BIND has been around longer than I have, so most of my knowledge on the subject
is in retrospect. However, from everything that I have read and heard from
people, there hasn't been a version of bind yet that hasn't had some sort of
major security vulnerability. I'm not sure if it is because the crackers are
better, the systems are more powerful, or if it is the simple fact that DNS (as
well as most internet-based services) were designed with openness in mind, not
security. Most services were meant to be used by large numbers of nameless,
faceless users, and to make them as easily accessible as possible, they were
left wide open. Now that we depend on things like DNS, it's hard to implement a
new way of doing things with security in mind. We can build on what we have,
but if the basic building blocks are vulnerable, then all you can do is tighten
it as much as possible, and assess the risk of what is left.

Just my $.01,
Kenny

Jeff Macdonald wrote:
> I've been cracked via bind 4 times over the past year. Each bind was a
> different version. The last time was my workstation on a LAN at work. Yes,
> the LAN should have been firewalled, but more important is to not run
> services that you don't really need. For workstations, use the workstation
> install, and you'll get fewer services started automatically. Add those that
> you need by hand after the install.
>
> One last thing, does Redhat 6.2 configure bind to not run as root? Wouldn't
> that keep buffer overflows from doing too much damage?
>
> At 03:10 PM 4/22/00 -0400, Derek Martin wrote:
>
> >I believe I have identified how my system was compromised. CERT has
> >released this advisory regarding BIND 8.2:
> >
> > http://www.cert.org/advisories/CA-99-14-bind.html
> >
> >If you are running BIND on an Internet accessible RH6.1 machine, go get
> >the updates NOW!
> >
> >--
> >PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> >------------------------------------------------------
> >Derek D. Martin | Unix/Linux Geek
> >[EMAIL PROTECTED] | [EMAIL PROTECTED]
> >------------------------------------------------------
> >
> >
> >**********************************************************
> >To unsubscribe from this list, send mail to
> >[EMAIL PROTECTED] with the following text in the
> >*body* (*not* the subject line) of the letter:
> >unsubscribe gnhlug
> >**********************************************************
>