You can also run bind as non-root (e.g. nobody) and chrooted to its own
little partition. You can also prevent outside requests at the firewall
by filtering on the ACK bit. It's not much of a security risk that
way.
Performance-wise, always use forwarders if you are running a caching
only server. It's much faster that way.
Yan
Markus Stumpf wrote:
>
> On Thu, Aug 12, 1999 at 02:13:50PM -0700, Russ Allbery wrote:
> > Er... if it's handling a reasonably high volume of mail. If it's only
> > churning out a message or two every ten minutes, I wouldn't bother; BIND
> > is a huge memory hog and also a program that tends to have to be
> > frequently upgraded due to security holes.
>
> We've come around this by configuring bind only to listen on 127.0.0.1
> and we've put
> ------------------------------------------------------------------------
> domain space.net
> nameserver 127.0.0.1
> nameserver 195.30.0.2
> nameserver 195.30.0.1
> ------------------------------------------------------------------------
> into /etc/resolv.conf
>
> This makes the bind running on the mailserver inaccessible from the
> outside and as there are only few trusted users on the mailhub exploits
> which use access/privilege holes on the local filesystem are not
> really that big a problem.
>
> Other than that I agree that a named on a very low volume mail server
> is not really needed.
>
> \Maex
>
> --
> SpaceNet GmbH | http://www.Space.Net/ | Yeah, yo mama dresses
> Research & Development | mailto:[EMAIL PROTECTED] | you funny and you need
> Joseph-Dollinger-Bogen 14 | Tel: +49 (89) 32356-0 | a mouse to delete files
> D-80807 Muenchen | Fax: +49 (89) 32356-299 |
--
"The older I get, the faster I was."
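The setup the two posts describe, pulled together as an added example (not configuration from either poster): a caching-only named that listens on the loopback address only, answers only local clients, and forwards everything to the upstream resolvers from Markus's resolv.conf. The chroot path /chroot/named and the user `nobody` are assumptions; the forwarder addresses are the ones quoted in the thread.

```conf
// named.conf for a caching-only resolver on a mail host.
// Start it as:  named -u nobody -t /chroot/named
// (-u drops root after binding port 53, -t chroots; the chroot
//  must contain this file, the cache directory and the device
//  nodes named needs, e.g. /dev/null and /dev/log.)
options {
    directory "/var/named";          // relative to the chroot

    // Bind the listening socket to loopback only, so nothing on
    // the network can reach this named at all.
    listen-on { 127.0.0.1; };

    // Belt and braces: even if it were reachable, refuse queries
    // and recursion from anyone but the local host.
    allow-query     { localhost; };
    allow-recursion { localhost; };

    // Caching-only: never iterate ourselves, hand every miss to
    // the upstream resolvers (addresses from the quoted resolv.conf).
    forward only;
    forwarders { 195.30.0.2; 195.30.0.1; };
};

// Root hints are still expected by most BIND versions; with
// "forward only" they are not used for resolution.
zone "." {
    type hint;
    file "named.root";
};

// Serve localhost reverse lookups locally.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0.zone";
};
```

With this in place /etc/resolv.conf lists `nameserver 127.0.0.1` first and the forwarders after it as fallbacks, exactly as quoted above; check the result with `dig @127.0.0.1 example.com` from the host and confirm from another machine that port 53 on the mail server's external address does not answer.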