Re: New BIND server
On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil martin.dubre...@neosynergix.com wrote:

> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is this an authoritative only server for zones? Recursive server for clients? Other questions I can't think of at the moment?

--
aRDy Music and Rick Dicaire present: http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: New BIND server
Yes sorry,

This DNS server is only to resolve our local hosted domain names - authoritative only server - WITH no recursion

-Original Message-
From: Rick Dicaire [mailto:kri...@gmail.com]
Sent: 28 October 2009 12:01
To: martin.dubre...@neosynergix.com
Cc: bind-users@lists.isc.org
Subject: Re: New BIND server

On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil martin.dubre...@neosynergix.com wrote:

> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is this an authoritative only server for zones? Recursive server for clients? Other questions I can't think of at the moment?
Re: New BIND server
On 28.10.09 11:27, NéoSynergix | Martin Dubreuil wrote:

> I have set up a new Ubuntu 9.04 server with BIND9.

> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

What do you mean secure? Default installation should not allow anything that might be unsecure. Only take care about allow-recursion setting if you plan to use it as recursive (if not, recursion no should be in the config) and that should be enough for now.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
42.7 percent of all statistics are made up on the spot.
RE: New BIND server
> Hello BIND users,
>
> I have set up a new Ubuntu 9.04 server with BIND9. I have looked at a few
> tutorials and how to's like this one:
> https://help.ubuntu.com/community/BIND9ServerHowto
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.
>
> Thanks,
> Neosys

Aside from standard OS level hardening that should have already been done, I would recommend looking over the following:

http://www.cymru.com/Documents/secure-bind-template.html

Thanks...
Justin
Re: New BIND server
Yeah, look it over, but take the zone-transfer restrictions and version-obfuscation stuff with a bit of a grain of salt. Those parts are a little too PHSCSE (Pointy-Haired So-Called Security Expert)-ish for my tastes, verging on Theater. At least they finally got rid of the bogon stuff.

Chroot and unprivileged, on the other hand, are _de_rigueur_ for anything facing the Internet directly, as is view separation (or, to be more hardcore, process-instance/listen-on or machine separation) between recursive-resolver and non-recursive/authoritative roles.

If you're slaving, you'd also want to set up TSIG-authentication between masters and slaves. That's not shown in the template.

- Kevin

Dixon, Justin wrote:

> > Hello BIND users,
> >
> > I have set up a new Ubuntu 9.04 server with BIND9. I have looked at a few
> > tutorials and how to's like this one:
> > https://help.ubuntu.com/community/BIND9ServerHowto
> > but would like to get your tips and tricks to secure your BIND servers
> > before putting it into production.
> >
> > Thanks,
> > Neosys
>
> Aside from standard OS level hardening that should have already been done,
> I would recommend looking over the following:
>
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Thanks...
> Justin
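
The points raised in this thread for an authoritative-only server (`recursion no`, TSIG-authenticated transfers between masters and slaves, and running named unprivileged and chrooted) can be checked mechanically before going to production. The audit below is an added example, not code from any poster or from ISC; the sample configuration, zone names, key name and secret are constructed placeholders, and it assumes the chroot and user are set through named's `-t` and `-u` arguments and that only `key` entries or `none` count as an acceptable `allow-transfer`.

```python
import re

# Constructed sample inputs (not from the thread): a master's named.conf and
# the arguments named is started with. Key name and secret are placeholders.
SAMPLE_CONF = '''
options { directory "/var/cache/bind"; recursion no; };  // authoritative only
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER//=="; };
zone "example.com" { type master; file "db.example.com";
    allow-transfer { key "xfer-key"; }; };
zone "example.net" { type master; file "db.example.net";
    allow-transfer { 192.0.2.53; }; };   /* address only, no TSIG */
'''
SAMPLE_ARGS = "-u bind"  # unprivileged user, but no -t <chroot dir>

def strip_comments(conf):
    """Drop /* */, // and # comments; quoted strings are left untouched."""
    pat = r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*'
    return re.sub(pat, lambda m: m.group(0) if m.group(0)[0] == '"' else '',
                  conf, flags=re.S)

def audit(conf, named_args):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = strip_comments(conf), []
    if not re.search(r'\brecursion\s+no\s*;', conf):
        findings.append("'recursion no;' is not set")
    # key statements that define a TSIG key (name followed by a block)
    keys = set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', conf))
    for m in re.finditer(r'\ballow-transfer\s*\{([^}]*)\}', conf):
        zones = re.findall(r'\bzone\s+"([^"]+)"', conf[:m.start()])
        where = 'zone "%s"' % zones[-1] if zones else "options"
        for entry in filter(None, (e.strip() for e in m.group(1).split(';'))):
            ref = re.fullmatch(r'key\s+"?([\w.-]+)"?', entry)
            if entry == "none":
                continue
            if not ref:
                findings.append("%s: transfer to '%s' has no TSIG key" % (where, entry))
            elif ref.group(1) not in keys:
                findings.append("%s: TSIG key '%s' is undefined" % (where, ref.group(1)))
    args = named_args.split()
    if "-u" not in args:
        findings.append("named runs without -u <user> (keeps root)")
    if "-t" not in args:
        findings.append("named runs without -t <dir> (no chroot)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_ARGS):
        print("FINDING:", finding)
```

The parser is deliberately shallow: it does not follow `include` files, nested address-match lists or per-view settings, so treat a clean result as a first pass rather than proof.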