Date:      Mon, 23 Aug 1999 13:01:16 -0700
From:      "Jan B. Koum " <jkb@best.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>, Nate Williams <nate@mt.sri.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW/DNS rules
Message-ID:  <19990823130116.B1797@best.com>
In-Reply-To: <199908231948.MAA10395@apollo.backplane.com>; from Matthew Dillon on Mon, Aug 23, 1999 at 12:48:09PM -0700
References:  <199908231935.NAA01122@mt.sri.com> <199908231948.MAA10395@apollo.backplane.com>

On Mon, Aug 23, 1999 at 12:48:09PM -0700, Matthew Dillon <dillon@apollo.backplane.com> wrote:
> :I've got some rules in place, but if someone has gotten DNS firewall
> :rules I'd be grateful to see them.
> :
> :Thanks!
> :
> :Nate
> 
>     If you are primary for one or more domains the server that serves those
>     domains should be configured for read-only operation.  It should not be
>     configured as a caching server.  If you do that the server will be
>     reasonably well protected.
> 
>     You can create allow/deny lists in named.conf, configuration options are
>     well documented in the bind distribution, in your source tree:
> 
> 	file:/usr/src/contrib/bind/doc/html/
> 
> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>


One can also run named in a chroot() environment and as a non-root user. In
fact, this is exactly what we are doing where I work:

85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
27897  ??  Ss   1047:54.55 /var/named/named -u bind -g bind -t /var/named


-- yan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
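An added example, not part of the thread or of BIND itself: a small sh audit that reads a named command line as shown by `ps` and reports whether it carries the chroot (-t), user (-u) and group (-g) flags the message relies on. The function names and the second, unhardened sample line are assumptions; the first sample is the line quoted above.

```sh
#!/bin/sh
# Added example (not from the original message): audit a named command line
# taken from `ps ax` for the hardening described in the thread.

# Print the argument that follows a flag ("-u", "-g" or "-t") in a command
# line; print nothing if the flag is absent.
flag_arg() {
    # $1 = command line, $2 = flag
    printf '%s\n' "$1" | awk -v f="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i+1); exit } }'
}

# Return 0 when named runs chrooted as a non-root user with a group set,
# 1 otherwise. Findings go to stdout so they can be logged or alerted on.
check_named_hardening() {
    line=$1
    status=0
    user=$(flag_arg "$line" -u)
    group=$(flag_arg "$line" -g)
    root=$(flag_arg "$line" -t)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "named is not dropping privileges (-u missing or root)"
        status=1
    fi
    if [ -z "$group" ]; then
        echo "named has no -g group set"
        status=1
    fi
    if [ -z "$root" ] || [ "$root" = / ]; then
        echo "named is not chrooted (-t missing or /)"
        status=1
    fi
    return $status
}

# Constructed samples: the hardened line from the message and an unhardened one.
HARDENED='27897  ??  Ss   1047:54.55 /var/named/named -u bind -g bind -t /var/named'
UNHARDENED='  512  ??  Ss      0:01.00 /usr/sbin/named'

check_named_hardening "$HARDENED" && echo "hardened sample: OK"
check_named_hardening "$UNHARDENED" || echo "unhardened sample: see findings above"
```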