From owner-freebsd-security Mon Aug 23 13:02:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 4375414FC9 for ; Mon, 23 Aug 1999 13:02:13 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id NAA05013; Mon, 23 Aug 1999 13:01:17 -0700 (PDT)
Message-ID: <19990823130116.B1797@best.com>
Date: Mon, 23 Aug 1999 13:01:16 -0700
From: "Jan B. Koum "
To: Matthew Dillon , Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
References: <199908231935.NAA01122@mt.sri.com> <199908231948.MAA10395@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199908231948.MAA10395@apollo.backplane.com>; from Matthew Dillon on Mon, Aug 23, 1999 at 12:48:09PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Aug 23, 1999 at 12:48:09PM -0700, Matthew Dillon wrote:
> :I've got some rules in place, but if someone has gotten DNS firewall
> :rules I'd be grateful to see them.
> :
> :Thanks!
> :
> :Nate
>
>     If you are primary for one or more domains the server that serves those
>     domains should be configured for read-only operation. It should not be
>     configured as a caching server. If you do that the server will be
>     reasonably well protected.
>
>     You can create allow/deny lists in named.conf, configuration options are
>     well documented in the bind distribution, in your source tree:
>
>     file:/usr/src/contrib/bind/doc/html/
>
> -Matt
> Matthew Dillon
>

One can also run named in a chroot() environment and as a non-root user. In
fact, this is exactly what we are doing where I work:

85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named

-- yan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
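As an added example (not part of the thread above), a small POSIX shell audit that turns the hardening shown in that ps output into a check: named must run chrooted (-t), as a non-root user (-u), and syslogd must provide a log socket inside the chroot. The function names and the sample ps lines are constructed for this example.

```shell
#!/bin/sh
# Audit a `ps ax` listing for a chrooted, unprivileged named, plus a syslogd
# socket inside that chroot. Sample input is constructed to mirror the post.

SAMPLE_PS='  106 ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
27897 ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named'

# Print the argument following flag $1 in command line $2 (empty if absent).
flag_value() {
    printf '%s\n' "$2" |
        awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i+1); exit } }'
}

# audit_named <ps output>: returns 0 when named is chrooted and non-root,
# 1 otherwise; also warns when syslogd has no -l <chroot>/dev/log socket.
audit_named() {
    ps_out=$1
    named_line=$(printf '%s\n' "$ps_out" | grep -E '(^|[ /])named( |$)' |
                 grep -v grep | head -n 1)
    [ -n "$named_line" ] || { echo "FAIL: no named process found"; return 1; }
    # Columns are PID TT STAT TIME COMMAND; keep only the command line.
    cmd=$(printf '%s\n' "$named_line" |
          awk '{ for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }')
    root=$(flag_value -t "$cmd")
    user=$(flag_value -u "$cmd")
    status=0
    if [ -z "$root" ]; then
        echo "FAIL: named is not chrooted (no -t)"; status=1
    else
        echo "OK: named chrooted to $root"
    fi
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "FAIL: named runs as root (no -u, or -u root)"; status=1
    else
        echo "OK: named runs as user $user"
    fi
    if [ -n "$root" ]; then
        if printf '%s\n' "$ps_out" | grep -q "syslogd .*-l $root/dev/log"; then
            echo "OK: syslogd listens on $root/dev/log"
        else
            echo "WARN: no syslogd -l $root/dev/log; chrooted named cannot log"
        fi
    fi
    return $status
}

audit_named "$SAMPLE_PS"
```

Feed it real output with `audit_named "$(ps ax)"`; the syslogd check matters because a chrooted named only sees /dev/log inside its new root.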