Date:      Sat, 18 Aug 2001 12:14:38 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "setantae" <setantae@submonkey.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: chroot'ing named(8)
Message-ID:  <001c01c1281a$06987500$1401a8c0@tedm.placo.com>
In-Reply-To: <20010817122110.A11537@rhadamanth>

One thing you might consider is that, especially with name services, you
really ought to be running the nameserver on a box that is completely
separate from all your other systems.  If the DNS goes away then the
entire network is junk.  By contrast, failure of any other single server
won't take the network with it.

Also, Internet regulations require a total of two nameservers, on separate
networks.  IMHO both should be protected by an access list on your border
routers that blocks off all ports not needed.  On top of that you should be
backing up the bind files regularly, and for all public servers you should
be following the patch notifications every day.  If you do all or most of this
then I think you will find that the need for running named in a sandbox is
greatly alleviated.

Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of setantae
>Sent: Friday, August 17, 2001 4:21 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: chroot'ing named(8)
>
>
>
>I've been fighting with setting up named to run in a sandbox on FreeBSD
>this morning and I've found that it's non-trivial on FreeBSD.
>Yes, you can get there if you know which manpages to read, but I'm
>thinking of new users here.
>
>This is what I've had to do so far :
>
>1) /etc/namedb is not populated with var/run, var/tmp, dev/null by default.
>
>2) I have also had to add ``-l /etc/namedb/dev/log" to syslogd_flags - this
>   isn't suggested in the Handbook.
>
>3) I've had to compile a static copy of named-xfer to install in
>/etc/namedb -
>   this also is not documented in the Handbook (it's not even suggested that
>   you'll need a copy in the sandbox).
>   I'm also concerned that I'll need to do this now every time a change is
>   made to the source tree in src/contrib/bind.
>
>4) I don't like the fact that it's in /etc by default.
>   Assume I was secondarying several thousand zones - space on / is an issue.
>   (Yes, I know I can change this).
>
>I think at least that the Handbook needs to be looked at (I'm willing to do
>this but it'll be in ASCII as I'm still learning DocBook and will take a few
>days as I have visitors this weekend).
>
>Also, I think the entire issue of running named in a chroot environment needs
>to be made easier - setting this up on OpenBSD _is_ trivial.
>
>I feel I've only been able to get this successfully set up because I've done
>it before on other systems - it would be good if this could be made easier in
>the way that OpenBSD have achieved this.
>I'm not necessarily suggesting that named is run in a chroot environment by
>default, but setting it up to do so could be made a lot easier.
>
>Any comments are welcome (even if they're just ``Stop moaning'').
>
>Ceri
>
>--
>One of the lessons of history is that nothing is often a good thing to
>do and always a clever thing to say.
>		-- Will Durant
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>



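The steps Ceri lists above (populating var/run, var/tmp and dev/null under the sandbox root, pointing syslogd at a dev/log socket inside it, and dropping in a statically linked named-xfer) are easy to get half right, so here is an added example that builds that skeleton and then audits it. This is not code from the thread, the FreeBSD Handbook or the BIND distribution. It assumes the sandbox root and the path of an already built static named-xfer are passed as arguments (the thread uses /etc/namedb), and it creates dev/null with the major/minor pair the FreeBSD 4.x MAKEDEV(8) script used (c 2 2); check that against `ls -l /dev/null` on your own host before trusting it.

```shell
#!/bin/sh
# Added example: build and audit a named(8) chroot sandbox along the lines of
# the steps in the message above. Not from the Handbook or the thread.
# Assumptions: $1 is the sandbox root (the thread uses /etc/namedb); $2, if
# given, is a statically linked named-xfer; dev/null is made with the FreeBSD
# 4.x MAKEDEV numbers (c 2 2), which you should verify on your own system.

# Step 1: create var/run, var/tmp and dev under the root, make dev/null, and
# install the static named-xfer (step 3 of the message) if one was supplied.
named_sandbox_build() {
    root=$1; xfer=${2:-}
    for d in var/run var/tmp dev; do
        mkdir -p "$root/$d" || return 1
    done
    # mknod needs root; if it cannot be done here the audit below reports it.
    if [ ! -c "$root/dev/null" ] && [ "$(id -u)" -eq 0 ]; then
        mknod "$root/dev/null" c 2 2 2>/dev/null && chmod 666 "$root/dev/null"
    fi
    if [ -n "$xfer" ]; then
        cp "$xfer" "$root/named-xfer" && chmod 555 "$root/named-xfer" || return 1
    fi
    return 0
}

# Step 2: the rc.conf(5) line that makes syslogd create a log socket inside
# the sandbox, so a chrooted named can still reach syslog.
named_sandbox_rcconf() {
    printf 'syslogd_flags="-l %s/dev/log"\n' "$1"
}

# Audit: print each missing piece, one per line, and succeed only if nothing
# is missing. dev/log is a socket that syslogd creates at start-up, so it is
# reported as missing until syslogd has been restarted with the new flags.
named_sandbox_check() {
    root=$1; missing=""
    [ -d "$root/var/run" ]    || missing="$missing var/run"
    [ -d "$root/var/tmp" ]    || missing="$missing var/tmp"
    [ -c "$root/dev/null" ]   || missing="$missing dev/null"
    [ -S "$root/dev/log" ]    || missing="$missing dev/log"
    [ -x "$root/named-xfer" ] || missing="$missing named-xfer"
    # A dynamically linked named-xfer cannot start inside the chroot because
    # ld.so and libc are not in the sandbox; flag it when file(1) can tell.
    if [ -x "$root/named-xfer" ] && command -v file >/dev/null 2>&1 \
       && file "$root/named-xfer" | grep -q 'dynamically linked'; then
        missing="$missing named-xfer(not-static)"
    fi
    for m in $missing; do echo "$m"; done
    [ -z "$missing" ]
}
```

Run `named_sandbox_build /etc/namedb /path/to/static/named-xfer` as root, append the line from `named_sandbox_rcconf /etc/namedb` to /etc/rc.conf, restart syslogd, and only then expect `named_sandbox_check /etc/namedb` to come back clean; a non-zero exit with `dev/log` listed before the syslogd restart is the normal state, not a fault.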
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001c01c1281a$06987500$1401a8c0>