Date: Sun, 19 Aug 2001 21:14:26 +0100
From: setantae <setantae@submonkey.net>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: chroot'ing named(8)
Message-ID: <20010819211426.A689@rhadamanth>
In-Reply-To: <001c01c1281a$06987500$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Sat, Aug 18, 2001 at 12:14:38PM -0700
References: <20010817122110.A11537@rhadamanth> <001c01c1281a$06987500$1401a8c0@tedm.placo.com>

On Sat, Aug 18, 2001 at 12:14:38PM -0700, Ted Mittelstaedt wrote:
> One thing you might consider is that especially with nameservices, that
> you really ought to be running the nameserver on a box that is completely
> separate from all your other systems. If the DNS goes away then the
> entire network is junk. By contrast failure of any other single server
> won't take the network with it.
>
> Also, Internet regulations require a total of two nameservers, on separate
> networks. IMHO both should be protected by an access list on your border
> routers that blocks off all ports not needed. On top of that you should be
> backing up the bind files regularly, and for all public servers you should
> be following the patch notifications every day. If you do all or most of this
> then I think you will find that the need for running named in a sandbox is
> greatly alleviated.

Sorry, Ted, but I fail to see how your reply addresses even one of the
concerns raised in my original mail.

I'm perfectly aware of the concept of a dedicated server and I do know the
RFCs (I'm hostmaster for an ISP here in the UK).

My point was that although I know how to do it, it's not documented anywhere,
the steps in the handbook will not result in a working secondary nameserver,
and it could be a lot easier.

Also, the steps required are now available in the archives for this list.

Are you saying that an extra layer of security is pointless, so chroot'ing
named _should_ be hard?

Ceri

-- 
keep a mild groove on