Date: Thu, 04 Jun 1998 22:22:24 +0200
From: sthaug@nethelp.no
To: crowland@psionic.com
Cc: roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
Message-ID: <20254.896991744@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 1 Jun 1998 09:58:26 -0400 (EDT)"
References: <Pine.LNX.3.96.980601095150.26752A-100000@dolemite.psionic.com>
> Version 8.x has several new options that allow securing BIND more
> reasonably:
>
> -t - chroot() directory
> -u - UID to run under after bind()
> -g - GID to run under after bind()
>
> I have a web page up that describes how to run BIND 8.x under a chroot()
> environment under OpenBSD 2.x. A lot of the information should apply to
> FreeBSD as well. Here is the URL:
>
> http://www.psionic.com/papers/dns.html

Note that you may want to correct Step Seven on your Web page. Advising
people to block TCP access to port 53 is *not* a good idea, for the
following reasons:

- Normal DNS queries using TCP are perfectly legitimate.
- The spec states that if an answer is truncated (TC bit set), the query
  *should* be retried using TCP instead of UDP.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
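The TC-bit fallback that the reply above relies on, shown as an added example (not part of the original message or of BIND): it decodes the RFC 1035 header of a UDP reply, decides whether the resolver must re-ask over TCP/53, and applies the 2-byte length framing that DNS over TCP uses. The reply bytes are constructed for illustration and are not from any real server.

```python
import struct

# RFC 1035 header: ID | flags (QR,Opcode,AA,TC,RD,RA,Z,RCODE) | QDCOUNT ANCOUNT NSCOUNT ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR_MASK = 0x8000  # response bit
TC_MASK = 0x0200  # TrunCation: the UDP reply did not fit, answer is incomplete


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; rejects messages too short to hold one."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": ident, "qr": bool(flags & QR_MASK), "tc": bool(flags & TC_MASK),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def should_retry_over_tcp(udp_reply: bytes) -> bool:
    """A response with TC=1 must be discarded and the query repeated over TCP port 53.
    Blocking TCP/53 at a firewall turns every such answer into a permanent failure."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    """Strip the length prefix and refuse a message the stream does not fully contain."""
    if len(stream) < 2:
        raise ValueError("missing TCP length prefix")
    (n,) = struct.unpack_from("!H", stream)
    if len(stream) < 2 + n:
        raise ValueError("TCP DNS message shorter than its declared length")
    return stream[2:2 + n]


# Constructed samples (header only): id 0x1234, one question, zero answers.
# 0x8380 = QR|TC|RD|RA -> server truncated the UDP answer; 0x8180 = QR|RD|RA -> complete.
TRUNCATED_REPLY = HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, reply in (("truncated", TRUNCATED_REPLY), ("complete", COMPLETE_REPLY)):
        print(name, "-> retry over TCP:", should_retry_over_tcp(reply))
```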