From owner-freebsd-questions Sun Aug 19 13:13:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by hub.freebsd.org (Postfix) with ESMTP id C6A9537B40E for ; Sun, 19 Aug 2001 13:13:47 -0700 (PDT) (envelope-from setantae@submonkey.net)
Received: from m737-mp1-cvx2a.bri.ntl.com ([62.255.18.225] helo=rhadamanth.private.submonkey.net) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 15YYhH-0005vr-00; Sun, 19 Aug 2001 20:57:23 +0100
Received: from setantae by rhadamanth.private.submonkey.net with local (Exim 3.22 #1) id 15YYxm-0000BZ-00; Sun, 19 Aug 2001 21:14:26 +0100
Date: Sun, 19 Aug 2001 21:14:26 +0100
From: setantae
To: Ted Mittelstaedt
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: chroot'ing named(8)
Message-ID: <20010819211426.A689@rhadamanth>
References: <20010817122110.A11537@rhadamanth> <001c01c1281a$06987500$1401a8c0@tedm.placo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001c01c1281a$06987500$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Sat, Aug 18, 2001 at 12:14:38PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Aug 18, 2001 at 12:14:38PM -0700, Ted Mittelstaedt wrote:
> One thing you might consider is that especially with nameservices, that
> you really ought to be running the nameserver on a box that is completely
> separate from all your other systems. If the DNS goes away then the
> entire network is junk. By contrast failure of any other single server
> won't take the network with it.
>
> Also, Internet regulations require a total of two nameservers, on separate
> networks. IMHO both should be protected by an access list on your border
> routers that blocks off all ports not needed. On top of that you should be
> backing up the bind files regularly, and for all public servers you should
> be following the patch notifications every day. If you do all or most of this
> then I think you will find that the need for running named in a sandbox is
> greatly alleviated.

Sorry, Ted, but I fail to see how your reply addresses even one of the
concerns raised in my original mail. I'm perfectly aware of the concept of
a dedicated server and I do know the RFCs (I'm hostmaster for an ISP here
in the UK).

My point was that although I know how to do it, it's not documented
anywhere, the steps in the handbook will not result in a working secondary
nameserver, and it could be a lot easier. Also, the steps required are now
available in the archives for this list.

Are you saying that an extra layer of security is pointless, so chroot'ing
named _should_ be hard?

Ceri
-- 
keep a mild groove on

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message