From owner-freebsd-security Mon Apr 22 13:36:34 2002
Delivered-To: freebsd-security@freebsd.org
Message-Id: <200204221341.g3MDfajj083200@cwsys.cwsent.com>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - CITS Open Systems Group
From: Cy Schubert - CITS Open Systems Group
X-Sender: schubert
To: mlobo@ear.com.br
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DNS Question
In-Reply-To: Message from "Mario Lobo" of "Mon, 22 Apr 2002 07:57:08 -0300." <3CC3C250.28097.2D5EA4@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 22 Apr 2002 06:41:36 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3CC3C250.28097.2D5EA4@localhost>, "Mario Lobo" writes:
> Hi;
>
> I have a DNS (named) server running on a FreeBSD 4.4 box firewall.
>
> ipfw allows queries to ports 53 and 1024 from any IP inside the private
> network (internal interface) and only certain ISP IPs on the external
> interface.
>
> I need to open those ports to any IP on the external interface.
>
> Are there any security concerns I should have if I do this? The only
> services I have running are ssh (restricted to specific IPs) and squid
> (local only).

Personally, I would run the DNS in a jail or chrooted, e.g.

TZ=PST8PDT exec $NAMED -c $NAMED_CONF -u $NAMED_UID -g $NAMED_GID -t $NAMED_CHROOT

Cheers,                              Phone:  250-387-8437
Cy Schubert                          Fax:    250-387-5766
Team Leader, Sun/Alpha Team          Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
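The exec line in the reply drops privileges (-u/-g) and chroots named (-t), but it only helps if the chroot tree itself is sound. The following start-up wrapper, an added example that is not part of the thread, runs the checks a practitioner would want before that exec: the confined uid must not own the chroot root, nothing in the tree may be world-writable, and the config must exist at the path named will see after chrooting (with -t, the -c path is resolved inside the chroot). The variable names mirror the reply; the check_chroot/start_named functions, the "start" subcommand, the uid 53 and the directory layout used in the example are assumptions of this example, not FreeBSD defaults.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks before
# exec'ing named into a chroot as an unprivileged user, built around the
# variables used in the reply ($NAMED, $NAMED_CONF, $NAMED_UID, $NAMED_GID,
# $NAMED_CHROOT). The function names, the 'start' subcommand and the
# directory layout in the comments are this example's own assumptions.

# check_chroot ROOT UID CONF
#   ROOT  chroot directory on the host
#   UID   numeric uid named will drop to (-u)
#   CONF  named.conf path as named sees it *inside* the chroot: -c is
#         resolved after -t, so /etc/namedb/named.conf means
#         $ROOT/etc/namedb/named.conf on the host
# Returns 0 if the tree is sane, 1 otherwise, with the reasons on stderr.
check_chroot() {
    root=$1 uid=$2 conf=$3
    rc=0

    if [ ! -d "$root" ]; then
        echo "chroot: $root is not a directory" >&2
        return 1
    fi

    # The confined uid must not own the chroot root itself: a process that
    # owns its jail root can create files in it (a fake etc/passwd, a device
    # node, ...) once it is inside. -prune keeps find on the root entry only.
    if [ -n "$(find "$root" -prune -user "$uid" -print)" ]; then
        echo "chroot: $root is owned by uid $uid" >&2
        rc=1
    fi

    # Nothing in the tree may be world-writable (symlinks are always 0777,
    # so skip them). Directories named must write to (pid file, dumps)
    # should be writable by the named group, not by everyone.
    bad=$(find "$root" ! -type l -perm -002 -print)
    if [ -n "$bad" ]; then
        printf 'chroot: world-writable entries:\n%s\n' "$bad" >&2
        rc=1
    fi

    # The config must exist at the *chrooted* path; a host-relative -c after
    # -t is the classic reason named "cannot open" a file that is plainly there.
    if [ ! -f "$root$conf" ]; then
        echo "chroot: $root$conf missing (-c is relative to -t)" >&2
        rc=1
    fi

    return $rc
}

# start_named: run the checks, then exec named exactly as in the reply.
# TZ is passed explicitly because, once chrooted, named cannot read the
# host's zoneinfo files unless they are copied into the chroot.
start_named() {
    check_chroot "$NAMED_CHROOT" "$NAMED_UID" "$NAMED_CONF" || return 1
    TZ=PST8PDT exec "$NAMED" -c "$NAMED_CONF" -u "$NAMED_UID" \
        -g "$NAMED_GID" -t "$NAMED_CHROOT"
}

# Only exec when explicitly asked, so sourcing this file just defines the
# functions. Example invocation (paths and ids are assumptions):
#   NAMED=/usr/sbin/named NAMED_CONF=/etc/namedb/named.conf \
#   NAMED_UID=53 NAMED_GID=53 NAMED_CHROOT=/var/named sh start-named-chroot.sh start
if [ "${1:-}" = "start" ]; then
    start_named
fi
```

The ownership and world-writable checks are what turn the chroot from a path prefix into an actual confinement boundary: named -t on a tree the named user can modify buys little, since the confined process can then plant whatever the chroot is supposed to withhold from it.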