From owner-freebsd-security  Sun Nov 14  7:33:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [198.7.192.5])
	by hub.freebsd.org (Postfix) with SMTP id 413FD14FD0
	for <security@FreeBSD.ORG>; Sun, 14 Nov 1999 07:33:47 -0800 (PST)
	(envelope-from barrett@phoenix.aye.net)
Received: (qmail 625 invoked by uid 1000); 14 Nov 1999 13:54:13 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 14 Nov 1999 13:54:13 -0000
Date: Sun, 14 Nov 1999 08:54:13 -0500 (EST)
From: Barrett Richardson <barrett@phoenix.aye.net>
To: Brett Glass <brett@lariat.org>
Cc: Peter Wemm <peter@netplex.com.au>,
	Bill Fumerola <billf@chc-chimes.com>,
	Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>,
	security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND? 
In-Reply-To: <4.2.0.58.19991112102519.045cf510@localhost>
Message-ID: <Pine.BSF.4.01.9911140848330.29218-100000@phoenix.aye.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Fri, 12 Nov 1999, Brett Glass wrote:

> It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> since it's a good idea to keep a DNS server as close to the
> dial-ups as possible. Any ideas about how one might work around
> this, short of going to a capabilities-based security model?
> 
> --Brett
> 

I run bind on my box I dial an ISP with, I just use a directive like

  listen-on port 53 {
      127.0.0.1;
  };

For a dial up server you should be able to add a routable ip to the
loopback and listen on that.

-

Barrett



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message