Date:      Sun, 14 Nov 1999 11:03:47 -0500 (EST)
From:      Barrett Richardson <barrett@phoenix.aye.net>
To:        Brett Glass <brett@lariat.org>
Cc:        Peter Wemm <peter@netplex.com.au>, Bill Fumerola <billf@chc-chimes.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG
Subject:   Re: Why not sandbox BIND? 
Message-ID:  <Pine.BSF.4.01.9911141056170.16333-100000@phoenix.aye.net>
In-Reply-To: <Pine.BSF.4.01.9911140848330.29218-100000@phoenix.aye.net>


Hmm, I got a bounce from hub on this message but here it is in the
list, curious. Oh well I'll add a couple of things.

On Sun, 14 Nov 1999, Barrett Richardson wrote:

> 
> 
> On Fri, 12 Nov 1999, Brett Glass wrote:
> 
> > It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> > since it's a good idea to keep a DNS server as close to the
> > dial-ups as possible. Any ideas about how one might work around
> > this, short of going to a capabilities-based security model?
> > 
> > --Brett
> > 
> 
> I run bind on the box I dial an ISP with; I just use a directive like

I failed to mention I have it sandboxed with "-u bind -g bind". I get
a dynamic ip assignment on dial up and it works ok.

> 
>   listen-on port 53 {
>       127.0.0.1;
>   };
> 
> For a dial up server you should be able to add a routable ip to the
> loopback and listen on that.

After a little more thought, this is unnecessary; you could add the
listen-on directive for any IP on an interface which is not subject to
change, like an ethernet.

-

Barrett (again)

> 
> -
> 
> Barrett
> 
> 
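The setup described in the thread, written out as an added example (not configuration posted by Barrett or shipped with FreeBSD): named runs unprivileged via the rc.conf flags, and listen-on names only addresses that exist before privileges are dropped, so the dynamic PPP address is never needed. The 192.0.2.10 ethernet address is a constructed placeholder, and the rc.conf variable names are assumed for a FreeBSD system of that era.

```conf
# /etc/rc.conf (assumed variable names): start named without root privileges
named_enable="YES"
named_flags="-u bind -g bind"

# /etc/namedb/named.conf: bind only to addresses that are fixed at boot.
# A sandboxed named cannot bind port 53 on an address that appears later
# (the PPP address), so the dial-up interface is deliberately left out.
options {
    directory "/etc/namedb";
    listen-on port 53 {
        127.0.0.1;      # loopback, always present
        192.0.2.10;     # constructed example: address on the ethernet interface
    };
};
```

Check after startup that named runs as the bind user and that port 53 is open only on the listed addresses; a listener on the PPP address would mean the directive was not applied.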


