Stephen Gran on 12 Dec 2007 00:54:13 -0000



Re: [PLUG] FYI: Secure BIND Template


On Tue, Dec 11, 2007 at 06:52:58PM -0500, Brian Vagnoni said:
> Secure BIND Template
> 
> http://www.cymru.com/Documents/secure-bind-template.html
> 
> Anyone care to comment.

Yes.  Use DNSSec if you want authentication/authorization/security for
zone transfers.  Keeping things tied down to IP addresses is easier to
set up, but it's not a real security measure.

Creating views is a good idea if you actually have different views of
DNS (GeoDNS and public/private network borders being examples of where
this is useful).  The way they're using it feels like abusing the
concept to me, but YMMV.  In case it's not as clear to others, they have
a mycompany.com zone and an internal.mycompany.net zone being served in
separate views.  The thing I dislike about that approach is that it's
not two views of the same namespace - it's two namespaces.  You don't
need to use views as extensively as they are for that - just serve both
zones and restrict queries on the internal zone to the internal network.

Views are more helpful when you need to actually serve the same RR but
have it return different values depending on the query source.  So you
might return 192.168.97.4 for a query for www.mycompany.com to an
internal address and 1.2.3.4 for the same query from the outside.

A chroot used to be vital for securing bind, but it's less so in the
last few years.  Bind9 seems to have pretty much gotten its act
together.

Finally, he doesn't use example.com.  I thought everybody who wrote
about DNS uses example.com - there's an RFC and everything.

That being said, it's a good introductory article to some of the neat
things you can do with bind.  Bind is hard to use, but a very useful
piece of software.  I highly recommend the O'Reilly book if you want to
do anything serious with it.
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | I suppose one could claim that an       |
|  steve@lobefin.net             | undocumented feature has no semantics.  |
|  http://www.lobefin.net/~steve | :-(   -- Larry Wall in                  |
|                                | <199710290036.QAA01818@wall.org>        |
 --------------------------------------------------------------------------


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
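The two approaches contrasted in the reply above, written out as an added named.conf example: variant A serves the public and internal zones as two separate namespaces and simply restricts queries on the internal zone to the internal network; variant B is the split-horizon case where the same record (www.mycompany.com) answers differently by query source. This is added illustration, not configuration from the original post or from the Team Cymru template. The acl ranges, the zone file paths, the SOA/NS boilerplate, and the address 192.0.2.4 (a documentation address standing in for the post's 1.2.3.4) are assumptions; the 192.168.97.4 internal answer is the post's own.

```conf
// Added example, not from the original post or the Team Cymru template.
// Assumed: internal network is 192.168.0.0/16, files live under /var/named.
// Load EITHER variant A OR variant B: BIND 9 refuses a named.conf that
// mixes top-level zone statements with view statements.

acl "internal" {
    127.0.0.1;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    recursion no;               // authoritative-only server
    allow-transfer { none; };   // the per-IP transfer restriction the post
                                // calls convenient but not real security
};

// ---- Variant A: two namespaces, no views needed -------------------------
// mycompany.com is public; internal.mycompany.net is only answered for
// sources matching the "internal" acl (everyone else gets REFUSED).
zone "mycompany.com" {
    type master;
    file "mycompany.com.zone";
};

zone "internal.mycompany.net" {
    type master;
    file "internal.mycompany.net.zone";
    allow-query { internal; };
};

// ---- Variant B: one name, two answers (split horizon) -------------------
// Views are matched in order; the first match-clients that fits wins, so the
// restrictive "inside" view must come before the catch-all "outside" view.
view "inside" {
    match-clients { internal; };
    recursion yes;                    // let internal hosts resolve through us
    allow-recursion { internal; };
    zone "mycompany.com" {
        type master;
        file "inside/mycompany.com.zone";     // www IN A 192.168.97.4
    };
    zone "internal.mycompany.net" {
        type master;
        file "inside/internal.mycompany.net.zone";
    };
};

view "outside" {
    match-clients { any; };
    recursion no;
    zone "mycompany.com" {
        type master;
        file "outside/mycompany.com.zone";    // www IN A 192.0.2.4
    };
};

// inside/mycompany.com.zone (constructed; serial and timers are assumptions)
//   $TTL 3600
//   @    IN SOA ns1.mycompany.com. hostmaster.mycompany.com. (
//            2007121201 3600 900 604800 300 )
//        IN NS  ns1.mycompany.com.
//   ns1  IN A   192.168.97.2
//   www  IN A   192.168.97.4
//
// outside/mycompany.com.zone differs only in the addresses:
//   ns1  IN A   192.0.2.2
//   www  IN A   192.0.2.4
```

Check the file with `named-checkconf -z /etc/named.conf` before reloading; with `-z` it also parses every zone file the config references. With variant B loaded, `dig @ns1.mycompany.com www.mycompany.com A` returns 192.168.97.4 from a 192.168.x.x host and 192.0.2.4 from anywhere else, and a query for internal.mycompany.net from outside is refused because the "outside" view has no such zone and recursion is off there. As the reply notes, both variants key on the source address, so a spoofed or internal-side attacker is not stopped by them; they hide data, they do not authenticate the client.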