Re: [PLUG] FYI: Secure BIND Template

Stephen Gran on 12 Dec 2007 00:54:13 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] FYI: Secure BIND Template

From: Stephen Gran <steve@lobefin.net>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] FYI: Secure BIND Template

Date: Wed, 12 Dec 2007 00:54:03 +0000

Mail-followup-to: plug@lists.phillylinux.org

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Dec 11, 2007 at 06:52:58PM -0500, Brian Vagnoni said: > Secure BIND Template > > http://www.cymru.com/Documents/secure-bind-template.html > > Anyone care to comment. Yes. Use DNSSec if you want authentication/authorization/security for zone transfers. Keeping things tied down to IP addresses is easier to set up, but it's not a real security measure. Creating views are a good idea if you actually have different views of DNS (GeoDNS and public/private network borders being examples of where this is useful). The way they're using it feels like abusing the concept to me, but YMMV. In case it's not as clear to others, they have a mycompany.com zone and an internal.mycompany.net zone being served in seperate views. The thing I dislike about that approach is that it's not two views of the same namespace - it's two namespaces. You don't need to use views as extensively as they are for that - just serve both zones and restrict queries on the internal zone to the internal network. Views are more helpful when you need to actually serve the same RR but have it return different values depending on the query source. So you might return 192.168.97.4 for a query for www.mycompany.com to an internal address and 1.2.3.4 for the same query from the outside. A chroot used to be vital for securing bind, but it's less so in the last few years. Bind9 seems to have pretty much gotten it's act together. Finally, he doesn't use example.com. I thought everybody who wrote about DNS uses example.com - there's an RFC and everything. That being said, it's a good introductory article to some of the neat things you can do with bind. Bind is a hard to use, but very useful piece of software. I highly recommend the O'Reilly book if you want to do anything serious with it. -- -------------------------------------------------------------------------- | Stephen Gran | I suppose one could claim that an | | steve@lobefin.net | undocumented feature has no semantics. | | http://www.lobefin.net/~steve | :-( -- Larry Wall in | | | <199710290036.QAA01818@wall.org> | --------------------------------------------------------------------------
Attachment: signature.asc
Description: Digital signature

___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

References:

[PLUG] FYI: Secure BIND Template
From: "Brian Vagnoni" <bvagnoni@v-system.net>

Prev by Date: [PLUG] FYI: LiPS Specification 1.x Available

Next by Date: Re: [PLUG] FYI: Secure BIND Template

Previous by thread: [PLUG] FYI: Secure BIND Template

Next by thread: Re: [PLUG] FYI: Secure BIND Template

Index(es):

Date

Thread