Jason on 12 Dec 2007 13:59:44 -0000

On 12/11/07, Brian Vagnoni <bvagnoni@v-system.net> wrote:
> Secure BIND Template
>
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Anyone care to comment.

A couple of things I took note of:

1. Zone transfer acl.

Early on in the config file, there's an acl for zone xfers that suggests simply making a list of DNS servers authorized to perform zone xfers. Further down in the same file, they attach that acl to the allow-transfer {} statement. This applies the configuration globally. I'm not fond of that.

It would certainly work for sites that have 2 nameservers and always use the same pri & secondary servers. However, for those of us with a single server, and groups of "friends" that exchange secondary dns services, I don't think it's so hot.

Why? Suppose you've got domain[1..5].com, and you're splitting up secondary dns over 3 different other nameservers. Now you're granting the ability to do zone xfers to the systems that are NOT secondary for some domains. Better doing allow-transfer {} on a per-zone basis, IMHO.

2. Logging.

I'd guess 99% of the bind servers out there do absolutely zero logging. They may be a bit over-zealous about their logging, but more is better than not enough.

3. Chroot.

Always sound advice to jail a daemon that interacts with the outside world. Not a panacea, but defense in depth is usually a good thing.

4. Views.

Wonderful! You'd be shocked how many companies publish their full internal zones unknowingly.

5. There is no 5.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
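Point 1 above is easy to check mechanically: compute the allow-transfer list that actually applies to each zone (a per-zone statement overrides the one in options {}, and named ACLs expand to their members) and compare it with the hosts that really serve as secondary for that zone. The following is an added example, not code from the post or from the Cymru template; the named.conf fragment, the zone names and the addresses are constructed for illustration, and the parser handles only the subset of named.conf syntax needed here (acl, options, zone blocks, no "!" negation).

```python
"""Audit the effective allow-transfer list per zone in a BIND named.conf."""
import re

# Constructed sample config: a global ACL applied in options {} versus a
# per-zone allow-transfer statement on one of the zones.
SAMPLE_NAMED_CONF = """
acl "xfer" { 192.0.2.10; 192.0.2.20; 198.51.100.30; };  // all of our "friends"
options {
    directory "/var/named";
    allow-transfer { "xfer"; };   // applies to every zone without its own statement
};
zone "domain1.com" { type master; file "domain1.com.zone"; };
zone "domain2.com" {
    type master;
    file "domain2.com.zone";
    allow-transfer { 192.0.2.10; };   // only this zone's real secondary
};
"""

# Constructed: which hosts actually act as secondary for each zone.
SECONDARIES = {
    "domain1.com": {"192.0.2.10"},
    "domain2.com": {"192.0.2.10"},
}


def _tokenize(text):
    """Strip /* */, // and # comments, then split into braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)  # note: also eats '//' inside URLs
    return [t.strip('"') for t in re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)]


def _parse(tokens, pos=0):
    """Return (statements, pos). A statement is (words, block_or_None)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            block, pos = _parse(tokens, pos + 1)
            stmts.append((words, block))
            words = []
        elif tok == "}":
            return stmts, pos + 1
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words, pos = [], pos + 1
        else:
            words.append(tok)
            pos += 1
    return stmts, pos


def _addresses(block, acls):
    """Flatten an address-match list, expanding named ACLs; 'none' is empty."""
    out = set()
    for words, _ in block:
        for w in words:
            if w != "none":
                out |= acls.get(w, {w})
    return out


def effective_transfer_acls(conf_text):
    """Map zone name -> set of addresses allowed to transfer it."""
    stmts, _ = _parse(_tokenize(conf_text))
    acls, global_xfer, zones = {}, set(), {}
    for words, block in stmts:
        if not words or block is None:
            continue
        if words[0] == "acl":
            acls[words[1]] = _addresses(block, acls)
        elif words[0] == "options":
            for w, b in block:
                if w == ["allow-transfer"]:
                    global_xfer = _addresses(b, acls)
        elif words[0] == "zone":
            zones[words[1]] = block
    result = {}
    for name, block in zones.items():
        own = [b for w, b in block if w == ["allow-transfer"]]
        result[name] = _addresses(own[0], acls) if own else set(global_xfer)
    return result


def overexposed_zones(conf_text, secondaries):
    """Return {zone: hosts} for zones transferable by hosts that are not its secondaries."""
    report = {}
    for zone, allowed in effective_transfer_acls(conf_text).items():
        extra = allowed - secondaries.get(zone, set())
        if extra:
            report[zone] = extra
    return report


if __name__ == "__main__":
    for zone, hosts in sorted(overexposed_zones(SAMPLE_NAMED_CONF, SECONDARIES).items()):
        print(f"{zone}: transferable by non-secondaries {sorted(hosts)}")
```

On the sample, domain1.com (which only inherits the global list) is reported as transferable by two hosts that are not its secondary, while domain2.com, with its own allow-transfer {}, is clean. Point the same check at a real named.conf and a list of actual secondaries per zone to find zones exposed by a global ACL.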