New Work Study Job

Rich Braun richb at pioneer.ci.net
Fri Oct 3 12:31:19 EDT 2003


Johannes Ullrich <jullrich at euclidian.com> wrote:
> Thomas Leonard <ike6116 at mac.com> wrote:
>> The other guy who knows about Linux
>> said he wanted it chroot jail-ed and configurable by webmin if
>> possible.
>
> [See]
> http://www.cymru.com/Documents/secure-bind-template.html
>   and the chroot howto:
>
> http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

For what it's worth, I took a look at the Chroot howto noted above and
confirmed that Suse 8.2's startup scripts follow the recommendations contained
in this howto.  You get a chroot jail "out of the box".

Creating a caching-only name server, you won't need a lot of the items in that
template.  But it's good to protect the DNS config with its own ACL limiting
access to onsite users only, and additionally to block ports 53 and 953 at the
firewall (unless you've got another DNS server that has to be open to the rest
of the 'net).

Bind9 is pretty secure but you do have to watch for CERT advisories. 
Occasional security holes are found in it and you have to stay on top of
upgrades.

Probably the most tedious part of your project will be updating client systems
to use the new server IP address, unless everything is already getting its DNS
server info via DHCP...

-rich
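
An added example, not part of the message above or of the linked template: a minimal BIND 9 `named.conf` for a caching-only server with the ACL restriction the message describes and the port 953 control channel bound to loopback. The addresses (192.0.2.0/24, 192.0.2.53), file paths, and the key name `rndc-key` are assumptions to be replaced with site values.

```conf
// Caching-only resolver, constructed example.
// 192.0.2.0/24 and 192.0.2.53 are documentation placeholders (assumptions);
// substitute the site's internal network and the server's own address.

acl "onsite" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";              // assumed path; relative to the jail when chrooted
    listen-on { 127.0.0.1; 192.0.2.53; };  // do not bind to outside-facing interfaces

    recursion yes;                       // this server resolves on behalf of clients
    allow-query     { "onsite"; };       // only onsite clients may query
    allow-recursion { "onsite"; };       // only onsite clients get recursive lookups
    allow-transfer  { none; };           // caching-only: no zones to hand out
};

// rndc control channel (port 953): loopback only, key required.
include "/etc/rndc.key";                 // assumed path; file defines key "rndc-key"
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints are the only zone a caching-only server needs.
zone "." {
    type hint;
    file "root.hint";                    // assumed file name
};
```

The ACL and the firewall block on ports 53 and 953 are independent layers: the ACL still refuses offsite clients if a firewall rule is later loosened. `named-checkconf` validates the file's syntax before the server is restarted.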



