Hi,

On my public servers, I usually run BIND for DNS. I see CentOS offers a preconfigured (sort of) bind-chroot package. I wonder what's the effective benefit of this vs. a "normal" BIND setup without chroot. On my Slackware servers, I have a rather Keep-It-Simple approach to all things security, e.g. run no unneeded services, open only needed ports etc., but I don't go the extra mile (and haven't been bitten so far).

Any suggestions? (No flamefest please.)

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
On 4/12/2017 3:11 PM, Nicolas Kovacs wrote:
> On my public servers, I usually run BIND for DNS. I see CentOS offers a
> preconfigured (sort of) bind-chroot package. I wonder what's the
> effective benefit of this vs. a "normal" BIND setup without chroot. On
> my Slackware servers, I have a rather Keep-It-Simple approach to all
> things security, e.g. run no unneeded services, open only needed ports
> etc., but I don't go the extra mile (and haven't been bitten so far).
>
> Any suggestions? (No flamefest please.)

bind went through a rocky stage where there were a LOT of security holes in it. By running it in a chroot, you limit its ability to be used as a hacking point of entry. Recent versions of bind (basically, 9 and newer) are much more secure, so this is less of a concern.

--
john r pierce, recycling bits in santa cruz
On 04/12/2017 06:18 PM, John R Pierce wrote:
> On 4/12/2017 3:11 PM, Nicolas Kovacs wrote:
>> On my public servers, I usually run BIND for DNS. I see CentOS offers a
>> preconfigured (sort of) bind-chroot package. I wonder what's the
>> effective benefit of this vs. a "normal" BIND setup without chroot. On
>> my Slackware servers, I have a rather Keep-It-Simple approach to all
>> things security, e.g. run no unneeded services, open only needed ports
>> etc., but I don't go the extra mile (and haven't been bitten so far).
>>
>> Any suggestions? (No flamefest please.)
>
> bind went through a rocky stage where there were a LOT of security
> holes in it. By running it in a chroot, you limit its ability to be
> used as a hacking point of entry. Recent versions of bind
> (basically, 9 and newer) are much more secure, so this is less of a
> concern.

But make sure to have SELinux enabled if you do not run it chrooted. I have mine running that way.
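As an added example, not written by any of the posters: a POSIX sh script that checks which of the two confinement layers discussed in the replies above (the chroot John mentions, and the SELinux confinement suggested as the alternative) actually applies to a running named. It assumes the CentOS layout where bind-chroot starts named with `-t /var/named/chroot`, so the process root seen in /proc/PID/root is that directory, and where the stock policy confines named in the `named_t` domain. The inputs fed to the demo function are constructed, not readings from a real host; the `--live` mode reads the real values from /proc and selinuxfs.

```shell
#!/bin/sh
# Added example, not from the thread: report how a running named is confined.
# Layer 1: chroot  - compare the process root (/proc/PID/root) with "/".
#                    CentOS bind-chroot starts named with -t /var/named/chroot,
#                    so a chrooted named shows that path (assumed default layout).
# Layer 2: SELinux - /sys/fs/selinux/enforce reads "1" when enforcing, and a
#                    confined named runs in the named_t domain.
# The helpers take their inputs as arguments so they can be exercised on
# constructed values without a live named process.

# True when the given process root is not the real filesystem root.
chroot_active() {
    [ -n "$1" ] && [ "$1" != "/" ]
}

# Map the content of /sys/fs/selinux/enforce to a word; an empty value means
# the file was absent, i.e. SELinux is disabled or not built in.
selinux_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo disabled ;;
    esac
}

# Type field of a context label such as "system_u:system_r:named_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdict for <process root> <enforce flag> <process context>.
# Either layer alone is accepted; neither means named is protected only by
# the ordinary Unix permissions of the unprivileged "named" user.
confinement_verdict() {
    if chroot_active "$1"; then
        echo "ok: chroot ($1)"
    elif [ "$(selinux_mode "$2")" = enforcing ] && [ "$(selinux_type "$3")" = named_t ]; then
        echo "ok: selinux named_t"
    else
        echo "weak: not chrooted and not confined by SELinux"
    fi
}

# Live audit of this host; needs a running named and root to read /proc/PID/root.
audit_named() {
    pid=$(pidof named 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "named is not running"; return 1; }
    root=$(readlink "/proc/$pid/root")
    enforce=$(cat /sys/fs/selinux/enforce 2>/dev/null)
    ctx=$(cat "/proc/$pid/attr/current" 2>/dev/null | tr -d '\0')
    echo "pid=$pid root=${root:-?} selinux=$(selinux_mode "$enforce") domain=$(selinux_type "$ctx")"
    confinement_verdict "$root" "$enforce" "$ctx"
}

# Offline demo on constructed inputs (not readings from a real host).
demo() {
    confinement_verdict /var/named/chroot 1 system_u:system_r:named_t:s0
    confinement_verdict / 1 system_u:system_r:named_t:s0
    confinement_verdict / 0 system_u:system_r:named_t:s0
    confinement_verdict / "" system_u:system_r:initrc_t:s0
}

case "${1:-}" in
    --live) audit_named ;;
    *)      demo ;;
esac
```

Run it as `sh check_named.sh --live` on the server (as root, since /proc/PID/root of another user's process is not readable otherwise). The verdict deliberately treats a chroot and an enforcing `named_t` domain as alternatives, matching the thread: a chroot only narrows the filesystem named can see after a compromise, while the SELinux domain also restricts which ports, files and capabilities the process may use even without a chroot, so on a CentOS host the second layer is the one you get for free and should keep enforcing.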
On 13/04/2017 at 00:18, John R Pierce wrote:
>
> bind went through a rocky stage where there were a LOT of security holes
> in it. By running it in a chroot, you limit its ability to be used as a
> hacking point of entry. Recent versions of bind (basically, 9 and
> newer) are much more secure, so this is less of a concern.

OK. Thanks for the clarification.

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32