bind-9 and static

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 21 00:04:44 UTC 2000


Dave Wreski wrote:

> > What benefit is there in running it as static?
>
> An attempt to limit the exposure and number of available avenues for
> further damage.

I think the prevailing wisdom is that if someone cracks you far enough to be
able to muck with your shared libraries, you're already pretty much owned by
them anyway. So why bother with the ugliness, inconvenience and resource
impact of static-linking?

Running named as a non-privileged user in a chroot jail, with copious logging
and log-analysis, probably gives you much better returns for your investment
in securing BIND. If you're particularly concerned about someone mucking with
your system binaries, including but not limited to shared libraries, run a
file-access monitoring tool as well.


- Kevin
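The setup Kevin recommends above (named as an unprivileged user inside a chroot, logging sent somewhere you can analyse it, and a check on the jail's files so that a swapped binary or zone file is noticed) as a worked shell example. This is added here and is not code from the post, from Dave Wreski, or from ISC's BIND distribution; the jail path, the "named" account name, and the logging categories chosen are illustrative assumptions, and the file check is a plain SHA-256 manifest standing in for whatever monitoring tool you actually run. BIND 9's `-u` (switch user) and `-t` (chroot) switches are real; `make_devices` and `start_named` need root, the rest does not. GNU coreutils (`sha256sum`, `xargs -r`) assumed.

```shell
#!/bin/sh
# Added example, not from Kevin's post or from ISC: a minimal chroot layout for
# BIND 9's named, a logging stanza, and a hash manifest for the jail's static files.
# Assumptions (illustrative, not from the post): the jail path passed in, an
# unprivileged account called "named", and BIND 9's -u (setuid) / -t (chroot) switches.
set -u

# Create the jail skeleton under $1 and a named.conf whose paths are jail-relative.
make_jail() {
    jail="$1"
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/named" "$jail/var/run" "$jail/var/log"
    cat > "$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/named";          // as seen from inside the chroot
    pid-file  "/var/run/named.pid";
    recursion no;                    // authoritative-only server in this example
};
logging {
    channel jail_log {
        file "/var/log/named.log" versions 10 size 20m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    category default  { jail_log; };
    category security { jail_log; };   // ACL refusals, rejected updates/transfers
    category queries  { jail_log; };   // noisy; the raw material for log analysis
};
EOF
}

# Device nodes named needs inside the jail; requires root, so kept separate.
make_devices() {
    jail="$1"
    [ -e "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null"   c 1 3
    [ -e "$jail/dev/random" ] || mknod -m 644 "$jail/dev/random" c 1 8
}

# Start named as root so it can bind port 53; it then chroots to $1 and drops
# to user $2. Only the directories the daemon must write to are handed to that
# user; zone files stay root-owned, so a subverted named cannot rewrite them.
start_named() {
    jail="$1"; user="${2:-named}"
    chown -R "$user" "$jail/var/run" "$jail/var/log"
    named -u "$user" -t "$jail" -c /etc/named.conf
}

# The files whose content should never change while named runs: everything
# except the log and pid directories, which the daemon writes to by design.
jail_files() {
    find "$1" \( -path "$1/var/log" -o -path "$1/var/run" \) -prune \
        -o -type f -print | LC_ALL=C sort
}

# Record a SHA-256 manifest ($2) of the jail ($1). Keep the manifest off the box,
# or an attacker who can replace a binary can rewrite its hash too.
baseline() {
    jail_files "$1" | xargs -r sha256sum > "$2"
}

# Compare the jail ($1) with manifest $2. Prints each changed, missing or new
# file and returns 1 if anything differs, 0 if the jail is intact.
verify() {
    jail="$1"; manifest="$2"; rc=0
    sha256sum --quiet -c "$manifest" || rc=1          # modified or deleted files
    sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$manifest.known"
    jail_files "$jail" > "$manifest.now"
    if comm -13 "$manifest.known" "$manifest.now" | grep .; then
        echo "unexpected new file(s) in jail" >&2; rc=1   # e.g. a dropped library
    fi
    rm -f "$manifest.known" "$manifest.now"
    return $rc
}
```

Run `baseline` once after the jail is built and `verify` from cron against a manifest stored elsewhere; a non-zero exit is the signal worth alerting on, while growth of the log under `var/log` is deliberately ignored so the check does not cry wolf every hour.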




More information about the bind-users mailing list