chrooting bind

Brad Knowles brad.knowles at skynet.be
Thu Aug 16 16:18:29 UTC 2001


At 4:28 PM +0100 8/16/01, Jack Howard wrote:

>  If the rest of the systems contain stuff sensitive enough that you
>  really need to be that security conscious, wouldn't it be better to run
>  the nameserver on a totally separate box?  Then no matter what
>  vulnerability is exploited, there is no way back to anywhere else.

	Oh, you do that anyway.  IMO, if you don't, then you are stupid.

	However, once someone has broken into your nameserver machines, 
odds are that they can get a lot of other machines on your network to 
trust them (unless they're out in the DMZ and have no access back to 
anything else), and even if they can't get anywhere else, they can 
sure play hell with you by mucking around with your DNS.

-- 
Brad Knowles, <brad.knowles at skynet.be>


More information about the bind-users mailing list