[afnog] Chrooted Bind

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Feb 9 09:43:10 UTC 2009


On Mon, Feb 09, 2009 at 11:12:08AM +0200,
 Grace Ingabire <gingabire at rwandatel.rw> wrote 
 a message of 143 lines which said:

> I read on the net that secure bind in chrooted environment is an
> important security technique but I'm just wondering if it is
> secure enough?

Secure against what? It won't protect you against cache poisoning, for
instance.

And security is not a technique, it is a process. Continually
auditing, checking, upgrading, keeping an eye on new security issues
(such as the recent "NS ." attack), etc.

ns1.rwandatel.rw and ns2 are vulnerable to the "NS ." attack, by the
way. You should read
<https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful>.

> If not can anyone give me some tips on how to secure it.

Also, another question: why BIND? Sure, it is very good software but
there are other name servers which may be better (smaller code
footprint for instance) for security. Before deciding on a technique,
you should carefully choose your software.

For securing BIND, the absolute reference is
<http://www.cymru.com/Documents/secure-bind-template.html>
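The "NS ." problem mentioned above (an authoritative-only server answering
out-of-zone queries with a non-authoritative referral to the root name
servers) is easy to spot on the wire. The following script is an added
example written for this archive page; it is not part of the original
message or of BIND. It contains a minimal DNS wire-format parser and
classifies a response as an upward referral (AA=0, empty answer section,
NS records for "." in the authority section) or as a proper REFUSED reply.
The two sample packets are constructed inline (the query name
www.example.net, the root-server IP addresses and the transaction id are
all made-up values), so the check runs offline; the `probe()` helper sends
the same query to a server of your own over UDP and classifies the live
answer.

```python
import socket
import struct

# --- wire-format helpers (no third-party libraries) ----------------------

def _encode_name(name):
    """Encode a dotted name ("www.example.net." or ".") as DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234):
    """Standard query, RD=0: we are asking a server that should be
    authoritative-only, so we do not request recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off, hops = ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Parse header, skip the question, collect (owner, type, rdata) per section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[name].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), **sections}

# --- the actual check -----------------------------------------------------

NS = 2

def classify(parsed):
    """'refused' is the healthy answer for an out-of-zone query; an
    'upward-referral' is the behaviour the OARC article warns about."""
    if parsed["rcode"] == 5:
        return "refused"
    root_ns = [r for r in parsed["authority"] if r[0] == "." and r[1] == NS]
    if parsed["rcode"] == 0 and not parsed["aa"] and not parsed["answer"] and root_ns:
        return "upward-referral"
    return "other"

def probe(server, qname="www.example.net.", port=53, timeout=3.0):
    """Send one UDP query to a server you operate and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data))

# --- constructed sample packets (made-up values, for offline use) ---------

def _rr(owner, rtype, ttl, rdata):
    return _encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def _response(query, flags, answer=b"", authority=b"", additional=b"", counts=(0, 0, 0)):
    txid = query[:2]
    header = txid + struct.pack("!HHHHH", flags, 1, *counts)
    return header + query[12:] + answer + authority + additional

_QUERY = build_query("www.example.net.")

# QR=1, AA=0, RCODE=0, two root NS records plus glue: an upward referral.
SAMPLE_UPWARD_REFERRAL = _response(
    _QUERY, 0x8000,
    authority=_rr(".", NS, 518400, _encode_name("a.root-servers.net."))
            + _rr(".", NS, 518400, _encode_name("b.root-servers.net.")),
    additional=_rr("a.root-servers.net.", 1, 3600000, bytes([198, 51, 100, 1]))
             + _rr("b.root-servers.net.", 1, 3600000, bytes([198, 51, 100, 2])),
    counts=(0, 2, 2))

# QR=1, RCODE=5 (REFUSED), empty sections: what a hardened server should say.
SAMPLE_REFUSED = _response(_QUERY, 0x8005)
```

`classify(parse_response(SAMPLE_UPWARD_REFERRAL))` returns
`"upward-referral"` and the REFUSED sample returns `"refused"`; running
`probe("198.51.100.53")` against one of your own authoritative servers
(placeholder address) gives the same verdict on real traffic.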
