[afnog] Chrooted Bind

SM sm at resistor.net
Mon Feb 9 14:02:58 UTC 2009


Hi Grace,
At 01:12 09-02-2009, Grace Ingabire wrote:
>I have installed a chrooted bind 9.2 on centos 4 and would like to 
>ask your views about it.
>I read on the net that securing bind in a chrooted environment is an 
>important security technique but I'm just wondering if it is secure enough?
>If not can anyone give me some tips on how to secure it.

Bernard already explained why the chroot environment is 
recommended.  For your name server to be secure, make sure that it 
also has the updates and patches to address the latest vulnerabilities.

The second part of security is about operational issues.  For 
example, your nameserver should be configured so that it is not a source 
for DNS amplification attacks.  Separate the authoritative and recursive 
functions of your name server (RFC 5358).  If your customers are 
using the name server for name resolution, configure the (recursive) 
nameserver to allow queries from your network block only.

As Stephane mentioned, the Cymru secure bind template is a good 
reference.  Read the comments in the file as it explains why each 
option is used.  Then see how it applies to your needs and to your 
network environment.

I haven't covered all the security aspects as it is a vast 
topic.  The above should get you started.

Regards,
-sm  
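As an added illustration of the RFC 5358 advice in the reply above (this is not configuration from the original thread, the Cymru template, or ISC), here is a named.conf fragment that shows the open-resolver setting beside a corrected version using two views: one that recurses only for the operator's own clients, and one that serves authoritative data to everyone else without recursing.  The network block 192.0.2.0/24, the zone example.net, the file names and the secondary address 192.0.2.53 are placeholders chosen for the example.

```conf
// Added example; not from the original post or from any published template.
// Assumed placeholders: 192.0.2.0/24 (customer network), example.net (zone),
// 192.0.2.53 (a secondary that is allowed to transfer the zone).

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

// --- Weak: one server that recurses for anyone (an open resolver) ---
// Spoofed queries from the Internet get full recursive answers, which is
// exactly what a DNS amplification attack needs.
//
// options {
//     recursion yes;        // the default; nothing limits who may recurse
// };

// --- Corrected: recursion for own clients only, authoritative data for all ---
options {
    directory "/var/named";          // relative to the chroot when named runs with -t
    version "not disclosed";         // do not advertise the BIND version in CH TXT queries
    allow-transfer { none; };        // default for every zone; re-enabled per zone below
    allow-recursion { trusted; };    // RFC 5358: recurse only for the local network block
};

// Internal view: a full resolver for the customer network.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };
    zone "example.net" { type master; file "db.example.net"; };
};

// External view: answers only for zones it is authoritative for, never recurses.
view "external" {
    match-clients { any; };
    recursion no;
    additional-from-cache no;        // do not leak cached records into additional sections
    zone "example.net" {
        type master;
        file "db.example.net";
        allow-transfer { 192.0.2.53; };   // zone transfers only to the known secondary
    };
};
```

After reloading, check from a host outside 192.0.2.0/24 with `dig @<server> www.example.com A`: the answer should come back without the "ra" flag and without resolving the name, while the same query from inside the block resolves normally.  Two caveats: views on a single daemon are a convenient approximation of the separation RFC 5358 describes, and running the authoritative and recursive roles on different machines or addresses is the stronger option; and on BIND versions later than 9.2 that support `allow-query-cache`, set it to the same ACL as `allow-recursion`, otherwise outsiders can still read cached answers even though they cannot trigger recursion.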
