Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3
Severity: wishlist

BIND named is a great candidate for enabling systemd hardening features, since it has very limited required access to the local file system and a long history of security issues due to its complexity.
I'm currently using the following settings on jessie without any impact, although I'm not using dynamic DNS or a few other things that may make a difference. jessie had much more limited options; there are other options now available in newer systemd, and I didn't start looking at system call filtering.

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

CAP_DAC_OVERRIDE is required for rndc to read /etc/bind/rndc.key; a possible alternative would be to find a way to run it as the bind user instead.

It's possible that you could drop CAP_SETGID and CAP_SETUID and instead let systemd switch to the bind user, and put CAP_NET_BIND_SERVICE into the ambient capability set instead so that it can still bind to a low-numbered port.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser               3.115
ii  bind9utils            1:9.10.3.dfsg.P4-12.3
ii  debconf [debconf-2.0] 1.5.61
ii  init-system-helpers   1.48
ii  libbind9-140          1:9.10.3.dfsg.P4-12.3
ii  libc6                 2.24-11
ii  libcap2               1:2.25-1
ii  libcomerr2            1.43.4-2
ii  libdns162             1:9.10.3.dfsg.P4-12.3
ii  libgeoip1             1.6.9-4
ii  libgssapi-krb5-2      1.15-1
ii  libirs141             1:9.10.3.dfsg.P4-12.3
ii  libisc160             1:9.10.3.dfsg.P4-12.3
ii  libisccc140           1:9.10.3.dfsg.P4-12.3
ii  libisccfg140          1:9.10.3.dfsg.P4-12.3
ii  libk5crypto3          1.15-1
ii  libkrb5-3             1.15-1
ii  liblwres141           1:9.10.3.dfsg.P4-12.3
ii  libssl1.0.2           1.0.2l-1
ii  libxml2               2.9.4+dfsg1-2.2
ii  lsb-base              9.20161125
ii  net-tools             1.60+git20161116.90da8a0-1
ii  netbase               5.4

bind9 recommends no packages.
Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.10.3.dfsg.P4-12.3
pn  resolvconf  <none>
pn  ufw         <none>

-- debconf information:
  bind9/start-as-user: bind
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
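The settings from the report, written out as a systemd drop-in so they can be tried without editing the packaged unit. This is an added example, not something shipped by the bind9 package or posted by the reporter. It assumes the stock Debian unit is named bind9.service and starts named as "/usr/sbin/named -f -u bind"; the second variant (the alternative the report mentions but did not test) additionally assumes that everything named must read, including /etc/bind/rndc.key, is readable by the bind user, since CAP_DAC_OVERRIDE is no longer in the bounding set.

```ini
# /etc/systemd/system/bind9.service.d/hardening.conf
# Added example built from the settings in this bug report; not part of the
# bind9 package. File path, unit name and ExecStart line are assumptions
# about the stock Debian unit.
[Service]

# Variant A: the settings the report says run on jessie. named still starts
# as root and drops to the bind user itself (the "-u bind" in the package's
# ExecStart), which is why CAP_SETUID and CAP_SETGID stay in the bounding
# set. CAP_DAC_OVERRIDE is there so that /etc/bind/rndc.key can be read.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

# Variant B (the report's untested alternative): let systemd switch to the
# bind user before exec, so CAP_SETUID/CAP_SETGID can be dropped, and hand
# named CAP_NET_BIND_SERVICE through the ambient set so an unprivileged
# process can still bind port 53. Use these lines *instead of* the
# CapabilityBoundingSet= line above. The empty "ExecStart=" clears the
# package's command line before the new one (without "-u bind") is set.
# Requires rndc.key and the rest of /etc/bind to be readable by user bind.
#User=bind
#Group=bind
#AmbientCapabilities=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#ExecStart=
#ExecStart=/usr/sbin/named -f
```

After installing the drop-in, run "systemctl daemon-reload" and "systemctl restart bind9", then check the effective values with "systemctl show bind9 -p CapabilityBoundingSet -p NoNewPrivileges -p ProtectSystem" and confirm that rndc status and a zone transfer or dynamic update (if used) still work, since those are the paths the report says were not exercised. On systemd 240 or newer, "systemd-analyze security bind9" gives a per-setting summary of what is still open.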