On Tue, Sep 02, 2003 at 09:55:41PM -0400, Jason Dixon wrote:
> On Tue, 2003-09-02 at 21:44, NfoCipher wrote:
> > On Tue, 2003-09-02 at 20:18, Marc Adler wrote:
> >
> > > I will, but I don't understand why running your own name server is bad.
> > It's not bad if you're behind a firewall of some sort. Mostly a matter
> > of opinion. The only time you need to secure a dns server is if your
> > port 53 tcp is open to the world. So you're gonna have the crowd that
> > will say, don't run it unless you just need to, and the other side that
> > says, it's there, it's useful, why not use it.

I'm in the crowd that says that you do not run *any* service unless you need it. If you don't need it, turn it off. If you don't need the package, remove it. The less things on the system and the less running, the better. We don't need, or want, another IIS with a gazillion open services just waiting to be exploited.

I run my own name server at home, but then I need it. I also do not have port 53 open through my firewall. External hosts use an external nameserver. Internal hosts use my internal nameserver. The downside of running servers on a dynamic IP address...

> Wrong. DNS uses 53/tcp for zone transfers, 53/udp for normal queries.
> Just because you filter against TCP doesn't mean a future remote exploit
> against the resolution libraries couldn't endanger your box.

This is true for every service. If you don't need it, turn it off. I vote with Jason on this one, although he could have said it a bit more diplomatically :-).

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program