> On Wed, 2003-09-03 at 10:26, Benjamin J. Weiss wrote:
> > > However, the local caching nameserver could be an appropriate solution
> > > iff the ISP is continuously negligent of DNS service problems and Marc
> > > invests the time to learn how to properly secure such a service.
> >
> > As a person who is standing up a linux DNS (yes, it's necessary), I just
> > want to double check: The only three ways that *I* know of to secure DNS are
> > (1) to ensure that I'm running the latest version from RedHat via up2date,
> > (2) to have it run as the 'named' user instead of as root, and (3) to chroot
> > jail the process.
> >
> > Am I missing anything here?
>
> (4) Don't run Bind DNS. djbdns is a very secure alternative from D.J.
> Bernstein, the same guy that brought us qmail.
> (5) Other OS-tightening methods that aren't DNS-specific and too
> numerous to mention here.
Well, on (4), I'm gonna stick with bind. I know that it's not as secure, but redhat supports it, which makes it easier for me to keep current on updates. Also, since I'm not the one who's going to maintain the tables, and our network admin is better with the gui that redhat provides than he is with the files...you get the idea.

On (5), I've done all that. Un-installed unused services, blocked all ports not intended to serve outside customers, etc. I keep up to date on all the patches, etc.

I was just looking for other ways to secure bind. I guess I'm doing okay, then. :)

Ben

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
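Points (2) and (3) in Ben's list (named dropping root, named living in a chroot) are the two that can be verified against the live process instead of assumed from the init script. The following is an added example written for this thread, not code from the list or from Red Hat: it reads /proc on Linux, and the process name `named`, the chroot path `/var/named/chroot` (the bind-chroot package layout of the time) and the `SAMPLE_STATUS` text are assumptions or constructed data that you can adjust for your own box.

```python
"""Audit a running named process for two of the hardening points from the
thread: it is not running as root, and it is confined to a chroot.

Added example for this thread (not code from the list or from Red Hat).
It reads the Linux /proc filesystem. The process name 'named' and the
chroot path /var/named/chroot are assumptions taken from the Red Hat
bind-chroot layout of the time; override them if your box differs.
"""
import os
import sys

PROCESS_NAME = "named"                 # assumption: how named shows up in /proc
EXPECTED_CHROOT = "/var/named/chroot"  # assumption: bind-chroot package path

# Constructed sample of /proc/<pid>/status for a properly dropped named
# (uid 25 is the 'named' account on Red Hat of that era; assumption).
# Uid/Gid columns are: real, effective, saved, filesystem.
SAMPLE_STATUS = (
    "Name:\tnamed\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1234\n"
    "Uid:\t25\t25\t25\t25\n"
    "Gid:\t25\t25\t25\t25\n"
)


def parse_status(text):
    """Return (name, uid, euid) from the text of /proc/<pid>/status."""
    name, uid, euid = None, None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        elif key == "Uid":
            fields = value.split()
            uid, euid = int(fields[0]), int(fields[1])
    if uid is None:
        raise ValueError("no Uid: line in status text")
    return name, uid, euid


def evaluate(uid, euid, root_target, expected_chroot=EXPECTED_CHROOT):
    """Pure check on already-collected facts; returns a list of findings.
    An empty list means the process passes both checks."""
    findings = []
    if uid == 0 or euid == 0:
        findings.append("runs with root privileges (uid=%d euid=%d)" % (uid, euid))
    if os.path.normpath(root_target) == "/":
        findings.append("not chrooted (/proc/<pid>/root points at /)")
    elif os.path.normpath(root_target) != os.path.normpath(expected_chroot):
        findings.append("chrooted to %s, expected %s" % (root_target, expected_chroot))
    return findings


def audit_status_text(text, root_target, expected_chroot=EXPECTED_CHROOT):
    """Evaluate from status text plus the readlink() result of .../root."""
    _, uid, euid = parse_status(text)
    return evaluate(uid, euid, root_target, expected_chroot)


def find_named_pids(proc="/proc", name=PROCESS_NAME):
    """PIDs whose /proc/<pid>/status Name: field matches (default 'named').
    Uses the status file rather than 'comm' so it works on old kernels."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                pname, _, _ = parse_status(fh.read())
        except (OSError, ValueError):
            continue  # process exited between listdir and open, or unreadable
        if pname == name:
            pids.append(int(entry))
    return pids


def audit_pid(pid, proc="/proc", expected_chroot=EXPECTED_CHROOT):
    """Collect uid/euid and the root link of one process and evaluate them.
    readlink() on another user's /proc/<pid>/root needs root (or ptrace
    rights), so run this as root when checking a real named."""
    with open(os.path.join(proc, str(pid), "status")) as fh:
        _, uid, euid = parse_status(fh.read())
    root_target = os.readlink(os.path.join(proc, str(pid), "root"))
    return evaluate(uid, euid, root_target, expected_chroot)


def self_audit():
    """Run the checks against this interpreter, to see what an
    un-dropped, un-chrooted process looks like in the report."""
    return audit_pid(os.getpid())


if __name__ == "__main__":
    # Worked run on the constructed sample first, then on any live named.
    print("sample:", audit_status_text(SAMPLE_STATUS, EXPECTED_CHROOT) or "ok")
    pids = find_named_pids()
    if not pids:
        print("no named process found")
    failed = False
    for pid in pids:
        findings = audit_pid(pid)
        failed = failed or bool(findings)
        print("pid %d: %s" % (pid, "; ".join(findings) or "ok"))
    sys.exit(1 if failed else 0)
```

Run it as root on the DNS box after (re)starting named; a clean run prints `ok` for every named PID, and a non-zero exit is what you want a cron job or init-script wrapper to notice. Point (1), being current on the RedHat package, is left to `up2date` itself; this only confirms the process that ended up running is the de-privileged, jailed one.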