On 06/16/2014 03:57 PM, James wrote:
>
>> There's a video of DJB at the 27c3 conference floating around where he
>> discusses some of this stuff. Some of his points shouldn't be taken
>> seriously, but it's entertaining nevertheless.
>
> I thought DJB was mostly deprecated. He's still preaching dns security,
> yet does not update his offerings? Interestingly strange.
>

He's a security researcher, not a system administrator. Most of his
software is in the public domain if someone wants to maintain it. And
while it's getting long in the tooth, e.g. djbdns still has one of the
best track records for security -- you just won't get any new features.


> Sven is great. So just the generic hardened remedies, nothing
> special to DNS servers or services, from my quick parse of his
> documents on hardened?

Nothing specific to DNS, no.


> Sven's also into "selinux". I see no selinux policies
> or rules. Maybe I should drop him a line about selinux related to
> dns primary servers? Surely a selinux policy for a primary only
> selinux dns server would be keen? Not needed? Overkill?
> I was going to read up a bit, before asking him questions I should
> have discovered from robust research on the subject...

I personally don't use SELinux, so my opinion is "overkill." But that
opinion is highly colored by a lazy reluctance to learn how it works.


>
> Ah, you've added to this iptables listing:
>
> http://wiki.gentoo.org/wiki/BIND/Tutorial
>

No! There's a dangerous mistake on that page that I've just fixed. This
line,

iptables -A INPUT -p tcp --sport 53 -j ACCEPT

puts a big hole in your firewall for anyone smart enough to attack you
from port 53.
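A small model of why that rule is a hole, added here as an example that is not part of the thread: it runs constructed packets through a first-match chain containing the wiki's `--sport 53` line and through a conntrack-based alternative (the chains, packets and the stateful replacement are my assumptions for illustration, not the fix that was applied to the wiki page).

```python
# Added example, not from the thread: a tiny model of iptables first-match
# evaluation to show why `--sport 53 -j ACCEPT` is a hole. Packets, rules
# and both chains are constructed for illustration; the conntrack state is
# supplied per packet instead of being tracked.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    state: str        # conntrack view: "NEW" or "ESTABLISHED"


@dataclass
class Rule:
    target: str       # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every criterion given on the rule must hold, like iptables options.
        checks = ((self.proto, p.proto), (self.sport, p.sport),
                  (self.dport, p.dport), (self.state, p.state))
        return all(want is None or want == got for want, got in checks)


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    # First matching rule wins; the chain policy applies if none matches.
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Chain with the wiki line: anything whose *source* port is 53 is trusted.
FLAWED = [Rule("ACCEPT", proto="tcp", sport=53),
          Rule("ACCEPT", proto="tcp", dport=53),
          Rule("ACCEPT", proto="udp", dport=53)]

# Assumed replacement: admit replies via connection tracking, then the
# DNS service port; the source port is never used as a trust signal.
STATEFUL = [Rule("ACCEPT", state="ESTABLISHED"),
            Rule("ACCEPT", proto="tcp", dport=53),
            Rule("ACCEPT", proto="udp", dport=53)]

# Constructed packets: a new connection to port 22 carrying source port 53,
# a reply to the server's own outbound TCP DNS query, and an incoming query.
FORGED_SPORT = Packet("tcp", 53, 22, "NEW")
DNS_REPLY = Packet("tcp", 53, 40123, "ESTABLISHED")
DNS_QUERY = Packet("udp", 51000, 53, "NEW")


def compare(p: Packet) -> Tuple[str, str]:
    # Verdict under the flawed chain and under the stateful chain.
    return evaluate(FLAWED, "DROP", p), evaluate(STATEFUL, "DROP", p)
```

The forged-source-port packet is the only one where the two chains disagree: the flawed chain accepts it, the stateful chain drops it, while legitimate replies and queries pass both.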