| 1 |
On 06/16/2014 03:57 PM, James wrote: |
| 2 |
> |
| 3 |
>> There's a video of DJB at the 27c3 conference floating around where he |
| 4 |
>> discusses some of this stuff. Some of his points shouldn't be taken |
| 5 |
>> seriously, but it's entertaining nevertheless. |
| 6 |
> |
| 7 |
> I thought DJB was mostly deprecated. He's still preaching dns security, |
| 8 |
> yet does not update his offernings? Interestingly strange. |
| 9 |
> |
| 10 |
|
| 11 |
He's a security researcher, not a system administrator. Most of his |
| 12 |
software is in the public domain if someone wants to maintain it. And |
| 13 |
while it's getting long in the tooth, e.g. djbdns still has one of the |
| 14 |
best track records for security -- you just won't get any new features. |
| 15 |
|
| 16 |
|
| 17 |
> Sven is great. So just the generic hardened remedies, nothing |
| 18 |
> special to DNS servers or services, from my quick parse of his |
| 19 |
> documents on hardened? |
| 20 |
|
| 21 |
Nothing specific to DNS, no. |
| 22 |
|
| 23 |
|
| 24 |
> Sven's also into "selinux". I see no selinux policies |
| 25 |
> or rules. Maybe I should drop him a line about selinux related to |
| 26 |
> dns primary servers? Surely a selinux policy for a primary only |
| 27 |
> selinux dns server would been keen? Not needed ? Overkill ? |
| 28 |
> I was going to read up a bit, before asking him questions I should |
| 29 |
> have discovered from robust research on the subject...... |
| 30 |
|
| 31 |
I personally don't use SELinux, so my opinion is "overkill." But that |
| 32 |
opinion is highly colored by a lazy reluctance to learn how it works. |
| 33 |
|
| 34 |
|
| 35 |
> |
| 36 |
> Ah, you've added to this iptables listing: |
| 37 |
> |
| 38 |
> http://wiki.gentoo.org/wiki/BIND/Tutorial |
| 39 |
> |
| 40 |
|
| 41 |
No! There's a dangerous mistake on that page that I've just fixed. This |
| 42 |
line, |
| 43 |
|
| 44 |
iptables -A INPUT -p tcp --sport 53 -j ACCEPT |
| 45 |
|
| 46 |
puts a big hole in your firewall for anyone smart enough to attack you |
| 47 |
from port 53. |
Archives