From owner-freebsd-security Thu Jun 4 13:22:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA27425 for freebsd-security-outgoing; Thu, 4 Jun 1998 13:22:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA27321 for ; Thu, 4 Jun 1998 13:22:28 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 20256 invoked by uid 1001); 4 Jun 1998 20:22:24 +0000 (GMT)
To: crowland@psionic.com
Cc: roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: Your message of "Mon, 1 Jun 1998 09:58:26 -0400 (EDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Thu, 04 Jun 1998 22:22:24 +0200
Message-ID: <20254.896991744@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Version 8.x has several new options that allow securing BIND more
> reasonably:
>
> -t - chroot() directory
> -u - UID to run under after bind()
> -g - GID to run under after bind()
>
> I have a web page up that describes how to run BIND 8.x under a chroot()
> environment under OpenBSD 2.x. A lot of the information should apply to
> FreeBSD as well. Here is the URL:
>
> http://www.psionic.com/papers/dns.html

Note that you may want to correct Step Seven on your Web page. Advising
people to block TCP access to port 53 is *not* a good idea, for the
following reasons:

- Normal DNS queries using TCP are perfectly legitimate.
- The spec states that if an answer is truncated (TC bit set), the query
  *should* be retried using TCP instead of UDP.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
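The TC-bit fallback that the reply above relies on can be seen in the wire format itself. The following is an added illustration, not code from the mailing list or from BIND: it parses the fixed 12-byte DNS header (RFC 1035 section 4.1.1), reports whether a UDP answer was truncated, and shows the 2-byte length prefix that DNS over TCP adds to each message, which is what a resolver sends when it retries over TCP. The sample replies are constructed inline; the function names are the example's own.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 sec. 4.1.1).
QR_BIT = 0x8000      # 1 = this message is a response
TC_BIT = 0x0200      # 1 = answer was truncated to fit the UDP datagram
RD_BIT = 0x0100      # recursion desired
RCODE_MASK = 0x000F  # response code in the low four bits

HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header into a dict of its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "is_response": bool(flags & QR_BIT),
        "truncated": bool(flags & TC_BIT),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """A resolver should retry over TCP when the UDP answer carries TC=1.

    If TCP/53 is filtered, this retry never completes and the client is left
    with a truncated answer it must not trust as complete.
    """
    h = parse_header(udp_reply)
    return h["is_response"] and h["truncated"]


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard query (RD=1, class IN) for `name`."""
    header = struct.pack("!HHHHHH", ident, RD_BIT, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def retry_plan(query: bytes, udp_reply: bytes):
    """Return the TCP-framed query to resend, or None if the UDP answer is usable."""
    return frame_for_tcp(query) if needs_tcp_retry(udp_reply) else None


# Constructed sample replies (header only; question/answer sections omitted).
# 0x8380 = QR | RD | RA | TC ; 0x8180 = QR | RD | RA (no truncation).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query(0x1234, "example.com.")
    print("truncated reply ->", parse_header(TRUNCATED_REPLY))
    print("retry over TCP? ", needs_tcp_retry(TRUNCATED_REPLY))
    print("TCP frame length prefix:", frame_for_tcp(q)[:2].hex())
    print("complete reply needs retry?", needs_tcp_retry(COMPLETE_REPLY))
```

The point for a firewall policy follows directly from `retry_plan`: once the UDP answer comes back with TC set, the only correct next step is the TCP-framed resend, so a rule that drops TCP/53 turns every large answer into a resolution failure rather than a smaller attack surface.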