[H-GEN] Stopping nameserver lookup for local subnet

David Jericho davidj at webmatchit.com.au
Wed Feb 14 18:45:19 EST 2001


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

On Wed, Feb 14, 2001 at 07:48:12PM +1000, staeci at yahoo.com wrote:
> I'd disagree about running a DNS server if you don't *actually need*
> it.  One less service which can be compromised is a good thing.

Well, a simple list of things you need to do, all of which are quite basic.

1) Chroot it. Chrooting BIND takes a whole 5 minutes, and it minimizes the
	effect of an intrusion. Having said that, a talented person can often
	escape a chroot by some means.
2) Set the listening IP to be the LAN side of your gateway.
3) Don't allow packets to be routed through from the outside in.
4) Keep on top of BIND updates. You do that with the rest of your software, no?

Plus, you'll probably find that your data is 0wnz'ed by an OutLook client ;)

-- 
David Jericho, Systems Administrator
WebMatchIT Interactive Marketing

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
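The steps listed in the reply above, shown as an added example that is not part of the original post or of the Humbug list. It puts steps 1 to 3 into a BIND `named.conf` fragment beside the weak setting it replaces, shows the gateway firewall rules for step 3, and includes a small check that flags a config which still listens on every interface. The LAN address 192.168.1.1/24, the chroot path /var/named, and the external interface name eth0 are all assumed for illustration; `named -u` and `named -t` are BIND's real privilege-drop and chroot flags.

```shell
#!/bin/sh
# Added example (not from the original post): hardened vs. weak named.conf
# for a gateway resolver, the matching firewall rules, and a check function.
# Addresses, paths and interface names are constructed for illustration.

# Step 1: run named chrooted and unprivileged, e.g.
#   named -u named -t /var/named
# so the "directory" below is resolved inside /var/named.
# Step 2: listen only on the LAN-side address (192.168.1.1 is assumed).
HARDENED_CONF='
options {
    directory "/etc";                           // inside the chroot /var/named
    listen-on { 192.168.1.1; };                 // LAN address only, never the external one
    allow-query { 192.168.1.0/24; localhost; }; // answer the LAN, nobody else
    recursion yes;
    allow-recursion { 192.168.1.0/24; localhost; };
};
'

# The weak setting for comparison: listens on every interface, including the
# internet-facing one, and answers anyone who asks.
WEAK_CONF='
options {
    directory "/etc";
    listen-on { any; };
    allow-query { any; };
};
'

# Step 3: on the gateway, drop inbound DNS arriving on the external
# interface (eth0 assumed) so only the LAN can reach the resolver.
firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -i eth0 -p udp --dport 53 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 53 -j DROP
EOF
}

# Returns 0 when the config has a listen-on that is not "any",
# 1 when it listens everywhere or has no listen-on statement at all.
check_listen_on() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q 'listen-on' || return 1
    printf '%s\n' "$conf" | grep -q 'listen-on[[:space:]]*{[[:space:]]*any' && return 1
    return 0
}

check_listen_on "$HARDENED_CONF" && echo "hardened: listen-on restricted to the LAN"
check_listen_on "$WEAK_CONF" || echo "weak: named listens on all interfaces"
```

The check is deliberately narrow: it only catches the "listen on everything" case from step 2, and a config without `allow-query` or run outside a chroot still passes it, so treat it as one test among the four steps rather than a substitute for them.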
