[H-GEN] named on RedHat 7.x

Bruce Campbell bc at humbug.org.au
Fri Aug 9 03:24:01 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Thu, 8 Aug 2002, Robert Brockway wrote:

> On Thu, 8 Aug 2002, Ewan Edwards wrote:
>
> > A colleague of mine has recently set up DNS on a RedHat box at home and
> > has asked why the default setup seems to have 5 instances of named running
>
> Normally a few copies are pre-forked to improve performance for remote

( Note, this depends on the specific version and configuration of BIND )

> > I assume that if there is no good reason to maintain 5 instances, the next
> > question will be asking how to configure it to run, say, only one instance.
>
> Unless he is managing a domain or needing a local caching dns server there
> is no need to run _any_ copies of named.  If he is needing named I'd leave

Unfortunately, or fortunately, with any computer connected to a
moderate-size network, there is a need for a local DNS cache.  We've
recently had a design decision of one of my predecessors bite us quite
spectacularly when our main DNS caching nameserver was down for an
extended period, and the company stopped for that period.

So, all of our machines now happily run a local nameserver.

> You seem to have many dns servers running :)  It is best to avoid running
> daemons when they are un-needed.  They bind to a port and theoretically
> can be exploitable.

It is true that all nameserver software sucks in one way or another,
whether by being exploitable, not adhering to standards, having
non-intuitive configuration interfaces (or none), not relinquishing
privileges appropriately, or combinations thereof.

However, a lot of the possible damage can be mitigated by ensuring that
it:

	*) Runs as a separate user once it has bound to the port.
	*) Runs in its own little chroot(8) or jail(8) environment.
	*) Is carefully limited in what it will do.

For DNS caching nameservers inside your firewall, they don't need to be
queryable from the outside.

--==--
Bruce.


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
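An added example (not part of Bruce's post or any RedHat default file) showing what the three mitigations and the "not queryable from outside" rule look like for a caching-only BIND 9 resolver. The addresses, the chroot path /var/named/chroot and the unprivileged account "named" are assumptions for illustration.

```conf
// Added example: caching-only BIND 9 named.conf for a resolver that sits
// inside the firewall. Assumed values: internal network 192.168.0.0/16,
// LAN address 192.168.1.10, chroot /var/named/chroot, user "named".
//
// Start it so that it binds port 53 as root, then chroots and drops to
// the unprivileged user (paths below are relative to the chroot):
//
//     named -u named -t /var/named/chroot -c /etc/named.conf

acl "internal" { 127.0.0.1; 192.168.0.0/16; };

options {
    directory "/var/named";            // inside the chroot, not the real root
    pid-file  "/var/run/named.pid";

    // Only listen on, and answer, the inside. Anyone else gets REFUSED.
    listen-on       { 127.0.0.1; 192.168.1.10; };
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
    allow-transfer  { none; };         // a cache has nothing to transfer

    // This box is a resolver, not an authority: recurse for inside hosts,
    // and do not advertise the software version to whoever asks.
    recursion yes;
    version "not disclosed";
};

// The only zone a pure cache needs: the root hints.
zone "." IN {
    type hint;
    file "named.root";
};
```

The check after starting it: "ps" should show named running as the unprivileged user, and a query sent from an address outside the "internal" ACL (for example "dig @192.168.1.10 www.example.com" from the far side of the firewall, if the firewall lets it through at all) should come back with status REFUSED rather than an answer.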