[ale] Masquerading and DNS

Jim Popovitch jimpop at yahoo.com
Wed Oct 3 17:14:55 EDT 2001


Instead of letting named run all over the place, just bind it to the
internal segment only.  Something like this in your options section
should work:

  listen-on { 192.168.1.0/24; 127.0.0.1; };  // the internal segment as a prefix, plus loopback

-Jim P.

--- Transam <transam at cavu.com> wrote:
> > I would set up named as a caching name server only.  Then you can use dig to
> > update the database of upstream servers every day.  You never use the ISP's
> > DNS server.  The caching may speed things up a bit as well
> 
> If you use DNS on your firewall then be sure to use named's -u and -g flags
> to cause it to switch to another user than root once it opens ports 53
> (UDP and TCP).  You also might want to set up your IP Chains/Tables rules
> to allow 53 through your external interface ONLY to your ISP's name servers.
> 
> This will reduce the likelihood of a cracker being able to attack and to
> minimize the consequences if he does.  Create a separate user and group,
> e.g. "named", to use.  Don't use "apache" or "nobody" as these should be
> used only for Apache and NFS, respectively.
> 
> Named is one of the likeliest vulnerabilities of Linux.  Be sure yours
> is up-to-date, of course.
> 
> I deliberately do not run a caching name server on my systems to avoid this
> whole headache.
> 
> Bob Toxen
> transam at cavu.com                       [Bob's ALE Bulk email]
> bob at cavu.com                           [Please use for email to me]
> http://www.cavu.com
> http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
> http://www.cavu.com/sunset.html        [Sunset Computer]
> Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
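
A small audit script for the two hardening points raised in this exchange (named bound only to the internal segment and loopback, and running without root after -u/-g). This is an added example, not code from either post; it parses netstat/ps style text, the 192.168.1.0/24 segment and the sample lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks that named listens only on
# the internal segment/loopback and has dropped root (-u/-g), parsing
# netstat/ps style text so it can run on constructed sample lines.
# Assumed internal /24 (as a dotted-quad string prefix) plus loopback.
ALLOWED_PREFIXES="192.168.1. 127.0.0.1"
# addr_allowed ADDR: succeed if ADDR begins with an allowed prefix.
addr_allowed() {
    for p in $ALLOWED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# audit_listeners: read `netstat -lnp` style lines on stdin; report every
# port-53 socket bound outside the allowed set (0.0.0.0 and ::: included).
audit_listeners() {
    bad=0
    while read -r proto rq sq laddr rest; do
        case "$proto" in tcp|udp|tcp6|udp6) ;; *) continue ;; esac
        addr=${laddr%:*} port=${laddr##*:}
        [ "$port" = 53 ] || continue
        if ! addr_allowed "$addr"; then
            echo "named bound outside internal segment: $proto $laddr"; bad=1
        fi
    done
    return $bad
}

# audit_user: read `ps -eo user,args` style lines on stdin; report any named
# process still running as root (i.e. started without -u/-g).
audit_user() {
    bad=0
    while read -r user cmd args; do
        case "${cmd##*/}" in named) ;; *) continue ;; esac
        if [ "$user" = root ]; then
            echo "named running as root: $cmd $args"; bad=1
        fi
    done
    return $bad
}
# Constructed samples (not captured from a real host): the wildcard TCP
# socket and the root process are the expected findings.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1234/named
udp 0 0 192.168.1.1:53 0.0.0.0:* 1234/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1234/named'
SAMPLE_PS='root /usr/sbin/named
named /usr/sbin/named -u named -g named'
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners || echo "listener audit: FAIL"
printf '%s\n' "$SAMPLE_PS" | audit_user || echo "user audit: FAIL"
```

On a real firewall, feed it `netstat -lnp` and `ps -eo user,args` output instead of the samples; a non-zero return from either function means one of the two settings above has not taken effect.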

