On Thu, Sep 03, 2015 at 11:02:23PM +0200, Reindl Harald wrote:
> On 03.09.2015 at 22:59, Robert Moskowitz wrote:
> >On 09/03/2015 04:35 PM, Leandro wrote:
> >>Ok ...
> >>I got BIND 9.10.2-P3 working.
> >>I compiled with
> >>
> >>./configure --with-openssl --enable-threads --with-libxml2
> >>--with-libjson
> >>make
> >>make install
> >>
> >>JSON statistics channel is working and chroot is no longer
> >>mandatory.
> >
> >But do make sure you have selinux enforced. Or run behind
> >multiple firewalls...
>
> behind *multiple firewalls* - ?!?! - oh come on and get serious
> instead of promoting snakeoil -

I quite agree here. Firewalls that attempt to filter DNS have terrible reputations for *breaking* DNS. A single firewall is bad enough; multiple firewalls sounds like a disaster.

> typically BIND is *not* running as root and hence does not need
> any special handling compared to any other network service

I don't know if we can say what is "typical". We can say, for running on Linux at least, that running as root is safe. A compromised named would get root after having dropped superuser privileges, so it wouldn't be able to do much.

Regardless, again I quite agree that special handling is not necessary. Look at the various BIND9 security announcements over the years. When have you seen one which involved a compromise of any kind? I cannot say with authority that BIND9 has never had a compromise, but I am confident in saying I have never seen one.

https://www.isc.org/blogs/summer_security_vulnerabilities/ is a recent blog posting which discusses this in detail.

> get rid of the horror stories from the 1990's..............

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: