On Sun, 30 Dec 2001 11:18, Petre Daniel wrote: > Well,i know Karsten's on my back and all,but i have not much time to > learn,and too many things to do at my firm,so i am asking if one of you has > any idea how can bind be protected against that DoS attack and if someone > has some good firewall for a dns server ( that resolves names for internal > clients and also keeps some .ro domains) please post it to the list.. both > ipchains and iptables variants are welcome.. > thank you.
Which DOS attack are you referring to? For making bind secure I suggest running it as non-root using authbind and build your kernel with OpenWall, LSM, or GRSecurity so that stack overflows don't get anywhere. Then have a script to restart it if it dies. Also don't allow recursion from outside machines. Another possibility is to have the port for outgoing connections be something other than 53 (54 seems unused) and use iptables or ipchains to block data from the outside world coming to port 53. -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
