Marc Heuse wrote:
| I found so far two possibilities to solve this problem ...
| The first is to chroot named. pointer : www.homeport.org/~adam/dns.html
| The second is to just forward the dns resolving to a host in the dmz plus
| also running the primary external dns there.
| Do you see any problems with these suggestions?
| And another question, are there any secure/minimal dns-servers out there?
Since I wrote the chrooting a named doc, I'll remind everyone that a
root process chrooted is not all that great an improvement in the
theoretical analysis. It's a nice improvement in practicality, since
there is no egg* to overflow and break a chroot. Thus, if you don't
put CHROOT/bin/sh in place, the standard attacks will fail, but a
smart attacker can still get in. In practicality, there are few smart
*An egg is the core of code that a buffer overflow includes to do the
real work. It's the thing that hatches and gets you root. See some
early l0pht advisory. And make that "no egg generally available."
"It is seldom that liberty of any kind is lost all at once."