Great Circle Associates Firewalls
(October 1997)

Subject: Re: DNS on the Firewall - security problem
From: Adam Shostack <adam @ homeport . org>
Date: Fri, 10 Oct 1997 07:51:09 -0400 (EDT)
To: Marc . Heuse @ mail . DeuBa . COM
Cc: firewall-wizards @ nfr . net, firewalls @ GreatCircle . COM
In-reply-to: <199710091001 . MAA03049 @ marc . ksfw . esb . eur . deuba . com> from Marc Heuse at "Oct 9, 97 12:01:49 pm"

Marc Heuse wrote:

| I found so far two possibilities to solve this problem ...
| The first is to chroot named. pointer : www.homeport.org/~adam/dns.html
| The second is to just forward the dns resolving to a host in the dmz plus
| running also the primary external dns there.
| 
| Do you see any problems with these suggestions?
| And another question, are there any secure/minimal dns-servers out there?
| pointers?

Since I wrote the chrooting a named doc, I'll remind everyone that a
root process chrooted is not all that great an improvement in the
theoretical analysis.  It's a nice improvement in practicality, since
there is no egg* to overflow and break a chroot.  Thus, if you don't
put CHROOT/bin/sh in place, the standard attacks will fail, but a
smart attacker can still get in.  In practicality, there are few smart
attackers.

Adam

*An egg is the core of code that a buffer overflow includes to do the
real work.  It's the thing that hatches and gets you root.  See some
early l0pht advisory.  And make that "no egg generally available."



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
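A defender-side check that follows from the point above, added here as an illustration and not code from the original post or from the chroot-named document it mentions: a POSIX shell audit of a chroot jail that reports anything an injected payload could exec() once inside (shells and interpreters, setuid binaries, stray device nodes), plus a check that the daemon is not running as root. The jail layout, the list of interpreter paths, the allowed device nodes and the process name `named` are assumptions, not details from the page.

```shell
#!/bin/sh
# audit_chroot_jail DIR
#   Walks a chroot jail and prints one FINDING line per item that would
#   hand an attacker who lands inside the jail something useful.
#   Returns 0 when the jail is clean, 1 otherwise.
audit_chroot_jail() {
    jail=$1
    findings=0

    # 1. Shells and interpreters.  The classic overflow payload exec()s
    #    /bin/sh; with no shell inside the jail that step simply fails.
    #    (Path list is an assumption; extend it for your platform.)
    for f in bin/sh bin/bash bin/ksh bin/csh bin/busybox \
             usr/bin/perl usr/bin/python usr/bin/python3; do
        if [ -e "$jail/$f" ]; then
            echo "FINDING: interpreter present in jail: $f"
            findings=$((findings + 1))
        fi
    done

    # 2. Setuid/setgid files give a non-root compromise a way back up.
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n setuid/setgid file(s) inside jail"
        findings=$((findings + 1))
    fi

    # 3. Device nodes.  A root process can always mknod its own, which is
    #    the theoretical weakness the post describes, but nothing you leave
    #    behind should make that unnecessary.  Allowed set is an assumption.
    for d in $(find "$jail" \( -type b -o -type c \) 2>/dev/null); do
        rel=${d#"$jail"/}
        case "$rel" in
            dev/null|dev/zero|dev/random|dev/urandom|dev/log) ;;
            *)
                echo "FINDING: unexpected device node in jail: $rel"
                findings=$((findings + 1))
                ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# daemon_runs_unprivileged NAME
#   Returns 0 if every running process called NAME is owned by a non-root
#   user, 1 if any instance runs as root or none is running.  Uses only
#   the POSIX ps -o format.
daemon_runs_unprivileged() {
    name=$1
    owners=$(ps -eo user= -o comm= 2>/dev/null | awk -v n="$name" '$2 == n { print $1 }')
    [ -n "$owners" ] || { echo "FINDING: no process named $name is running"; return 1; }
    for u in $owners; do
        if [ "$u" = "root" ]; then
            echo "FINDING: $name is running as root"
            return 1
        fi
    done
    return 0
}

# Usage (assumed jail path):
#   audit_chroot_jail /var/named && daemon_runs_unprivileged named
```

Run it against the jail directory after populating it with the config, zone files and the few device nodes named needs; anything it reports is a thing the jail is supposed to not contain. The second function is the complement to the first: a clean jail only buys practical safety if the process inside it has also dropped root.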



