On 10/21/2011 09:17 PM, Randy McMurchy wrote:
> On 10/21/2011 7:20 PM, luxInteg wrote:
>> I would thus be grateful to
>> know from anyone on list experienced with kerberos and bind what are the
>> security implications of running dns on a kdc.
>
> I have done exactly what you are looking to do. I feel that as long
> as you set up Kerberos properly (I've always used Heimdal), there
> should be no problem creating a DNS server on the same machine.
>
> Bruce is a good authority on Bind and DNS (as is DJ), and either of
> them could provide additional helpful information. But from the
> Kerberos side of things, just ensure that the installation is set
> up properly (permissions on the database directory and the /etc
> files).
>
Yes, bind runs locally on my authentication server, in a chroot jail as per the installation and configuration instructions in BLFS. That said, chroot is not an end-all be-all of security, as Randy mentioned above. The more services you have on a box, the more vulnerable you are, plain and simple. If for nothing else, it gives more potential for exploits and even simple denial of service attacks. That said, I know that risk exists and personally I do take that (minimal, IMO) risk for the example you have posted. Of course, everything is locked down to the outside world; even internally my routing and network division probably stinks of insanity by most people's standards.

OT: After watching the long BackTrack Linux demo (highly recommended if you've never studied security, as it gives a nice overview of penetration testing without getting super complex; and even if you have studied, it is fun to watch the simplicity of it), I've added even more firewall rules to further isolate my VLANs. :-)

-- 
DJ Lucas

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
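As an added example (not from the thread or from BLFS), the checks Randy and DJ describe, written as a small audit script: the Heimdal database directory and master-key stash must be root-only, the config files under /etc must not be world-writable, and the running named must have a root other than /. The paths are assumptions for a BLFS-style install and should be adjusted to the real layout.

```shell
#!/bin/sh
# Added audit helper for a KDC that also runs BIND. Paths below are assumed
# (adjust to your install); the chroot check must run from the host, not
# from inside the jail, because /proc/PID/root is shown relative to the reader.
KDC_DB_DIR=${KDC_DB_DIR:-/var/lib/heimdal}          # assumed Heimdal database dir
KDC_STASH=${KDC_STASH:-/var/lib/heimdal/m-key}      # assumed master-key stash
CONF_FILES=${CONF_FILES:-"/etc/krb5.conf /etc/heimdal/kdc.conf /etc/named.conf"}

# check_mode PATH MODE OWNER -> 0 if PATH exists with exactly that mode/owner
check_mode() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    got=$(stat -c '%a %U' "$1") || return 1          # GNU stat, as on LFS
    [ "$got" = "$2 $3" ] && return 0
    echo "BAD $1: have '$got', want '$2 $3'"; return 1
}

# not_world_writable PATH -> 0 unless the "other" write bit is set
not_world_writable() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    case $(stat -c '%a' "$1") in
        *[2367]) echo "WORLD-WRITABLE $1"; return 1 ;;
    esac
    return 0
}

# named_is_chrooted PID -> 0 if the process root differs from the real /
named_is_chrooted() {
    root=$(readlink "/proc/$1/root" 2>/dev/null) || return 1
    [ "$root" != "/" ]
}

# audit -> exit status is the number of failed checks
audit() {
    fails=0
    check_mode "$KDC_DB_DIR" 700 root || fails=$((fails + 1))
    check_mode "$KDC_STASH" 600 root || fails=$((fails + 1))
    for f in $CONF_FILES; do
        not_world_writable "$f" || fails=$((fails + 1))
    done
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    if [ -n "$pid" ]; then
        named_is_chrooted "$pid" || { echo "named ($pid) NOT chrooted"; fails=$((fails + 1)); }
    else
        echo "named not running"
    fi
    echo "failed checks: $fails"
    return $fails
}

# Run the audit only when invoked as: sh kdc-audit.sh --run
case "${1:-}" in --run) audit; exit $? ;; esac
```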