I don't want to get into a flamewar on what's the best DNS package to use, but because of this recent vulnerability I decided to re-evaluate my BIND setup, spent a couple hours researching, testing and cleaning it up to make it more secure. A good document I found that helped me was this:

http://www.acmebw.com/resources/papers/securing.pdf (or for Google's HTML version, which is what I used): http://216.239.51.100/search?q=cache:Lpi8rotBC_0C:www.acmebw.com/resources/papers/securing.pdf+recursion+bind+8&hl=en&ie=UTF-8

Some other tips for making your BIND more secure:

- run in chroot (-t option)
- run as non-root uid (-u/-g option)
- set up strict ACLs for zone transfers & queries
- use a remote syslog server and log everything to syslog
- blocking TCP/53 inbound seems to reduce exposure for the recent vulns, according to the ISS advisory.

I hope to get the time to write a doc myself about securing BIND, so many things to do and so little time! Hard to imagine I still seem to have almost no time even though I don't have a job anymore! Damn this clock! Moves too fast.

Of course you can always ditch BIND, which is probably a good idea for people who do not have the time or ability to keep up to date on the latest reports. For me, I plan to use it for the foreseeable future. Together with a syslog server, IDS, NIDS, firewall, ACLs and more I believe the risk (for me) is acceptable.

nate
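As an added example that is not part of nate's post or the paper he links, here is a minimal named.conf applying the ACL, recursion and syslog tips above, with the chroot invocation noted at the top; the network ranges, the chroot path and the zone name are assumed placeholders.

```conf
// Added example, not from the original post. Addresses, paths and zone are assumed.
// Started as:  named -t /var/named/chroot -u named -g named
//   -t chroots named; -u/-g drop root once the privileged port is bound.

acl "internal"    { 127.0.0.1; 192.0.2.0/24; };          // our own hosts (assumed)
acl "secondaries" { 198.51.100.5; 198.51.100.6; };       // our slave servers (assumed)

options {
    directory "/var/named";            // relative to the chroot, not the real root
    // Only our own hosts may use this server as a recursive resolver.
    allow-recursion { "internal"; };
    // Default for every zone: nobody may pull a full zone copy.
    allow-transfer  { none; };
    // Authoritative answers for the zones below may still go to anyone.
    allow-query     { any; };
};

logging {
    channel "to_syslog" {
        syslog daemon;                 // hand lines to syslogd, which forwards remotely
        severity info;
        print-category yes;
        print-severity yes;
    };
    category default  { "to_syslog"; };
    category xfer-in  { "to_syslog"; };   // zone transfers we receive
    category xfer-out { "to_syslog"; };   // zone transfers we serve (ACL hits show here)
    category security { "to_syslog"; };   // approved/denied requests
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; };   // override the global none for our slaves only
};
```

The remote forwarding itself is set up in syslog.conf (the daemon facility to the log host), not in named.conf.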