l�r, 2002-06-08 kl. 11:58 skrev Nick Drage: > > It depends what you want to do with it. And what DNS software you're > > running. I.e., if it's BIND, you can do more with BIND 9 than you can > > with BIND 8, more with BIND 8 than with BIND4.
> > Many security people might say that if you're running BIND 4 or 8, then > > you shouldn't be. Some of them again might say that you should be > > running BIND 9.2. > I believe that the latest BIND 8.something is still OK, and version 8 is > being maintained as far as security patches go. Yes, but as I wrote: You can do more with BIND 9 than with BIND 8. > As for the rest of the thread, you're best restricting that kind of access > using named.conf as the problem is at layer 7 - the BIND application, not > layer 3 - where netfilter mostly lives. Again yes, but if you have a blanket DROP policy, you're going to have to open up ports, aren't you? The question is, what ports and for which protocols and using what policies and what tools that iptables places at your disposition? Have a look at hping2 (and most probably other tools and craftsmanship, but hping2 is my favorite of all favorites) and see what nasty things you can do with it, if you want to, and then have a look at what you can drop with Netfilter, that BIND simply isn't capable of. Best, Tony -- Tony Earnshaw e-post: [EMAIL PROTECTED] www: http://www.billy.demon.nl gpg public key: http://www.billy.demon.nl/tonni.armor Telefoon: (+31) (0)172 530428 Mobiel: (+31) (0)6 51153356 GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
signature.asc
Description: Dette er en digitalt signert meldingsdel
