Re: chroot'ed dns
On Thu, 25 Apr 2002, Anand Buddhdev wrote:

> On Wed, Apr 24, 2002 at 11:28:34PM +0100, Bill Crawford wrote:
>
> > Could I please recommend (from having seen it attempted in commercial
> > setting) NOT using djbdns? We saw a lot of problems with it including
> > occasional fits where it would stop answering queries altogether.
>
> Huh? First time I heard of such a claim with djbdns. Can you reproduce
> the problem? Did you report the problem or bug to the author? Observing
> that "djbdns stopped answering queries" without doing a proper analysis
> of the problem isn't fair.

I wasn't responsible for installing it, but it was pulled out of production use after a fairly brief, ah, experiment. It worked fine on a test system, but under load became unreliable, with large delays or failure to respond, culminating in catatonia. The guys who tried it out are technically sound, and the test box was similar to the production version. It only happened with a lot of queries.

I mentioned it because we did test it, and thought it was great ... until it went on the real server with a real load. However, it may work fine for you with your load. Try it out on one server (I'm presuming you have at least two?) and see what happens. It may be that it's fixed; we didn't really follow up on the problem much (because we considered the experiment a failure).

___
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
Re: chroot'ed dns
On Wed, Apr 24, 2002 at 11:28:34PM +0100, Bill Crawford wrote:

> Could I please recommend (from having seen it attempted in commercial
> setting) NOT using djbdns? We saw a lot of problems with it including
> occasional fits where it would stop answering queries altogether.

Huh? First time I heard of such a claim with djbdns. Can you reproduce the problem? Did you report the problem or bug to the author? Observing that "djbdns stopped answering queries" without doing a proper analysis of the problem isn't fair.

-- 
Anand Buddhdev
Personal site: http://anand.org
Re: chroot'ed dns
On Wednesday 24 April 2002 06:43 pm, daniel wrote:

> > BIND named running as a non-root user should be secure enough for
> > any use as long as you are careful to disable remote access via rndc,
> > deny updates from all but trusted networks yada yada.
>
> how exactly do you prevent a single program like rndc from being run
> from a remote machine while allowing a remote login like ssh?

I was about to answer with something along the lines of "If a user logging in via ssh can get root access, you have bigger things to worry about." Then I thought better of it and decided to test this. I'm a little worried about the results:

    [mfratoni@paradox updates-7.2] $ ssh tuxfan
    [mfratoni@tuxfan mfratoni]$ id
    uid=500(mfratoni) gid=500(mfratoni) groups=500(mfratoni)
    [mfratoni@tuxfan mfratoni]$ /usr/sbin/rndc reload
    rndc: reload command successful

Hrmm, said I. Any user can reload zones? Surely that shouldn't be.

    [mfratoni@tuxfan mfratoni]$ /usr/sbin/rndc halt
    rndc: halt command successful

Non-privileged users can halt named as well? I wouldn't consider that a desirable feature. The man page seems to imply that only root _should_ be allowed to do this:

    DESCRIPTION
        This command allows the system administrator to control the
        operation of a name server.

Very odd. Hopefully, I've just missed something in the config files?

-- 
-Michael
pgp key: http://www.tuxfan.homeip.net:8080/gpgkey.txt
Red Hat Linux 7.2 in 8M of RAM: http://www.rule-project.org/
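The thread does not settle why uid 500 could halt named. The two things a practitioner would check first are (a) whether the shared rndc secret sits in a key file that every local user can read, since anyone holding the secret can sign rndc commands, and (b) whether the "controls" stanza in named.conf trusts a source address alone or listens beyond loopback. The audit script below is an added example, not part of Michael's message and not BIND's own tooling; the key-file path, the two sample controls stanzas and the secret it writes are constructed for the demonstration.

```python
"""Audit who can drive rndc on a BIND 9 host.

Added example; not from the thread and not BIND's own code. Assumption
(not established by the thread): rndc authenticates each command with a
shared HMAC secret kept in a key file, and the "controls" stanza in
named.conf decides which source addresses may connect and which keys
they must present. A world-readable secret gives every local user the
result shown above.
"""
import os
import re
import stat
import tempfile

# Constructed sample "controls" stanzas (not taken from any real named.conf).
WIDE_OPEN = """
controls {
    inet 0.0.0.0 port 953 allow { any; };
};
"""

LOCAL_KEYED = """
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# One "inet" control channel: address, optional port, allow list, optional keys.
INET_RE = re.compile(
    r"inet\s+(?P<addr>[\w.:*]+)(?:\s+port\s+\d+)?\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?",
    re.S,
)


def audit_controls(named_conf):
    """Return a finding string for each weak setting in the controls stanza."""
    findings = []
    for m in INET_RE.finditer(named_conf):
        addr = m.group("addr")
        allow = {a.strip() for a in m.group("allow").split(";") if a.strip()}
        keys = m.group("keys")
        if addr not in LOOPBACK:
            findings.append(f"control channel listens on {addr}, reachable from other hosts")
        if allow - LOOPBACK:
            findings.append(f"allow list admits non-loopback sources: {sorted(allow)}")
        if not keys or not keys.strip():
            findings.append("no keys clause: access is decided by source address alone")
    return findings


def key_file_exposed(path):
    """True if 'other' can read the key file.

    named itself usually needs the key too (named.conf often includes it),
    so a group read bit for named's group is tolerated; world-read is not:
    any ssh user could then sign "rndc halt" exactly as in the thread.
    """
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(named_conf, key_path):
    findings = audit_controls(named_conf)
    if key_file_exposed(key_path):
        findings.append(f"{key_path} is readable by every local user")
    return findings


def audit_demo():
    """Write a constructed key file, audit a weak setup, then a hardened one.

    Returns (findings_weak, findings_hardened).
    """
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "rndc.key")
        with open(key_path, "w") as f:  # constructed secret, not a real one
            f.write('key "rndc-key" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQ="; };\n')
        os.chmod(key_path, 0o644)  # world-readable: the weak setting
        weak = audit(WIDE_OPEN, key_path)
        os.chmod(key_path, 0o640)  # root and named's group only: the corrected setting
        hardened = audit(LOCAL_KEYED, key_path)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = audit_demo()
    print("weak setup:")
    for finding in weak:
        print("  -", finding)
    print("hardened setup:", hardened or "no findings")
```

Against a real host you would call audit() with the text of the live named.conf and the path of the key file the controls stanza refers to; where that file lives and what it is called is an assumption that varies by distribution, so check named.conf first rather than guessing.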
Re: chroot'ed dns
> BIND named running as a non-root user should be secure enough for any
> use as long as you are careful to disable remote access via rndc, deny
> updates from all but trusted networks yada yada.

How exactly do you prevent a single program like rndc from being run from a remote machine while allowing a remote login like ssh?
Re: chroot'ed dns
On Tue, 23 Apr 2002, David Talkington wrote:

> If you're concerned enough about BIND security to bother with this (and
> history suggests that you should be), save yourself all this hassle and
> headache and try djbdns: http://cr.yp.to/djbdns.html.

Could I please recommend (from having seen it attempted in commercial setting) NOT using djbdns? We saw a lot of problems with it including occasional fits where it would stop answering queries altogether.

BIND named running as a non-root user should be secure enough for any use as long as you are careful to disable remote access via rndc, deny updates from all but trusted networks yada yada.
RE: chroot'ed dns
David Talkington wrote:

> If you're concerned enough about BIND security to bother with this (and
> history suggests that you should be), save yourself all this hassle and
> headache and try djbdns: http://cr.yp.to/djbdns.html.

chroot'ing named was pretty easy; however, I did read through the djbdns tools site, or, well, read the first half and browsed the last half. I'm going to stick with named right now... It was a good read and when I have some time I might have to go there.
RE: chroot'ed dns (SOLVED)
Patrick Nelson wrote:

> Found a doc on chroot bind at the LDP. In the doc it states that one must
> deal with logging and gives a couple of examples on how
> (http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html#ss2.5). The main way
> they suggest says to use the -a switch in the /etc/sysconfig/syslog file
> like:
>
> SYSLOGD_OPTIONS="-m 0 -a /mejail/named/dev/log"
>
> I was just finishing the process when I started to think about it (oh
> boy). What does this do? The man page of syslogd says that it adds an
> additional socket that syslog has to listen to. Does this mean that the
> output to the syslog'er will go to the same /var/log logs? Maybe this is
> simply a matter of doing it and seeing. Just thought I'd make sure prior
> to putting my dns in jail...

Yes, the output does go to the regular log files. Followed the how-to and, aside from having to chown -R named:named the entire named chroot dir to get it working, it was pretty easy. Oh, did have to edit init.d/named because it checked to see if /etc/named.conf was there, which in my case I renamed to make sure that the right one was being loaded, so I just had it point to the new one.
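What the -a switch buys you is easier to show than to describe. A daemon logs by opening the Unix socket /dev/log; once chrooted, that path resolves relative to the jail, so unless something is listening at jail/dev/log the message is silently dropped, which is also why a second socket served by the same syslogd ends up in the same /var/log files. The script below is an added example, not from the HOWTO or from the thread: it stands in for syslogd and for the jailed daemon using two throwaway socket paths under a temporary directory, which are assumptions standing in for /dev/log and /mejail/named/dev/log, and it uses a minimal hand-written syslog(3) stand-in rather than the real libc call.

```python
"""Why a chrooted named needs its own /dev/log (the syslogd -a socket).

Added example, not part of the thread or the Chroot-BIND HOWTO. The two
socket paths below are assumptions standing in for the host's /dev/log and
for <jail>/dev/log; syslog_send() is a minimal stand-in for syslog(3),
which likewise fails silently when nothing listens on the socket.
"""
import os
import socket
import tempfile

LOG_DAEMON = 3  # syslog facility used by daemons such as named
LOG_INFO = 6    # syslog severity


def syslog_send(dev_log_path, tag, message, facility=LOG_DAEMON, severity=LOG_INFO):
    """Send one syslog datagram to the Unix socket at dev_log_path.

    Returns True if the kernel accepted the datagram, False if no socket is
    bound there: the silent failure a chrooted daemon hits without -a.
    """
    pri = facility * 8 + severity          # <PRI> is facility*8 + severity
    payload = f"<{pri}>{tag}: {message}".encode()
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(payload, dev_log_path)
        return True
    except OSError:                        # ENOENT, ECONNREFUSED, ...
        return False
    finally:
        s.close()


def listen(path):
    """Bind a datagram socket at path, as syslogd does for /dev/log and each -a path."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    s.settimeout(1)
    return s


def socket_demo():
    """Simulate the host /dev/log and a jail /dev/log in one listener process.

    Returns (delivered_without_extra_socket, delivered_with_extra_socket, text).
    """
    with tempfile.TemporaryDirectory() as root:
        host_log = os.path.join(root, "dev", "log")          # stands in for /dev/log
        jail_log = os.path.join(root, "jail", "dev", "log")  # stands in for <jail>/dev/log
        os.makedirs(os.path.dirname(host_log))
        os.makedirs(os.path.dirname(jail_log))

        host_sock = listen(host_log)
        # syslogd without -a: only the host socket exists. The jailed daemon's
        # syslog() opens "/dev/log", which under chroot is jail_log: nothing there.
        without = syslog_send(jail_log, "named", "starting BIND")

        # syslogd -a <jail>/dev/log: the same listener binds a second socket
        # inside the jail, so the message reaches it and the usual log files.
        jail_sock = listen(jail_log)
        with_extra = syslog_send(jail_log, "named", "starting BIND")
        text = jail_sock.recv(4096).decode()

        host_sock.close()
        jail_sock.close()
    return without, with_extra, text


if __name__ == "__main__":
    without, with_extra, text = socket_demo()
    print("without extra socket, delivered:", without)
    print("with extra socket, delivered:   ", with_extra)
    print("received:", text)
```

The point of running it as one process is that it mirrors syslogd: one daemon, two listening sockets, one set of log files. It also explains the chown step Patrick needed, since the jailed named must be able to traverse the jail's dev directory to reach the socket.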
Re: chroot'ed dns
Patrick Nelson wrote:

> SYSLOGD_OPTIONS="-m 0 -a /mejail/named/dev/log"
>
> I was just finishing the process when I started to think about it (oh boy).
> What does this do? The man page of syslogd says that it adds an additional
> socket that syslog has to listen to. Does this mean that the output to the
> syslog'er will go to the same /var/log logs? Maybe this is simply a matter
> of doing it and seeing. Just thought I'd make sure prior to putting my dns
> in jail...

If you're concerned enough about BIND security to bother with this (and history suggests that you should be), save yourself all this hassle and headache and try djbdns: http://cr.yp.to/djbdns.html.

-d

-- 
David Talkington
PGP key: http://www.prairienet.org/~dtalk/0xCA4C11AD.pgp