09 Jun 2002 09:40:41 +0200
Sat, 2002-06-08 at 11:58, Nick Drage wrote:
> > It depends what you want to do with it. And what DNS software you're
> > running. I.e., if it's BIND, you can do more with BIND 9 than you can
> > with BIND 8, more with BIND 8 than with BIND 4.
> > Many security people might say that if you're running BIND 4 or 8, then
> > you shouldn't be. Some of them again might say that you should be
> > running BIND 9.2.
> I believe that the latest BIND 8.something is still OK, and version 8 is
> being maintained as far as security patches go.
Yes, but as I wrote: You can do more with BIND 9 than with BIND 8.
> As for the rest of the thread, you're best restricting that kind of access
> using named.conf as the problem is at layer 7 - the BIND application, not
> layer 3 - where netfilter mostly lives.
Again yes, but if you have a blanket DROP policy, you're going to have
to open up ports, aren't you? The question is, what ports and for which
protocols and using what policies and what tools that iptables places at
Have a look at hping2 (and most probably other tools and craftsmanship,
but hping2 is my favorite of all favorites) and see what nasty things
you can do with it, if you want to, and then have a look at what you can
drop with Netfilter, that BIND simply isn't capable of.
gpg public key: http://www.billy.demon.nl/tonni.armor
Phone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
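As an added example that is not part of this thread: a blanket-DROP netfilter ruleset for a host running BIND, opening only what DNS needs and discarding the crafted packets the reply above alludes to, beside the named.conf ACL that expresses the one restriction netfilter cannot. The addresses 192.0.2.53 (name server) and 198.51.100.2 (its secondary) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal netfilter ruleset for a
# host running BIND 9 with a blanket DROP policy, plus the named.conf
# counterpart for the restriction that only layer 7 can express.
# Assumed values (constructed): the server listens on 192.0.2.53 and its
# only secondary is 198.51.100.2. Set IPT=echo to dry-run without root.
IPT="${IPT:-iptables}"
NS_IP="${NS_IP:-192.0.2.53}"
SECONDARY="${SECONDARY:-198.51.100.2}"

dns_firewall() {
    # Layer 3/4: nothing reaches named unless a rule below admits it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to the server's own outbound traffic (notifies, transfers).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Crafted packets of the hping2 kind that BIND never gets to parse:
    # non-first fragments and impossible TCP flag combinations.
    $IPT -A INPUT -f -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # Queries: UDP 53 from anywhere; TCP 53 too, because truncated answers
    # and zone transfers both use it, with a cap on new connections.
    $IPT -A INPUT -p udp -d "$NS_IP" --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp -d "$NS_IP" --dport 53 -m state --state NEW \
        -m limit --limit 20/s --limit-burst 50 -j ACCEPT
    # Everything else falls through to the DROP policy.
}

# Layer 7: netfilter cannot tell an AXFR from a truncated-query retry
# (both are TCP/53), so the transfer restriction lives in named.conf.
named_acl() {
    cat <<EOF
acl secondaries { $SECONDARY; };
options {
    listen-on { $NS_IP; };
    allow-query { any; };
    allow-transfer { secondaries; };
    allow-recursion { none; };
};
EOF
}
```

Run `dns_firewall` as root to apply the rules, `IPT=echo dns_firewall` to preview them, and `named_acl` to print the matching options block for named.conf.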