Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm wondering exactly how secure dns is. Someone once told me: "Yea well, unfortunately dns is inherently insecure by design". I would like to know why this is, if anyone can help me.
Also, I now have to choose between setting up djbdns and bind. I already know how the bind configs work (and I don't like it all that much, but I guess that is just the way it is).
I saw some of the new configuration options - decided it's more familiar, and seemingly they implemented a few new security features. Hope they are good. And if not, I've set up a cron job to run apt-get update/upgrade once a day so it'll patch as soon as security patches are released (which they usually are within a day or two).
I'm not sure how you would apply patches, but I always prefer a clean install (it's not much slower anyway). I think that all bind 9+ versions aren't really exploitable, and if they are, they work as non-root.
I've gone with BIND. After reading both in depth and seeing what exactly djbdns does... I decided to go with BIND instead.
I've set up two BIND 9 servers; one is referred to as the primary, but only in the sense that it's the only machine I have to touch when I do any sort of dns change or update.
I made my own backend ssh secure mirroring setup with zone files and zone records between the primary and secondary. I didn't like the way bind handled zone transfers AT ALL ... and with my firewall setup, it was being pissy as well.
Right now, I have two fully running dns machines for all domains we own and client authority. And they are working quite well!
One is on a YDL2.1 OS, and the other is RH73. Both are the exact same BIND version as well.
With some scripts I have, and dynamic zone creation I do ... BIND seemed MUCH easier to control in the backend than that 'thing' djbdns. djbdns doesn't seem to follow any standards I can see. Even making up zone entries looks overly complex for what it truly is. And the many command line utilities and many other pieces of 'the guy's software' you gotta install as well... guh. I decided to go with the all-in-one install of BIND.
As a security precaution, I even have both BIND servers running chrooted into a secured folder only the user has access to.
Well, just as an aside, 'the guy's software' is some of the best, most stable I've seen in some time. Take qmail for instance, ucspi-tcp, daemontools. I use them all, the whole time. So just be careful - it may just be his dns server that is not very good.
What did you mean by "I didn't like the way bind handled zone transfers AT ALL ... and with my firewall setup, it was being pissy as well"?
As you seem to know bind quite well, I have a question for you:
How can I set up a DDNS?
I'm talking about configuring named.conf and finding a SIMPLE
DDNS client!
I'll give a few details:
_ I have a Red Hat 7.3 with bind 9
_ I have a DNS accessible on the net
_ I want a remote client = an apache server (using DHCP for network configuration) with a public IP to make updates on my DNS
I've already tried to use "dhis" solutions (if you don't know: www.dhis.org); it seems to me it was impossible to run with bind 9....
In addition, I don't want a program that would be installed on the DHCP server (I have no access to this DHCP server).
I don't want to use dyndns or something like that!
Do I understand you correctly when I state you would like to have some kind of dynamic DNS, but you do not want to install a special program on the dns server?
If you were willing to do that, it probably would have been a simple job of finding a program that'll take messages from client machines when they boot up (these would send a message to the DNS server just after they received their ip from the DHCP server, stating their dns name and their ip), which will then update the config files for bind and restart bind (well, reload at least). I'm not aware of any such packages though.
If DHCP is configured on MAC addresses though you can be sure that the same machine will *always* receive the same ip. And then there will probably be no need for DDNS. But somehow I get the feeling this is not the case ...
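The client-side half of the scheme discussed in the question and reply above, as an added example that is not code from any poster in this thread: BIND 9 accepts RFC 2136 dynamic updates through its own nsupdate tool, so the client only needs to send a TSIG-signed update after each DHCP lease, and the server needs a zone stanza that restricts updates to that key. The zone name, key file path and the DDNS_SERVER/DDNS_KEYFILE variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: a minimal DDNS
# client for BIND 9 built on nsupdate (RFC 2136 dynamic update), signed
# with a TSIG key. Assumed values: zone example.com and the key file
# /etc/ddns/Kddns.+157+12345.private (a hypothetical path; generate a
# real one with dnssec-keygen). The server's named.conf needs a matching
# key "ddns" { ... } statement and a zone stanza that restricts updates:
#   allow-update { key "ddns"; };
# rather than the weak  allow-update { any; };  which lets any host on
# the net rewrite the zone.
DDNS_KEYFILE=${DDNS_KEYFILE:-/etc/ddns/Kddns.+157+12345.private}

# Accept only a syntactically valid dotted-quad IPv4 address, so a botched
# DHCP lease never gets published into the zone.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (
        IFS=.
        set -- $1
        for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done
    )
}

# Emit the nsupdate script: delete every old A record for the host and add
# the new one in a single transaction, so no stale address lingers.
build_update() {
    host=$1; zone=$2; ip=$3; ttl=${4:-300}
    printf 'zone %s\n' "$zone"
    printf 'update delete %s.%s A\n' "$host" "$zone"
    printf 'update add %s.%s %s A %s\n' "$host" "$zone" "$ttl" "$ip"
    printf 'send\n'
}

# Send the signed update. nsupdate locates the primary from the zone's SOA
# unless DDNS_SERVER names it. Call this from the client's DHCP exit hook
# (e.g. /etc/dhclient-exit-hooks) after every new lease.
ddns_update() {
    host=$1; zone=$2; ip=$3
    valid_ipv4 "$ip" || { echo "refusing to publish bad address: $ip" >&2; return 2; }
    {
        [ -n "$DDNS_SERVER" ] && printf 'server %s\n' "$DDNS_SERVER"
        build_update "$host" "$zone" "$ip"
    } | nsupdate -k "$DDNS_KEYFILE"
}

# Usage: ddns_update www example.com 203.0.113.7
```

Because the update is signed, the server side needs no extra daemon and no config-file rewriting or reload: named applies the change to its journal itself.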