BIND question

Discussions for news, announcements, and everything else Rollernet.

Postby mwdmeyer » Thu Jan 27, 2005 3:54 am

I've just set up BIND 9.2.4 on my FreeBSD box. The BIND service is currently running as root. Is that okay? I looked into running it in a "sandbox" (read the FreeBSD Handbook) but when I tried it I ended up with the old version running (version 8, that is, the one installed with the OS).

My main question is: is it a problem running BIND as root? What does the Roller Network do?

Thanks :)
mwdmeyer
Posts: 11
Joined: Fri Nov 19, 2004 5:00 pm
Location: Sydney, Australia

Postby RollerNetSupport » Fri Jan 28, 2005 12:53 am

Historically, BIND has had security issues which prompt installations as a non-root user. The BIND 9 series is a rewrite with much better security than its predecessors, but its reputation remains. That said, it's never a bad idea to run major services like DNS in a sandbox or jail to limit the impact of an exploited service. It's still possible for someone to break out of one, it's just a bit harder. Running as a non-root user but not creating a jail/sandbox is a quick fix that might only require some file permission changes (named -n).

Right now the Roller Network is running BIND as a non-root user, but not within a jail or sandbox. The daemon process that listens for updates also runs as the same user, and since it's Perl it has taint checking enabled. Since BIND has a reputation as being insecure, my feeling is that people will still try to exploit it, regardless of version. So it's probably a good idea to avoid running it as root.
Technical Support support@rollernet.us
Roller Network LLC
RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 11:05 pm
Location: Nevada
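The post above describes two separate steps: dropping root (a non-root user plus the right file permissions) and confining named in a chroot sandbox. The script below is an added example, not code from the thread or from Roller Network. It lays out the directory tree a BIND 9 chroot needs in the FreeBSD Handbook style (config under etc/namedb inside the sandbox root), writes a constructed minimal named.conf and zone, sets the permissions so that named can read its config and master zones but only write where it must (pid file, slave zones), and then checks those permissions the way you would before starting the daemon. The user name "bind", the sandbox root /etc/namedb, and the zone example.com are assumptions; device nodes (dev/null, dev/random) still have to be created with mknod as root.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed: named runs as
# user "bind"; the sandbox root is passed as $1; the config lives at
# etc/namedb/named.conf inside the sandbox (FreeBSD Handbook layout).

NAMED_USER=${NAMED_USER:-bind}

# Create the sandbox directory tree and constructed config/zone files.
# Device nodes under dev/ are not created here (needs mknod as root).
make_sandbox() {
    root=$1
    for d in etc/namedb/master etc/namedb/slave dev var/run; do
        mkdir -p "$root/$d" || return 1
    done
    # Constructed minimal config: paths are relative to the chroot, not
    # the host; listen on loopback only and do not recurse.
    cat > "$root/etc/namedb/named.conf" <<'EOF'
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    listen-on { 127.0.0.1; };
    recursion no;
};
zone "example.com" { type master; file "master/example.com.db"; };
EOF
    # Constructed zone so the layout is complete (hypothetical data).
    cat > "$root/etc/namedb/master/example.com.db" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (2005012801 3600 900 604800 3600)
    IN NS  ns1.example.com.
ns1 IN A   127.0.0.1
EOF
    # Config and master zones: readable, not writable by the named user.
    chmod 0644 "$root/etc/namedb/named.conf" "$root/etc/namedb/master/example.com.db"
    chmod 0755 "$root/etc/namedb/master"
    # Only the pid dir and slave/ (zone transfers) need to be writable
    # by group bind; chown to root:bind would be done here as root.
    chmod 0775 "$root/etc/namedb/slave" "$root/var/run"
}

# Report permission problems in sandbox $1. Returns 1 if any, 0 if clean.
check_sandbox() {
    root=$1
    rc=0
    # Files named only reads must not be group- or world-writable: an
    # exploited named that can rewrite its own config owns the next start.
    for f in etc/namedb/named.conf etc/namedb/master; do
        if [ -n "$(find "$root/$f" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "$f: writable by group or other"
            rc=1
        fi
    done
    # A setuid binary inside the chroot is a classic breakout aid.
    if [ -n "$(find "$root" -type f -perm -4000 2>/dev/null)" ]; then
        echo "setuid file inside sandbox"
        rc=1
    fi
    return $rc
}

# The command line that drops to the unprivileged user (-u) and chroots
# (-t) before reading the config (-c, a path inside the chroot).
named_command() {
    echo "named -u $NAMED_USER -t $1 -c /etc/namedb/named.conf"
}

# Stand-alone usage: build a sandbox in a scratch dir and check it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sandbox "$tmp"
    check_sandbox "$tmp" && echo "sandbox permissions look fine"
    named_command /etc/namedb
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the check pass on a fresh layout; loosen named.conf with chmod 666 inside the scratch directory and the check reports it. Note that -u makes named give up root only after binding port 53, so the socket is still opened by root, which is why the config and zone files should be owned by root rather than by the bind user.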

Postby mwdmeyer » Fri Jan 28, 2005 4:21 am

Thanks for the reply. You know what you're talking about :)

After a bit of reading I got BIND working in a sandbox.

I used the information here:
http://www.freebsd.org/doc/en_US.ISO885 ... ED-SANDBOX

I needed to modify it a bit as I compiled my own version of BIND 9 (and didn't use the version installed with FreeBSD).

So hopefully it should be all happy now.

If only I had a static IP address, then I really could host my own DNS :p

