BIND question

mwdmeyer
Posts: 11
Joined: Fri Nov 19, 2004 4:00 pm
Location: Sydney, Australia
Contact:

BIND question

Post by mwdmeyer »

I've just set up BIND 9.2.4 on my FreeBSD box. The BIND service is currently running as root. Is that okay? I looked into running it in a "sandbox" (read the FreeBSD handbook) but when I tried it I ended up with the old version running (version 8, that is, the one installed with the OS).

My main question is: is it a problem running BIND as root? What does the Roller Network do?

Thanks :)
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

Historically, BIND has had security issues which prompt installations as a non-root user. The BIND 9 series is a rewrite with much better security than its predecessors, but its reputation remains. That said, it's never a bad idea to run major services like DNS in a sandbox or jail to limit the impact of an exploited service. It's still possible for someone to break out of one, it's just a bit harder. Running as a non-root user but not creating a jail/sandbox is a quick fix that might only require some file permission changes (named -n).

Right now the Roller Network is running BIND as a non-root user, but not within a jail or sandbox. The daemon process that listens for updates also runs as the same user, and since it's Perl it has taint checking enabled. Since BIND has a reputation as being insecure, my feeling is that people will still try to exploit it, regardless of version. So it's probably a good idea to avoid running it as root.
Technical Support support@rollernet.us
Roller Network LLC
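A quick way to verify the two points raised above (is named running as root, and was it started chrooted) is to audit the process list. The script below is an added example, not something posted in this thread or shipped with BIND or FreeBSD; it assumes `ps -axo user,args` style input and that the daemon was started with BIND 9's `-u` (switch user) and `-t` (chroot) options, which is what FreeBSD's rc script passes when `named_chrootdir` is set. The sample process lines are constructed.

```shell
#!/bin/sh
# audit_named: read "USER ARGS..." lines (as from: ps -axo user,args) on
# stdin, print one assessment line per named process, and exit 1 if any
# named instance is running as root.
audit_named() {
    awk '
        # Match a command whose executable is named (any path prefix).
        $2 ~ /(^|\/)named$/ {
            user = $1; chroot = "no"; dropuser = "no"
            # Scan the arguments for -u (drop privileges) and -t (chroot).
            for (i = 3; i <= NF; i++) {
                if ($i == "-t") chroot = "yes"
                if ($i == "-u") dropuser = "yes"
            }
            status = (user == "root") ? "BAD" : "ok"
            if (user == "root") bad = 1
            printf "%s user=%s drop_privs=%s chroot=%s\n", \
                   status, user, dropuser, chroot
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of ps output (not captured from a real host):
# one root-run named, one chrooted named, one unrelated daemon.
SAMPLE_PS='USER ARGS
root /usr/sbin/named -c /etc/namedb/named.conf
bind /usr/local/sbin/named -u bind -t /var/named -c /etc/namedb/named.conf
root /usr/sbin/sshd'

# Run the audit over the constructed sample; exit status 1 means a
# root-owned named was found. On a live box use:
#   ps -axo user,args | audit_named
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | audit_named
}
```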
mwdmeyer
Posts: 11
Joined: Fri Nov 19, 2004 4:00 pm
Location: Sydney, Australia
Contact:

Post by mwdmeyer »

Thanks for the reply. You know what you're talking about :)

After a bit of reading I got bind working in a sandbox.

I used the information here:
http://www.freebsd.org/doc/en_US.ISO885 ... ED-SANDBOX

I needed to modify it a bit as I compiled my own version of bind 9 (and didn't use the installed version with freebsd).

So hopefully it should be all happy now.

If only I had a static IP address, then I really could host my own DNS :p