[ale] Masquerading and DNS

Transam transam at cavu.com
Wed Oct 3 15:38:30 EDT 2001


> I would setup named as a caching name server only.  Then you can use dig to
> update the database of upstream servers every day.  You never use the ISP's
> DNS server.  The caching may speed things up a bit as well

If you use DNS on your firewall then be sure to use named's -u and -g flags
to cause it to switch to another user than root once it opens ports 53
(UDP and TCP).  You also might want to set up your IP Chains/Tables rules
to allow 53 through your external interface ONLY to your ISP's name servers.

This will reduce the likelihood of a cracker being able to attack and
minimize the consequences if he does.  Create a separate user and group,
e.g. "named", to use.  Don't use "apache" or "nobody" as these should be
used only for Apache and NFS, respectively.

Named is one of the likeliest vulnerabilities of Linux.  Be sure yours
is up-to-date, of course.

I deliberately do not run a caching name server on my systems to avoid this
whole headache.

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
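The port-53 restriction and dedicated account described above, as an added example that is not Bob's code: a small shell script that prints the iptables rules (assumed instead of ipchains) so they can be reviewed before being applied; the interface name and resolver addresses are constructed placeholders. Note that the -g group flag is a BIND 8 option; BIND 9 takes only -u and uses the account's group, and its -g means run in the foreground.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables rules that let
# port 53 cross the external interface only to/from the ISP's resolvers.
# The interface name and resolver addresses below are constructed placeholders.
EXT_IF="eth0"
ISP_DNS="192.0.2.53 192.0.2.54"

# Print the rules instead of running them, so they can be reviewed first
# (pipe the output into sh as root once they look right).
dns_rules() {
    ns_list="$1"
    ext_if="$2"
    for ns in $ns_list; do
        for proto in udp tcp; do
            # our queries out to the ISP, and the ISP's answers back in
            echo "iptables -A OUTPUT -o $ext_if -p $proto -d $ns --dport 53 -j ACCEPT"
            echo "iptables -A INPUT  -i $ext_if -p $proto -s $ns --sport 53 -j ACCEPT"
        done
    done
    # Fail closed: any other DNS traffic on the external interface is dropped,
    # so a hijacked named can neither answer outsiders nor reach arbitrary hosts.
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -o $ext_if -p $proto --dport 53 -j DROP"
        echo "iptables -A INPUT  -i $ext_if -p $proto --dport 53 -j DROP"
    done
}

# Dedicated unprivileged account for named, printed for the same reason.
# BIND 8 drops privileges with "named -u named -g named"; BIND 9 takes only
# -u and derives the group from the account (its -g means run in foreground).
named_account() {
    echo "groupadd -r named"
    echo "useradd -r -g named -d /var/named -s /sbin/nologin named"
}

dns_rules "$ISP_DNS" "$EXT_IF"
named_account
```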
