Subject: Re: problem getting BIND 9.3.1 to start
To: None <robert@kormar.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 08/04/2005 19:28:40
In message <CCEEKBJEKKLABGFGILIKGEKFDJAA.robert@kormar.net>, "Robert Cates" writes:
>Thanks Adrian, and Justin Newcomer!  I've got BIND up and running, in
>chroot.  But now I have a couple of follow-up questions:
>
>1. At the end of the build/install I saw the message suggesting running Bind
>in the chroot environment for security reasons.  Apparently you're setup
>this way, but would you recommend it, really, especially if the server's
>behind a firewall?
>

Yes, absolutely; the firewall is almost irrelevant. 

The biggest threat to bind -- of any version -- is bugs in its handling 
of DNS traffic.  More or less by definition, the firewall has to be 
configured to permit such traffic through to the name server, so it 
provides no protection.

There is one minor exception: attacks coming in on the omapi interface. 
A firewall could indeed shield that.  I still prefer to run it chrooted.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
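
[Added example; this is not part of the thread or of BIND.]  The
argument above is that the firewall cannot stop malformed DNS traffic
from reaching named, so the chroot is what limits the damage when such
traffic finds a bug.  That only holds if the jail itself is sparse.  The
script below checks a chroot directory for the things a compromised
named should not find there: set-id files, executables, world-writable
paths, plus the minimal skeleton it does need.  The layout it assumes
(etc/named.conf, dev/null, dev/random under the jail) and the default
path /var/chroot/named are assumptions for illustration, not taken from
the thread.

```sh
#!/bin/sh
# check_named_chroot.sh -- hygiene check for a BIND chroot directory.
# Added example, not from the thread.  Assumed jail layout:
#   $ROOT/etc/named.conf  $ROOT/dev/null  $ROOT/dev/random
# Rule of thumb implemented here: a compromised named should find
# nothing useful inside its jail -- no set-id files, no executables,
# nothing world-writable it can overwrite.

# Print one finding per line; print nothing if the jail looks clean.
chroot_findings() {
    root="$1"
    [ -d "$root" ] || { echo "NOROOT $root"; return; }

    # 1. Files named needs at startup, resolved relative to the jail.
    for p in etc/named.conf dev/null dev/random; do
        [ -e "$root/$p" ] || echo "MISSING $p"
    done

    # 2. Set-uid / set-gid files: a classic aid to breaking out.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s|^$root/|SETID |"

    # 3. World-writable files or directories: the daemon user could
    #    plant content that something privileged later reads.
    find "$root" \( -type f -o -type d \) -perm -002 2>/dev/null \
        | sed "s|^$root/|WORLDWRITABLE |"

    # 4. Executables: named is started outside the jail and enters it
    #    with -t, so nothing inside should need to run.
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        2>/dev/null | sed "s|^$root/|EXECUTABLE |"
}

# Number of findings; 0 means clean.
chroot_finding_count() {
    chroot_findings "$1" | wc -l
}

# Build a throwaway skeleton for trying the check without root
# (regular files stand in for the device nodes, which need root).
make_test_chroot() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/dev" "$d/var/run"
    : > "$d/etc/named.conf"
    : > "$d/dev/null"
    : > "$d/dev/random"
    echo "$d"
}

# Usage: sh check_named_chroot.sh [/var/chroot/named]
if [ $# -gt 0 ]; then
    chroot_findings "$1"
    if [ "$(chroot_finding_count "$1")" -eq 0 ]; then
        echo "clean: $1"
    fi
fi
```

Run it against the real jail directory once the daemon is set up, and
again after every package upgrade: upgrades are the usual way a shell or
a set-uid binary quietly ends up inside the chroot.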