Securing-Optimizing-RH-Linux-1_2_236
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
  status)
        /usr/sbin/ndc status
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        /usr/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac
exit $RETVAL
Now, make this script executable and change its default permission:
[root@deep]# chmod 700 /etc/rc.d/init.d/named
Create the symbolic rc.d links for BIND/DNS with the command:
[root@deep]# chkconfig --add named
The BIND/DNS script will not start the named daemon automatically when you reboot the server. You
can change this default by executing the following command:
[root@deep]# chkconfig --level 345 named on
Start your DNS Server manually with the following command:
[root@deep]# /etc/rc.d/init.d/named start
Starting named: [ OK ]
Securing BIND/DNS
Running BIND/DNS in a chroot jail
This part focuses on preventing BIND/DNS from being used as a point of break-in to the system
hosting it. Since BIND/DNS performs a relatively large and complex function, the potential for
bugs that affect security is rather high in this software. In fact, there have been exploitable bugs
in the past that allowed a remote attacker to obtain root access to hosts running BIND/DNS.
To minimize this risk, BIND/DNS can be run as a non-root user, which will limit any damage to
what can be done as a normal user with a local shell. Of course, this is not enough for the
security requirements of most DNS servers, so an additional step can be taken - that is, running
BIND in a chroot jail.
The main benefit of a chroot jail is that the jail limits the portion of the file system the DNS
daemon can see to the root directory of the jail. Additionally, since the jail only needs to
support DNS, the programs related to BIND/DNS available in the jail can be extremely limited.
Most importantly, there is no need for setuid-root programs, which can be used to gain root
access and break out of the jail.
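The two properties the paragraph above relies on (no setuid/setgid programs inside the jail, and as few executables as possible) are easy to verify once the jail is built. The following script is an added example, not part of the book or of BIND itself; the jail path, the function names and the small constructed jail it builds for its own demonstration are all assumptions, so point it at the directory you actually use as the chroot root.

```sh
#!/bin/sh
# Added example (not from the book): audit a BIND chroot directory.
# It flags every setuid/setgid file under the jail (a setuid-root binary is
# the classic way out of a chroot) and lists the executables present so the
# administrator can confirm that only what named needs is there.
# Assumed usage: sh audit_jail.sh /path/to/named/jail

# Print the setuid/setgid files found under the jail, one per line.
# Every setuid/setgid file is reported regardless of owner; in a real jail
# the dangerous case is the root-owned one, but none should be needed at all.
find_suid_in_jail() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Return 0 if the jail contains no setuid/setgid files, 1 otherwise.
jail_is_clean() {
    [ -z "$(find_suid_in_jail "$1")" ]
}

# Print the executable regular files under the jail, sorted.
list_jail_executables() {
    find "$1" -xdev -type f -perm -100 2>/dev/null | sort
}

# Count the executables under the jail (trailing/leading blanks stripped so
# the value compares as a plain integer on any wc implementation).
count_jail_executables() {
    list_jail_executables "$1" | wc -l | tr -d ' '
}

# Build a small constructed jail in a temp directory to demonstrate the
# checks. Paths and files are made up for the demo only.
make_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/etc"
    : > "$d/usr/sbin/named";      chmod 755 "$d/usr/sbin/named"
    : > "$d/etc/named.conf";      chmod 644 "$d/etc/named.conf"
    # A stray setuid copy of a program: exactly what the audit should flag.
    : > "$d/usr/sbin/stray";      chmod 4755 "$d/usr/sbin/stray"
    echo "$d"
}

# When run with a jail path, report on that jail.
if [ "$#" -eq 1 ]; then
    if jail_is_clean "$1"; then
        echo "OK: no setuid/setgid files under $1"
    else
        echo "WARNING: setuid/setgid files under $1:"
        find_suid_in_jail "$1"
    fi
    echo "Executables present under $1:"
    list_jail_executables "$1"
fi
```

Run it after populating the jail and again after any package upgrade that touches the files you copied in; a non-empty warning list means something with the setuid or setgid bit has crept into the jail and should be removed or have the bit cleared with chmod.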