
solution: running DNS as non-root

Well, having spawned that internecine war last week, I thought I'd follow up
with some actually useful information.

As some of you may be aware, I'm using bind 8.1.1 principally due to its
ability to do selective binding. Plus I like the flexibility of the
configuration file. Anyhow, since binding to low ports is not possible
unless one is root, and hacking the kernel to turn off this special check
was deemed foolhardy at best, the solution is to put the DNS at a high
port. With a little magic in /etc/ipnat.rules one simply redirects
the incoming connections at the standard port to the unofficial one. Presto!

I did this for the 'external' half of my split-dns. I'm debating whether I
want to do the same for the internal side. Any thoughts?

In due time I will probably offload ALL services from my firewall (it only
does DNS at this point). If I were to move both halves to a DMZ host, though,
there is no way for me to write sane ipfilter rules or, for that matter, to
control which half gets to bind to the interface. I suspect it will
distill to the point that the external half will reside on the firewall and
the internal side on the DMZ.

Now if only those blokes in our illustrious 5 sided crazy house (pentagon)
bothered to put this much thought into their networks...

--------
"I've always thought we could solve a lot of problems if we didn't let
managers read PC magazines." - Corporate Software & Technology's Mickey
McIntire
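
The port-53-to-high-port redirect described in the post, written out as an added example (this is not the poster's actual configuration). The interface name le0, the address 192.0.2.1, the port 5353 and the named directory are assumed; substitute your own. The two pieces are the IPFilter ipnat rdr rules and the matching BIND 8 listen-on option:

```text
# /etc/ipnat.rules -- added example, assumed interface/address/port
#
# Redirect traffic arriving on the external interface at port 53 to the
# unprivileged port named actually listens on. DNS uses both UDP (ordinary
# queries) and TCP (zone transfers, answers too large for UDP), so one
# rdr line per protocol is needed; ipnat handles the reverse mapping for
# the replies itself.
rdr le0 192.0.2.1/32 port 53 -> 192.0.2.1 port 5353 udp
rdr le0 192.0.2.1/32 port 53 -> 192.0.2.1 port 5353 tcp

# named.conf (BIND 8) -- make named listen only on the high port, so it
# never needs the privilege that port 53 would require
options {
    directory "/var/named";
    listen-on port 5353 { 192.0.2.1; };
};
```

Load the rules with `ipnat -CF -f /etc/ipnat.rules` and check them with `ipnat -l`; a query from outside with `dig @192.0.2.1 example.com` should then be answered by named on 5353. One caveat when writing the accompanying ipf rules: IPFilter applies NAT to inbound packets before filtering them, so the pass rule for the external interface has to allow port 5353, not 53, or the redirected queries will be dropped.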