Re: [Hampshire] DNS servers in DMZ's, good or bad idea ? Dis…

Author: Brian Chivers
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] DNS servers in DMZ's, good or bad idea ? Discuss
Graham Bleach wrote:
> On 05/02/2008, Brian Chivers <brian@???> wrote:
>> I have been "tasked" with replacing our main internet facing DNS server and have been looking into
>> the various options such as chroot environments. I'd planned on using a base install of Etch as the OS
>> platform.
>>
>> Chroots seem like a really good idea but one thing I thought that I could do to increase security
>> is to run it in our DMZ. I can have multiple external IP addresses on our firewall so this isn't
>> a problem and then just port forward port 53.
>
> Chroots are a good idea and are extremely easy to use with recent BIND versions.
>
>> Am I missing something, would this work and does anyone have any advice about this ??
>
> I wouldn't offer any advice without knowing what else was in the DMZ
> and if it is a nameserver for your domains or a resolver for your
> client machines.
>
> G
>


Thanks guys, lots to think about.

Our DMZ only has a few webservers & our mail server, but thinking about it, the mail server is the
important one.

Thinking about it, I could put two netcards in the box and have one connected to the DMZ so I have
ssh access to the box, and then one on the internet-facing side with only BIND bound on (I think this
is possible) to limit exposure.

Lots to think about.
Brian

------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily the views of Portsmouth College
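A way to verify the two-NIC layout Brian describes (BIND listening only on the internet-facing address, ssh only on the DMZ address), as an added example that is not part of the original thread: a POSIX shell function that audits `ss -lntup` output. The addresses 203.0.113.10 (external) and 10.0.0.5 (DMZ) and the sample `ss` lines are constructed for the example.

```shell
#!/bin/sh
# Added example: audit listening sockets against the two-NIC plan.
# Rule: port 53 may only be bound to the internet-facing address; every other
# listener (sshd etc.) must be bound to the DMZ address only, never wildcard.
# Input on stdin: output of `ss -lntup` (header line optional).
# Prints one VIOLATION line per offending socket; exit status 1 if any.
audit_listeners() {
    awk -v ext="$1" -v dmz="$2" '
    $1 == "Netid" { next }                  # skip the ss header line
    {
        n = split($5, a, ":"); port = a[n]  # "Local Address:Port" -> port
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = ($7 != "") ? $7 : "(no process info)"
        if (port == "53") {
            if (addr != ext) { print "VIOLATION: DNS listener " $5 " not on external address " ext " " proc; bad = 1 }
        } else if (addr != dmz) {
            print "VIOLATION: non-DNS listener " $5 " reachable outside DMZ NIC " proc; bad = 1
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample (not real ss output): named correctly bound to the
# external address, sshd bound once to the DMZ address and once to 0.0.0.0.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      203.0.113.10:53    0.0.0.0:*         users:(("named",pid=1234,fd=20))
tcp   LISTEN 0      10     203.0.113.10:53    0.0.0.0:*         users:(("named",pid=1234,fd=21))
tcp   LISTEN 0      128    10.0.0.5:22        0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=4))'

# On the real host: ss -lntup | audit_listeners 203.0.113.10 10.0.0.5
printf '%s\n' "$SAMPLE_SS" | audit_listeners 203.0.113.10 10.0.0.5 || echo "audit failed: check BIND listen-on and sshd ListenAddress"
```

The wildcard sshd socket in the sample is the case the plan is meant to rule out; on the real box it is fixed with `listen-on` in named.conf and `ListenAddress` in sshd_config.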