
[cobalt-users] Re: BIND and DNS Question



In cobalt-users digest, Vol 1 #2105, Jonathan Nichols replied to me:
>A suggestion (for most of you this might be considered perverted - I
>know :^) would be to use two of the cheapest Mac G4's with a
>marathon rackmount kit, and use them as dns servers. There are very
>few known hacks for Mac DNS servers...


I agree. I've been using QuickDNS Pro on a Quadra 660AV (with a
Quadra 840av for secondary) for well over a year now and have never
had any problems.

A friend of mine switched to using Macs for DNS after having his IRIX boxen hacked through DNS.

A G4 would be overkill for DNS. You can pick up a beige G3/266 fairly
cheap these days. :)

I suggested the G4 because it's available in a retail outlet, and because it's much cheaper to rackmount than any of the beige Macs. The G4 basically needs only some ears that replace the "carrying handles". A 1U irack (based on the iMac logic board) would be perfect for this job.

I love the RaQ units, but I tend to think that it's a bad thing to
put all your eggs in one basket. Redundancy is a good thing. :)

Agreed.

As a side note, one soul on the list mentioned that Dantz was in the process of bringing out Retrospect clients for Linux. If/when they become available, you might be able to use the DNS server as a backup server. One should check whether QuickDNS would still be able to respond while Retrospect was running before setting that up on the production servers, though.

On the philosophical side, I've noticed a lot of people around being hacked through the BIND hack. I've also noticed that some of you are running a fairly large number of sites (someone mentioned 8 RaQs in total = 1200-1600 sites?). If that were the case with me, I'd certainly consider a firewall, and by that I don't mean running ipchains and the like on the server itself; ipchains/logcheck/portsentry should be the second line of defense.

While BIND and other services are vulnerable to attacks even behind a firewall, an attacker will be hampered if he can't telnet/ssh to the machine. Also, a firewall (with a separate log host) could provide you with a log trace that the hacker wouldn't be able to get at.

These days I see so many probes on the network perimeter that I'm very glad we do have a firewall; otherwise I wouldn't be able to do much else than read bugtraq et al. and patch up systems as exploits become available. Now I only need to patch the services we provide to the outside.

Sorry for being long-winded - I have to get some work done now :^)

Johan-Kr
--
Johan-Kristian Wold, M.Sc.     |
Computer systems administrator | Recursive: Adj. See recursive.
Nor-Trykk Narvik AS            |
jkwold@xxxxxxxxxxx             |                            SAM007HM02
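As an added example (not part of the post above or of anything the list members posted), here is the kind of perimeter ipchains ruleset the message argues for: a separate filtering box that exposes only DNS on the one host behind it, allows ssh solely from an administrative network, never opens telnet, and logs and drops everything else so the trace lives on the firewall rather than on the DNS server. The addresses, the interface name and the RECURSIVE switch are assumptions made for the example, not the author's network.

```shell
#!/bin/sh
# Added example, not from the original post: an ipchains ruleset for a
# perimeter firewall in front of a single DNS server.  All addresses and
# the interface name below are assumed placeholders.
DNS_HOST="192.0.2.53"        # assumed: the DNS server behind the firewall
ADMIN_NET="198.51.100.0/24"  # assumed: the only network allowed to ssh in
EXT_IF="eth0"                # assumed: the outside interface of the firewall

# DRY_RUN=1 (the default) prints each rule instead of executing it, so the
# ruleset can be reviewed first.  Run with DRY_RUN=0 as root to apply it.
DRY_RUN="${DRY_RUN:-1}"
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

build_rules() {
    # Flush the input chain and default-deny: anything not explicitly
    # accepted below is dropped by policy.
    fw -F input
    fw -P input DENY

    # First line of defence: the only service the outside may reach is
    # DNS on the one host that provides it.  Both UDP and TCP port 53
    # are needed (TCP for zone transfers and for answers over 512 bytes).
    fw -A input -i "$EXT_IF" -p udp -d "$DNS_HOST" 53 -j ACCEPT
    fw -A input -i "$EXT_IF" -p tcp -d "$DNS_HOST" 53 -j ACCEPT

    # Administration is not a public service: ssh only from the admin
    # network, and no rule at all for telnet (23), so it stays denied.
    fw -A input -i "$EXT_IF" -p tcp -s "$ADMIN_NET" -d "$DNS_HOST" 22 -j ACCEPT

    # ipchains is stateless.  If the server also recurses for clients, the
    # replies to its own outbound queries must be let back in: UDP from
    # remote port 53 to an unprivileged port, and non-SYN (! -y) TCP.  An
    # authoritative-only server should leave RECURSIVE at 0.
    if [ "${RECURSIVE:-0}" = 1 ]; then
        fw -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$DNS_HOST" 1024:65535 -j ACCEPT
        fw -A input -i "$EXT_IF" -p tcp ! -y -s 0/0 53 -d "$DNS_HOST" 1024:65535 -j ACCEPT
    fi

    # Deny and log (-l) everything else.  These log lines are written on
    # the firewall, which an attacker who only has code execution inside
    # BIND on the DNS host cannot reach or alter.
    fw -A input -i "$EXT_IF" -j DENY -l
}

build_rules
```

The ordering matters: ipchains evaluates a chain top to bottom and the final `-j DENY -l` rule catches only what the ACCEPT rules above it did not match, so new services must be added above it. Point the firewall's syslog at a separate log host as the post suggests; that part is a syslogd configuration, not an ipchains rule, and is not shown here.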