[CentOS] bind vs. bind-chroot

Wed Apr 12 22:18:59 UTC 2017
John R Pierce <pierce at hogranch.com>

On 4/12/2017 3:11 PM, Nicolas Kovacs wrote:
> On my public servers, I usually run BIND for DNS. I see CentOS offers a
> preconfigured (sort of) bind-chroot package. I wonder what's the
> effective benefit of this vs. a "normal" BIND setup without chroot. On
> my Slackware servers, I have a rather Keep-It-Simple approach to all
> things security, e. g. run no unneed services, open only needed ports
> etc. but I don't run the extra mile (and haven't been bitten so far).
> Any suggestions? (No flamefest please.)

bind went through a rocky stage where there were a LOT of security holes 
in it.  by running it in a chroot, you limit its ability to be used as a 
hacking point of entry.    recent versions of bind (basicially, 9 and 
newer) are much more secure, so this is less of a concern.

john r pierce, recycling bits in santa cruz