[CentOS] bind vs. bind-chroot

Thu Apr 13 02:27:01 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/12/2017 06:18 PM, John R Pierce wrote:
> On 4/12/2017 3:11 PM, Nicolas Kovacs wrote:
>> On my public servers, I usually run BIND for DNS. I see CentOS offers a
>> preconfigured (sort of) bind-chroot package. I wonder what's the
>> effective benefit of this vs. a "normal" BIND setup without chroot. On
>> my Slackware servers, I have a rather Keep-It-Simple approach to all
>> things security, e.g. run no unneeded services, open only needed ports
>> etc. but I don't run the extra mile (and haven't been bitten so far).
>>
>> Any suggestions? (No flamefest please.)
>
>
> bind went through a rocky stage where there were a LOT of security
> holes in it. by running it in a chroot, you limit its ability to be
> used as a hacking point of entry. recent versions of bind
> (basically, 9 and newer) are much more secure, so this is less of a
> concern.
>
>
But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.
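
Added example, not part of the original thread: a shell function that classifies how a running named is confined, covering the two options discussed above (chroot via bind-chroot, and SELinux without a chroot). It assumes the stock targeted policy, where named runs in the `named_t` domain, and that a chrooted named is started with `-t <dir>`; the sample command lines are constructed.

```shell
#!/bin/sh
# Classify how a named process is confined, from three inputs:
#   $1  output of `getenforce`        (Enforcing | Permissive | Disabled)
#   $2  SELinux label of the process  (as printed by `ps -o label= -C named`)
#   $3  its command line              (as printed by `ps -o args= -C named`)
# Prints one of: chroot+selinux, chroot-only, selinux-only, unconfined
named_confinement() {
    mode=$1
    label=$2
    args=$3
    chrooted=no
    selinux=no

    # A chrooted named is started with "-t <chroot dir>".
    case " $args " in
        *" -t "*) chrooted=yes ;;
    esac

    # SELinux only confines named when the system is enforcing AND the
    # process runs in the named_t domain (assumption: targeted policy).
    # Permissive mode logs denials but does not block anything.
    domain=$(printf '%s' "$label" | cut -d: -f3)
    if [ "$mode" = "Enforcing" ] && [ "$domain" = "named_t" ]; then
        selinux=yes
    fi

    case "$chrooted/$selinux" in
        yes/yes) echo "chroot+selinux" ;;
        yes/no)  echo "chroot-only" ;;
        no/yes)  echo "selinux-only" ;;
        *)       echo "unconfined" ;;
    esac
}

# Constructed sample: non-chrooted named on an enforcing system.
named_confinement Enforcing "system_u:system_r:named_t:s0" \
    "/usr/sbin/named -u named -c /etc/named.conf"

# On a live host:
#   named_confinement "$(getenforce)" "$(ps -o label= -C named)" \
#       "$(ps -o args= -C named)"
```

A result of `unconfined` on a non-chrooted server is the case the reply above warns about: either SELinux is not enforcing or named is not running in its own domain.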