[CentOS] Vulnerabilities to bind-libs bind-utils - possible to remove these on webservers

Mon Jun 24 15:49:16 UTC 2019
Peda, Allan (NYC-GIS) <Allan.Peda at interpublic.com>

I just tried out removal of bind-utils on a soon to be retired machine.  It seems fine with the caveat that we lose /bin/host and /bin/dig

Perhaps a perl script might suffice to emulate 'host' on machines that might need the occasional networking debug session.  Just typed this up, so FWIW:

use Net::DNS;

my $res = Net::DNS::Resolver->new();
my $sought = $ARGV[0];
my $a_query = $res->search($sought);
if ($a_query) {
  foreach my $rr ($a_query->answer) {
    if( $rr->type eq 'A' ){
      printf("%s has address %s\n", $sought, $rr->address);
    } elsif( $rr->type eq 'CNAME' ){
      printf("%s is an alias for %s\n", $sought, $rr->cname);
      $sought = $rr->cname;
} else {
    warn "Unable to obtain a record for $ARGV[0]: ", $res->errorstring, "\n";

On 6/24/19, 10:02 AM, "CentOS on behalf of mark" <centos-bounces at centos.org on behalf of m.roth at 5-cent.us> wrote:

    Peda, Allan (NYC-GIS) wrote:
    > I think the subject says it all.  We don't run named.  It seems there are
    > chronic issues with bind.  Can these packages be removed?
    > We locally authenticate. I see this:
    > Removing for dependencies:
    > bind-utils ipa-client sssd sssd-ad sssd-ipa
    > We shouldn't need any of that with local authentication (/etc passwd and
    > /etc/shadow) right?
    Are you running sssd? Are you connected to the AD?
        mark (we do, and we are)
    CentOS mailing list
    CentOS at centos.org

This message contains information which may be confidential and privileged. Unless you are the intended recipient (or authorized to receive this message for the intended recipient), you may not use, copy, disseminate or disclose to anyone the message or any information contained in the message.  If you have received the message in error, please advise the sender by reply e-mail, and delete the message.  Thank you very much.