[plug] incase anyone wasnt aware..CERT advisory [ BIND ]

Christian christian at amnet.net.au
Tue Nov 14 14:11:27 WST 2000


On Tue, Nov 14, 2000 at 01:50:56PM +0800, Bret Busby wrote:
 
> A couple of points:
> 
> A while ago, from memory, I raised a similar issue on the mailing list
> (a CERT warning about BIND).
> 
> At that time, from memory, advice was given that no-one using Linux,
> should be using BIND, unless it was absolutely necessary, and, that
> people should check whether BIND was running on their systems, and, if
> so, unless they were running DNS servers, or something, they should
> immediately disable BIND, as BIND itself posed a ecurity risk, unless
> using it was absolutely necessary, and, the latest version, with the
> most recent security patches, was being used.

No one should be using any program they don't need.  That would seem
pretty obvious and not just from a security perspective!  But your
memory seems to have served you correctly.

> Perhaps, Christian, as the security person, you could briefly go over
> the associated issues regarding BIND, again, for the sake of Desiree,
> and, any new people, who may have BIND running, unwittingly?

*The* security person? *chuckle*

Basically, don't run any software that you don't need.  If you've got a
home workstation, you don't need to run a DNS server (and probably most
other servers).  If you're running a machine (semi-)professionally then
subscribe to your vendor's security mailing list and/or any other
relevant lists which will let you know when security issues arise with
the software you're using so you can upgrade, temporary disable the
service or whatever.



More information about the plug mailing list