Wednesday, December 16, 2009

BIND 9 - remember to disable dynamic updates!

The nixCraft newsletter, http://www.cyberciti.biz, has some really handy tips. Today's was a BIND 9 'feature' that I didn't have disabled, but should have. BIND 9 allows you to update master zones on a nameserver with the allow-update directive. Bad idea for many reasons, even if you specify allowed addresses. So for security's sake, put

allow-update { none; };

into each of your zone files.

When I'd done this and run 'rndc reload', I noticed the following in my log file:

Dec 15 09:02:05 challenger named[3127]: the working directory is not writable

Hmm. A little googling told me that the named directory had to be group writable, and mine wasn't. So:

chmod g+w /var/named/chroot/var/named/

Of course, we're running chroot'ed. If you're not, you should be.
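To check both points above on an existing server, here is an added audit script (my addition, not from the newsletter or from BIND). It assumes the allow-update setting lives in the zone statements of named.conf, one directive per line, and that the working directory path is supplied by you; the config it parses is a constructed sample.

```shell
# Added audit helpers: find master zones that still accept dynamic updates
# (anything other than allow-update { none; }), and check the working
# directory's group write bit. Assumes one "zone ... {" block per zone.

# Constructed sample config; a real one lives in named.conf (or its chroot copy).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
zone "example.org" IN {
    type master;
    file "example.org.zone";
    allow-update { none; };
};
zone "example.net" IN {
    type master;
    file "example.net.zone";
    allow-update { 192.0.2.10; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
EOF

# open_update_zones FILE: print each master zone whose allow-update is not
# exactly { none; }; address-restricted and missing directives both count.
open_update_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ { z=$2; gsub(/"/, "", z); t=""; u="" }
        /^[[:space:]]*type[[:space:]]+/  { t=$2; sub(/;.*/, "", t) }
        /^[[:space:]]*allow-update/      { u=$0; gsub(/[[:space:]]/, "", u) }
        /^[[:space:]]*};/ && z != "" {
            if (t == "master" && u != "allow-update{none;};") print z
            z=""
        }' "$1"
}

# group_writable DIR: succeed if the group write bit is set (ls output is portable)
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

echo "Master zones still accepting dynamic updates:"
open_update_zones "$SAMPLE_CONF"

WORKDIR=$(mktemp -d)   # stand-in for /var/named/chroot/var/named
chmod g-w "$WORKDIR"
group_writable "$WORKDIR" || echo "$WORKDIR: not group writable (named would log the warning)"
chmod g+w "$WORKDIR"
group_writable "$WORKDIR" && echo "$WORKDIR: group writable after chmod g+w"
```

Run it against your real named.conf and directory by passing those paths to the two functions instead of the sample ones.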
