Since I am still unemployed I seem to have a lot more free time on my hands to test out new stuff. For those of you that are scrambling to fix systems because of the latest round of BIND bugs, here is something I have just deployed that you might find useful before the script kiddies head your way. ( You are fixing your systems, right?? Or are you playing the "there are lots of systems on the Internet so I won't get cracked" game??? )

First read these:

http://www.cert.org/advisories/CA-2001-02.html
http://www.isc.org/products/BIND/bind-security.html

Ok... you should be wide awake now.

I currently have 3 domains:

magusnet.com
magusnet.gilbert.az.us
francois.gilbert.az.us

All are being served by the nameserver on the firewall, which is a forwarder host for my internal machines, which are all on private RFC1618 space.

Problem: I was running BIND on the firewall, but that is a bad thing in light of the latest issues. However, I need to have a visible nameserver to resolve my domains for external lookups that is not connected to my internal DNS config.

So after a little work ( 2 hours ) I set up a system so that my internal OpenBSD DJBDNS servers are now authoritative for my domains and I have a proxy port running on the firewall that listens for requests on UDP Port 53. This accomplishes a few things.

I am now running DJBDNS exclusively on OpenBSD Sparc systems internally for all DNS: http://cr.yp.to/djbdns

I can now arbitrarily point to any internal hosts for DNS resolution independent of the firewall by modifying the proxy config and sending a HUP signal.

My IDS is integrated into my proxy software to watch activity.

By default, zone transfers are disabled without any fancy directives in a conf file.

Later on, when I feel like it, I can put the DJBDNS cache server on the firewall, but I am in no rush to do it right now.

No matter which of the domains I have are looked up, all SOA records will look like magusnet.com zone files to accomplish configuration masking.

It's fast!! I configured the proxy to spawn 32 processes to handle DNS requests and it's better than it ever was for speed on a Pentium 133 with 64MB RAM.

So, it looks like BIND is dead at MagusNet, Inc. for the time being. Once they get the bugs worked out in BIND 9+ I might have to look at it again.

For those of you that have proxy type firewalls this should be relatively easy for you to set up if you have at least one *NIX type box on your internal LAN and your vendor software is capable of supporting reverse proxy DNS requests.

I am not sure how this BIND problem affects Windows shops. Those admins have enough to worry about with still unpatched exploits in IIS and other services, so I hope that ports of BIND to Windows are ok, but I wouldn't bet my LAN on it.

Anyone out there have any other good BIND or other security solution stories to share?

Jean Francois - JLF Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
MagusNet, Inc. - Design * Develop * Integrate
My Certifications: http://www.magusnet.com/resume.txt
Internet / Intranet Deployment, SQL Database Access for WWW, Secure Offsite Data Storage, Disaster Recovery Planning and Management, UNIX System Security, CGI & SQL programming, UNIX Training, Linux/BSD support, Proxy/Filtering Firewalls, & UNIX System Administration.
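An added example, not the poster's proxy software, of the kind of UDP/53 forwarding proxy the post describes: it parses the question, forwards ordinary queries to an internal authoritative server (the 10.0.0.2 address is an assumption), answers AXFR/IXFR with REFUSED, drops malformed packets, and writes one log line per query for an IDS to watch; build_query only constructs the sample packets.

```python
import socket, struct, sys

UPSTREAM = ("10.0.0.2", 53)    # assumption: an internal tinydns server on private address space

def build_query(name, qtype, txid=0x1234):   # helper for constructed sample queries only
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (qname, qtype, end_of_question); raise on anything but one clean query."""
    if len(pkt) < 12: raise ValueError("short packet")
    _, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1: raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        n, pos = pkt[pos], pos + 1        # IndexError on a truncated name is caught in decide()
        if n == 0: break
        if n & 0xC0: raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + n].decode("ascii")); pos += n
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype, pos + 4

def decide(pkt):
    """Proxy policy: drop malformed packets, refuse zone transfers, forward everything else."""
    try:
        qname, qtype, _ = parse_question(pkt)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error) as exc:
        return "drop", str(exc)
    return ("refuse" if qtype in (252, 251) else "forward"), qname   # 252 = AXFR, 251 = IXFR

def refused(pkt):
    """REFUSED (RCODE 5) reply: QR set, RD copied from the query, question echoed back."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    _, _, qend = parse_question(pkt)
    return struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | 5, 1, 0, 0, 0) + pkt[12:qend]

def serve(listen=("0.0.0.0", 53)):
    """UDP-only listener; with TCP/53 closed, a transfer request cannot even reach the zone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); srv.bind(listen)
    while True:
        pkt, client = srv.recvfrom(512)
        verdict, detail = decide(pkt)
        print(client[0], verdict, detail, file=sys.stderr)   # one log line per query for the IDS
        if verdict == "refuse":
            srv.sendto(refused(pkt), client)
        elif verdict == "forward":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:  # fresh socket per query
                up.settimeout(2); up.sendto(pkt, UPSTREAM)
                try: srv.sendto(up.recv(512), client)
                except socket.timeout: pass                   # upstream silent: client will retry
```

Call serve() as root to bind port 53, or pass a high port for testing against a lab resolver.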