DNS caching 7359
Well, I know a lot of people don't like to admit it, but I got "hacked" over the Xmas holidays, thanks to my own stupidity and oversight. Meaning, I wasn't really...
Now I have seen repeated in this thread that there is no way to control what file (actually what directory) named dumps its data to. Jean-David is right, it is possible, and here is how you do it.
A few lines from myetc-named.conf:
options { directory "-var-named"; dump-file "-var-named-data-cachedump.db"; statistics-file "-var-named-data-namedstats.txt";
My named runs in a chroot jail, and the paths are relative to its root.
Next, if there is a bug in named and a cracker exploits it, I presume there will be damage, not only dos, but clients of that instance of named will be directed to the the crackers "infernal sites", even if the zone files are not writable, until named is rebooted or reloaded.
Suppose named runs in a chroot jail and has write access to the zone files, and buttume there is a good copy of the zone files outside the jail, and buttume the startup script wipes the jail clean and populates it from the good copy each time named is restarted. What is the difference?
There is a difference I can see, if you use a SIGHUP or rndc reload, the zone files will not be restored from the good copy. But you can change your procedures.
-Enrique