[WBEL-users] Recommendation for BIND only distro?

John Morris jmorris at beau.org
Wed May 25 15:02:59 CDT 2005

On Wed, 2005-05-25 at 11:09, Bob Ramstad wrote:

> We have a need to bring up a very very limited role server for taking
> care of external DNS requests.  This will be the only public service
> at our location.

> It then occurred to me that there have to be some distros out there
> that are meant for this kind of purpose, and sure enough, there's an
> embarrassment of riches out there... hard to choose one.

I'd say it depends on a couple of factors.

1) Do you have an adequate box to throw at the problem?  WBEL3 needs
192M to reliably install (but you can drop to 128 or 64 afterwards if
you are only running bind).

2) How many other WBEL machines are you running?  If you are running a
lot you probably have a local repo and a fair amount of experience in
admining WBEL.  You will probably have neither on a first install of a
mini-distro.  Bind isn't the most bug-free software.

Of course I'd run WBEL since I know it and hardware equal to the task is
sitting in storage.  If you start with a minimal install and then remove
some more afterwards (even if you need --nodeps to get around .spec
brain damage) you can harden it up nicely.  Configure yum to do nightly
updates from a local repo so nobody has to remember to update bind every
time another exploit is discovered.  Then use iptables to close every
port except the ones needed for DNS and ssh from your management
workstation and you should be pretty safe.  Especially if you spend the
extra few minutes installing bind-chroot and sorting all that out.

The only downside is that in the past updates to bind (especially when
using bind-chroot) have broken things badly enough to leave the server
dead in the water without human intervention so consider the risk of
that vs the risk from a successful exploit before putting yum on

John M.      http://www.beau.org/~jmorris     This post is 100% M$Free!
Geekcode 3.1:GCS C+++ UL++++$ P++ L+++ W++ w--- Y++ b++ 5+++ R tv- e* r
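Added example, not part of John's post: a generator for the iptables step he describes (DNS open to everyone, ssh only from the management workstation, outbound limited to DNS and the local yum repo), emitted in the iptables-restore format that /etc/sysconfig/iptables uses on a RHEL3-era box. The management and repo addresses are placeholders, and the sanity check at the end is my own addition.

```shell
#!/bin/sh
# Placeholder addresses (constructed for this example, not from the post).
MGMT_IP="${MGMT_IP:-192.0.2.10}"   # admin workstation allowed to ssh in
REPO_IP="${REPO_IP:-192.0.2.20}"   # local yum repository for nightly updates

# Emit the rule set in iptables-restore format: default DROP on every
# chain, then the handful of holes a BIND-only host actually needs.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -s ${MGMT_IP} --dport 22 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${REPO_IP} --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: every rule that admits port 22 must carry a source
# restriction, so a later edit cannot quietly open ssh to the world.
ssh_is_restricted() {
    ! gen_rules | grep -- '--dport 22' | grep -v -q -- '-s '
}

# Write the rules where the iptables init script reads them and reload.
apply_rules() {
    ssh_is_restricted || { echo "refusing: ssh not source-restricted" >&2; return 1; }
    gen_rules > /etc/sysconfig/iptables && service iptables restart
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules   # dry run: print the rule set for review
fi
```

Run with no arguments to review the rules; pass `apply` as root to install them.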
