[dns-operations] CVE 2015-8000 actively exploited yesterday
Robert Edmonds
edmonds at mycre.ws
Thu Dec 17 01:49:10 UTC 2015
Jared Mauch wrote:
> You can always take something like dnsdist and stick it in front of a cluster
> of servers, or ask RedHat to package a better init.d/systemd script to respawn
> the daemon.
RHEL 7 is systemd-based (so it doesn't help the original poster, who's
running RHEL 6, which is upstart-based), so this is basically a
one-liner. You set a "Restart=" value in the [Service] section of the
named.service unit file. For the full documentation, see
http://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=
The named.service unit shipped in RHEL 7 (actually CentOS 7.2.1511)
doesn't set Restart=, so the default is "Restart=no". The Fedora
packagers recommend "Restart=on-failure" or "Restart=on-abnormal" for
long-running daemons:
https://fedoraproject.org/wiki/Packaging:Systemd#Automatic_restarting
(Of course, the server still can't answer any queries in the time
between the abort and being restarted by the init system.)
> I generate my config out of a database, so having something output another
> format is fairly painless. Maybe that is PowerDNS or NSD or knot. Lots of
> people use BIND because it’s considered the ‘reference implementation’ by
> the community. This is also why when using NTP people use the ntp.org one
> vs chrony, OpenNTPD or something else. (Me, I recommend chrony).
systemd-timesyncd is also a pretty good SNTP client. I especially like
how it doesn't leave a UDP port open, except when it's making a request.
> Either way, diversity creates options and building a solution to restart
> the daemon is as easy as:
>
> #/bin/bash
> while true; do
> /usr/sbin/named -f $OTHER_ARGS
> done
Well, if you go down that route, please make sure there's a ! in the
shebang :-)
--
Robert Edmonds
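The Restart= change described above, as an added example that is not part of the original thread: a POSIX shell helper that writes a systemd drop-in for named.service (the unit name from the post) instead of editing the vendor unit file, so the setting survives package updates. The drop-in directory default, the RestartSec= value and the script name are my assumptions; Restart=on-abnormal and RestartSec= are documented systemd.service directives.

```shell
#!/bin/sh
# Added example (not from the thread): write a systemd drop-in that makes
# named.service restart after an abnormal exit such as the abort discussed above.
# Usage: ./named-restart-dropin.sh [drop-in-dir]
#   default drop-in-dir: /etc/systemd/system/named.service.d  (assumed path)
# Run `systemctl daemon-reload` afterwards; that step is not done here.

# Print the drop-in body. Restart=on-abnormal restarts the unit after an unclean
# signal (e.g. SIGABRT from an assertion failure), a timeout or a watchdog event,
# but not after a clean exit or a non-zero exit code from a config error, so a
# broken named.conf does not produce a restart loop. RestartSec=2s is an
# assumed delay between the exit and the respawn.
dropin_content() {
    printf '%s\n' \
        '[Service]' \
        'Restart=on-abnormal' \
        'RestartSec=2s'
}

# Write the drop-in to "$1/override.conf", creating the directory if needed,
# then confirm the intended Restart= line is really there. Returns 0 on success.
write_dropin() {
    dir="${1:-/etc/systemd/system/named.service.d}"
    mkdir -p "$dir" || return 1
    dropin_content > "$dir/override.conf" || return 1
    grep -q '^Restart=on-abnormal$' "$dir/override.conf"
}

# Only write something when a target directory was given on the command line.
if [ $# -gt 0 ]; then
    write_dropin "$1" && echo "wrote $1/override.conf"
fi
```

After `systemctl daemon-reload`, `systemctl show named.service -p Restart` should report the new value. Two caveats a defender should keep in mind: the post already notes that queries go unanswered between the abort and the respawn, and systemd's start rate limit (StartLimitBurst= and its interval setting) will stop respawning a unit that dies repeatedly, so a remotely re-triggerable abort still needs the patched package rather than only an auto-restart.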