by m3047
1233 days ago
I gave this a +1, although I have some reservations. As long as they take care of the basics, it's a grind but they can "learn on the job" without putting themselves or others in harm's way. Being an open recursor isn't as bad as being an open (email) relay. They'll learn about Response Rate Limiting the first time they get used in a reflection attack. And so on. If they install a web interface to manage DNS all bets are off (what manages the management interface?).

The Basics:

* Having a strong allergic reaction to anyone using the words "simply" or "just".
* Setting up SSH with at least two of a password, a key, IP address restrictions.
* Not allowing dynamic updates until you know what you're doing with security and access controls.
* Keeping patches / software up-to-date.
* Editing zone files / configs by hand.

If they can do those things, then the machine will only be listening on two ports (53 and whatever they put SSH on).