it comes from the days of BIND offering up remote root exploits more often than i care to remember. not allowing TCP 53 through the firewall allowed one to get at least a couple of winks over the course of a night.
Well, those days are hopefully over. Modern BIND is just as secure as any other service (hm, thinking about it, this isn't much of an argument ;-) ). Plus, it runs as an unprivileged user in a chrooted jail just fine (this one is an argument).
just adding layers to the onion.
Let me guess, you named your firewall shrek.817west.com?
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7