BIND 9 Application Security - AppArmor, Seccomp-BPF, Firejail & Systemd

Presented by

Carsten Strotmann

About this talk

This webinar will look at alternatives to SELinux for securing BIND 9 application servers. Trainer Carsten Strotmann will walk you through the critical commands needed to enable, disable and view restrictions that can protect your server from overuse or intrusions coming from the BIND 9 process. Measures like this can protect against unknown future vulnerabilities, as well as protect the named process itself.

Topics discussed include:

- AppArmor on Ubuntu/Debian
- Securing a BIND 9 Server with “Firejail”
- Introduction to Seccomp/BPF “syscall Firewall”
- Restricting Syscalls with Seccomp and systemd
- Hardening a BIND 9 installation with Systemd

In addition Carsten shared his Systemd 'unit' file here: and a Firejail profile template here:

Learn more at

Internet Systems Consortium is a non-profit corporation dedicated to developing software and offering services in support of the Internet infrastructure. ISC develops and distributes three open source Internet networking software packages: BIND 9, ISC DHCP, and Kea DHCP. BIND 9, ISC’s Domain Name System (DNS) software program, is widely used on the Internet by enterprises and service providers, offering a robust and stable platform on top of which organizations can build distributed computing systems. ISC DHCP and Kea implement the Dynamic Host Configuration Protocol for connection to an IP network. Kea DHCP is ISC’s newer DHCP software, and is designed for modular extension, dynamic reconfiguration, and high performance. In addition to our open source software, ISC also operates critical Internet infrastructure in the form of the F-Root server, one of the 13 Internet root name servers that power the global Internet. ISC is supported through the sale of annual support subscriptions for our open source software. These support services also include advance notification of security vulnerabilities, and in some cases, non-public software extensions. For more information please visit or email us at