DNS security
One of the most important ways you can enhance the security of your name server is to run a recent version of Bind (if you must run Bind at all, that is; there are more secure alternatives. I no longer use Bind, but for those who do, I've left this guide in place). All versions of Bind before 8.2.3 are susceptible to at least a few known attacks. Check the ISC's list of vulnerabilities in the various Bind versions for any updates.
Bind 9 supports Access Control Lists (ACLs): named address match lists that you define once and then reference in allow-notify, allow-query, allow-recursion, blackhole, allow-transfer, and so on.
Using ACLs gives you finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses. It is a good idea to use ACLs and to control access to your server; limiting access by outside parties helps prevent spoofing and DoS attacks against it.
Since older versions of Bind may have known exploits, it is always a good idea to hide the version. Although hiding it may itself advertise that we're running a fairly recent version of Bind, and some consider this kind of 'security by obscurity' pointless, to do it anyway simply add the following to your named.conf:
options {
....
version "not known";
};
If you allow recursive lookups, you open yourself up to various security risks and performance issues, so you should only allow recursion when needed. Recursive lookups are lookups for domains you are not authoritative for. That is, if you are authoritative for mydomain.com and you don't allow recursion, then somebody who queries your server for otherdomain.com will just get a host not found error. To turn off recursion altogether, use this option in named.conf:
options {
....
recursion no;
};
To allow recursive lookups from a particular set of IP addresses, perhaps on your own network, define them in an ACL at the start of named.conf and modify the above to get:
// use the network address: named rejects a prefix whose host bits are set
acl trusted { 10.11.12.0/27; };
options {
....
allow-recursion { trusted; };
};
allow-transfer defines a list of IP addresses that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host. While on its face this may seem an excessively friendly default, DNS data is essentially public and the bad guys can get all of it anyway. However, if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about a possible DoS attack initiated by transfer requests, then use the following:
options {
....
allow-transfer { none; };
};
You can also use this in a zone statement.
Finally, blackhole defines a list of addresses that the server will not respond to or answer queries for. The default is 'none' (all hosts are responded to). This statement may only be used in the global options clause. We can define the set of IP addresses to ignore in an ACL and then have:
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
options {
....
blackhole { bogusnets; };
};
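As an added example (not part of the original guide), here is a small Python audit that parses the acl blocks and the global options clause of a named.conf and flags the points covered above: a missing version string, recursion open to everyone, the permissive allow-transfer default, and ACL prefixes whose host bits are not zero. The config fragment is constructed for the example, and the parser only understands the subset of named.conf syntax used on this page (no comments, no nested option blocks).

```python
import ipaddress
import re

# Constructed named.conf fragment for the audit (not a real server's config).
# bogusnets omits 1.0.0.0/8 and 2.0.0.0/8, which have since been allocated.
SAMPLE_CONF = """
acl trusted { 10.11.12.13/27; };
acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
options {
    version "not known";
    recursion yes;
    allow-recursion { trusted; };
    blackhole { bogusnets; };
};
"""

def members(value):
    """'{ trusted; 10.0.0.0/8; }' -> ['trusted', '10.0.0.0/8']"""
    return [e.strip() for e in value.strip("{} ").split(";") if e.strip()]

def parse_conf(conf):
    """Minimal parser: 'acl NAME { ... };' blocks plus the global options clause."""
    acls = {m.group(1): members(m.group(2))
            for m in re.finditer(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', conf)}
    opts, start = {}, re.search(r"options\s*\{", conf)
    if start:
        depth, i = 1, start.end()
        while depth:  # walk to the brace that closes the options clause
            depth += {"{": 1, "}": -1}.get(conf[i], 0); i += 1
        for m in re.finditer(r'([\w-]+)\s+(\{[^}]*\}|"[^"]*"|[^;{}\s]+)\s*;',
                             conf[start.end():i - 1]):
            opts[m.group(1)] = m.group(2)
    return acls, opts

def audit(conf):
    """Findings for the hardening points above; the defaults mirror Bind's."""
    acls, opts = parse_conf(conf)
    findings = []
    if "version" not in opts:
        findings.append("version: not set, version.bind reveals the real version")
    if (opts.get("recursion", "yes") == "yes"
            and "any" in members(opts.get("allow-recursion", "{ any; }"))):
        findings.append("recursion: open to any client")
    if "any" in members(opts.get("allow-transfer", "{ any; }")):
        findings.append("allow-transfer: zone transfers allowed to any host (default)")
    for name, elems in acls.items():
        for iface in (ipaddress.ip_interface(e.lstrip("!")) for e in elems if "/" in e):
            if iface.ip != iface.network.network_address:  # host bits set; named rejects this
                findings.append(f"acl {name}: {iface} has host bits set, meant {iface.network}?")
    return findings
```

Running audit(SAMPLE_CONF) reports the missing allow-transfer restriction and the misaligned trusted prefix; fixing both yields an empty list.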

