Secure a DNS Server
Server Training - DNS Server
Securing a DNS server is a broad topic with many options. This is a short, to-the-point guide to the quickest way to set up basic security on a BIND server in three steps.
Restrict Zone Transfers

Zone transfers are necessary when you run a secondary (slave) DNS server: changes made on the primary (master) server must be transferred to the slave so it stays up to date. You certainly do not want anyone else to be able to transfer your zone data, so transfers must be limited to your slave servers only. If you host a number of zones and all of them are represented on the slave server, you can use a global options statement to specify which slave server may transfer them. The following allows your slave server at 192.168.5.14 to transfer zone data, but no other server. It applies to all zones.
    options {
        allow-transfer { 192.168.5.14; localhost; };
    };

If you want to set up transfers for only one zone, you can list the restriction within that zone statement. This allows the transfer of example.com only, no other domains.
    zone "example.com" {
        type master;
        file "example.com.zone";
        allow-transfer { 192.168.5.14; localhost; };
    };

Because your slave server is just as likely to be targeted by those wanting to transfer zone data from it, modify the slave's zone statement to secure it as well. With allow-transfer set to none, the slave still serves the zone but will not hand it out to anyone:

    zone "example.com" {
        type slave;
        masters { 192.168.5.2; };
        file "bak.example.com";
        allow-transfer { none; };
    };

Restricting All Queries

Restricting who can query your DNS server saves resources and provides better service to the internal users who rely on it to reach the Internet. This global statement allows only your internal network to query the server. Because it also stops outsiders from learning anything about your DNS, you will then open queries only for the domains you own.
    options {
        allow-query { 192.168.5.0/24; };
    };
You do want everyone to be able to look up the domains you host, so be sure they can query information about those zones. Include both the forward and reverse zones. The reverse zone name is the network's octets in reverse order under in-addr.arpa (for 192.168.5.0/24 that is 5.168.192.in-addr.arpa).

    zone "example.com" {
        type master;
        file "example.com.zone";
        allow-query { any; };
    };
    zone "196.168.192.in-addr.arpa" {
        type master;   // type and file statements added so the zone is complete; use your own reverse zone file name
        file "196.168.192.in-addr.arpa.zone";
        allow-query { any; };
    };
Restrict Recursion

Restricting recursion not only reduces resource use on your server, it also eliminates the possibility of cache poisoning. Cache poisoning is where a DNS cache is fed fake information in order to hijack your domain. The statement below limits recursive lookups to your internal network. The problem with recursive lookups is that they require your DNS server to go and find a definitive answer, which takes time and resources you do not want to give away to outsiders.
    options {
        allow-recursion { 192.168.5.0/24; localhost; };
    };

Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874
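As an added example that is not part of the original guide, the following Python script reads a named.conf and checks the three restrictions described above: allow-recursion and allow-query in the global options, and allow-transfer on every master zone (slaves must use none). It runs against two constructed configurations embedded in the script, an unrestricted one and the hardened settings from this guide (the reverse zone name 5.168.192.in-addr.arpa is assumed for 192.168.5.0/24). The parser is deliberately simplified: it handles top-level options and zone blocks and the brace statements inside them, not include files or views, so treat it as a first-pass audit alongside named-checkconf rather than a replacement for it.

```python
"""First-pass audit of named.conf access controls (added example, not from the guide).

Checks: allow-recursion and allow-query restricted in options, allow-transfer
restricted on every master zone, allow-transfer { none; } on every slave zone.
Simplified parser: top-level `options` and `zone` blocks only; no include/view support.
"""
import re

# Constructed sample: nothing is restricted.
WEAK_CONF = """
options { directory "/var/named"; };
zone "example.com" { type master; file "example.com.zone"; allow-transfer { any; }; };
zone "example.net" { type slave; masters { 192.168.5.2; }; file "bak.example.net"; };
"""

# Constructed sample: the three restrictions from the guide in place
# (reverse zone name assumed for the 192.168.5.0/24 network).
HARDENED_CONF = """
options {
    allow-transfer { 192.168.5.14; localhost; };
    allow-query { 192.168.5.0/24; };
    allow-recursion { 192.168.5.0/24; localhost; };
};
zone "example.com" { type master; file "example.com.zone"; allow-query { any; }; };
zone "5.168.192.in-addr.arpa" { type master; file "5.168.192.rev"; allow-query { any; }; };
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };`, matching nested braces."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().strip(";").strip()
        depth = 0
        for j in range(start, len(text)):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
        yield header, text[start + 1:j]
        i = j + 1


def parse_named_conf(text):
    """Return {"options": {stmt: [values]}, "zones": {name: {"type": ..., stmt: [values]}}}."""
    conf = {"options": {}, "zones": {}}
    for header, body in _top_level_blocks(_strip_comments(text)):
        # Brace statements inside the block, e.g. allow-transfer { 192.168.5.14; localhost; };
        lists = {m.group(1): [v.strip() for v in m.group(2).split(";") if v.strip()]
                 for m in re.finditer(r"([\w-]+)\s*\{([^}]*)\}", body)}
        if header == "options":
            conf["options"] = lists
        elif header.startswith("zone"):
            name = re.match(r'zone\s+"([^"]+)"', header).group(1)
            ztype = re.search(r"\btype\s+(\w+)\s*;", body)
            conf["zones"][name] = {"type": ztype.group(1) if ztype else None, **lists}
    return conf


def _is_open(acl):
    """True when the statement is absent (not explicitly restricted) or contains `any`."""
    return acl is None or any(v.lower() == "any" for v in acl)


def audit(conf):
    """Return a list of findings; an empty list means all three restrictions are in place."""
    findings = []
    opts = conf["options"]
    if _is_open(opts.get("allow-recursion")):
        findings.append("options: allow-recursion is not restricted to your internal network")
    if _is_open(opts.get("allow-query")):
        findings.append("options: allow-query is not restricted globally")
    for name, zone in conf["zones"].items():
        # A zone without its own allow-transfer inherits the global one from options.
        xfer = zone.get("allow-transfer", opts.get("allow-transfer"))
        if zone["type"] == "slave":
            if xfer is None or [v.lower() for v in xfer] != ["none"]:
                findings.append(f"zone {name}: slave should set allow-transfer {{ none; }}")
        elif _is_open(xfer):
            findings.append(f"zone {name}: zone transfer is not restricted to your slave servers")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for line in audit(parse_named_conf(text)) or ["no findings"]:
            print(" ", line)
```

Run it as-is to see four findings for the weak configuration and none for the hardened one; to audit a real file, replace the constructed samples with `open("/etc/named.conf").read()` (path assumed). Because a zone with no allow-transfer of its own inherits the global setting, the check reports a master zone only when neither level restricts transfers, which mirrors how the options and zone statements above interact.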