DNS and BIND

Security Considerations

This section requires a whole guide. Instead of a complete guide, this section will give points of advice, rather than how to implement each idea:

• Run dedicated servers: an internal advertising and an external server capable of resolving queries outside of your domain.

• Use allow-transfer {ip-address;}; in named.conf to restrict zone transfers to only specified servers. Do not forget to restrict zone transfers for both master and slave servers.

• Separate cache and DNS functionality: recursion no; in named.conf will disable caching. If caching must be done on the same server, restrict who can perform recursive, caching queries by using the allow-recursion {subnet;}; in named.conf. Allowing recursive queries from every one increases the chances of DNS cache poisoning. This is a good reason to run dedicated servers, this avoids your entire DNS system being brought down because of one poisoned cache.

• Restrict who can query your DNS server: use allow-query {subnet;}; to restrict queries except from the specified subnet.

• For iptables, allow UDP and TCP port 53. UDP is used for almost all queries, but queries larger than 512 bytes and zone transfers require TCP. Depending on the information you are serving and whether or not you are allowing zone transfers, you can get away with only allowing UDP port 53. Allow TCP port 953 for rndc, and of course allow traffic on the loopback (lo) interface. The following is an iptables examples (for a machine with only a eth0 network interface card) that allows UDP and TCP port 53, and TCP 953 for rndc:

iptables ­-A INPUT ­-i lo ­-j ACCEPT
iptables ­-A OUTPUT ­-o lo ­-j ACCEPT
iptables ­-A INPUT ­-i eth0 ­-p tcp ­­--dport 53 ­-j ACCEPT
iptables ­-A INPUT ­-i eth0 ­-p udp ­­--dport 53 ­-j ACCEPT
iptables ­-A INPUT ­-i eth0 ­-p tcp ­­--dport 953 ­-j ACCEPT

This example does not take outbound traffic into consideration.

• The "Securing an Internet Name Server" PDF found at [1] has a lot of information on securing a nameserver.