Re: Securing DNS


Subject: Re: Securing DNS
From: Darron Froese (darron@froese.org)
Date: Wed Nov 21 2001 - 15:46:40 MST


On 11/21/01 3:17 PM, "Duane Murphy" <duanemurphy@mac.com> wrote:

> I am concerned about the security of the domain server. I have seen how I
> can change the access control to the local LAN only, but then I don't
> respond to domain information for my public domains. I have also noticed
> that my internal addresses are available to the outside with a request.
> This is just annoying as they are local addresses and can't be used
> externally. But it still seems like a risk.
>
> Is there some way to secure this DNS server? To allow it to provide access
> to my public domains as well as my local lookups?

It's actually quite simple.

With Bind 8 you can add a number of options to the named.conf file that add
various levels of security. Here are some of the ones I've added to a DNS
server I run:

options {

        // Allow only our secondary name server to get
        // a full zone transfer.
        // That way, you can determine who gets a full zone transfer
        // from your server.
        allow-transfer {
                ip.address.of.secondary;
        };

        // Don't give them the real version number. Let them guess.
        version "Yeah sure.";

        // Only allow recursion from local networks.
        // This will allow your internal people to resolve outside names -
        // but will NOT affect people querying domain names you are hosting.
        allow-recursion {
                192.168.1.0/24;
        };

};

Here's a zone that I only want to be available from inside the network:

zone "internal" {
        type master;
        file "internal.hosts";
        allow-query {
                local.ip.addresses.here;
                another.local.address.of.firewall;
        };
};

There are also other options for securing your DNS server like setting up
TSIG between hosts and DNSSEC, but these are the simplest and quickest to
do.

Hope that helps at all.
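A small audit script, added here as an example and not part of the reply above, that checks a named.conf for the same points: restricted allow-transfer, restricted allow-recursion, an overridden version string, and an allow-query on the internal zone. The two sample configs inside it are constructed; the zone name "internal" follows the example above, and 192.0.2.53 is a made-up secondary address.

```python
import re

# Constructed sample configs (not from the original post): one bare named.conf
# and one with the options the reply above recommends.
WEAK_CONF = """options { directory "/var/named"; };
zone "example.org" { type master; file "example.org.hosts"; };
zone "internal" { type master; file "internal.hosts"; };"""
HARDENED_CONF = """options {
        allow-transfer { 192.0.2.53; };       // secondary only (made-up address)
        version "Yeah sure.";
        allow-recursion { 192.168.1.0/24; };  // internal clients only
};
zone "example.org" { type master; file "example.org.hosts"; };
zone "internal" { type master; file "internal.hosts";
        allow-query { 192.168.1.0/24; 192.168.1.1; }; };"""

def strip_comments(text):
    """Drop BIND's //, # and /* */ comments so they cannot hide a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block_body(text, brace_pos):
    """Return the contents of the brace-balanced block opening at brace_pos."""
    depth = 0
    for i in range(brace_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def audit_named_conf(conf, internal_zones=("internal",)):
    """Return findings for the three options and the internal-zone allow-query."""
    text, findings = strip_comments(conf), []
    m = re.search(r"\boptions\s*\{", text)
    opts = block_body(text, m.end() - 1) if m else ""
    if not re.search(r"\ballow-transfer\s*\{(?!\s*any\s*;)", opts):
        findings.append("options: zone transfers not restricted to the secondary")
    if not re.search(r"\ballow-recursion\s*\{(?!\s*any\s*;)", opts):
        findings.append("options: recursion not limited to internal networks")
    if not re.search(r'\bversion\s+"', opts):
        findings.append("options: real BIND version string is exposed")
    for zm in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        name, body = zm.group(1), block_body(text, zm.end() - 1)
        if name in internal_zones and not re.search(r"\ballow-query\s*\{(?!\s*any\s*;)", body):
            findings.append(f'zone "{name}": internal zone answers queries from anywhere')
    return findings
```

Run `audit_named_conf(WEAK_CONF)` to see all four findings; the hardened sample returns an empty list.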



This archive was generated by hypermail 2a24 : Wed Nov 21 2001 - 15:59:36 MST