Re: Securing DNS


Subject: Re: Securing DNS
From: Duane Murphy (duanemurphy@mac.com)
Date: Wed Nov 21 2001 - 18:04:11 MST


--- At Wed, 21 Nov 2001 15:46:40 -0700, Darron Froese wrote:

>On 11/21/01 3:17 PM, "Duane Murphy" <duanemurphy@mac.com> wrote:
>
>> I am concerned about the security of the domain server. I have seen how I
>> can change the access control to the local LAN only, but then I don't
>> respond to domain information for my public domains. I have also noticed
>> that my internal addresses are available to the outside with a request.
>> This is just annoying as they are local addresses and can't be used
>> externally. But it still seems like a risk.
>>
>> Is there some way to secure this DNS server? To allow it to provide access
>> to my public domains as well as my local lookups?
>
>It's actually quite simple.
>
>With Bind 8 you can add a number of options to the named.conf file that add
>various levels of security. Here are some of the ones I've added to a DNS
>server I run:
>
>options {
>
>    // Allow only our secondary name server to get
>    // a full zone transfer.
>    // That way, you can determine who gets a full zone transfer
>    // from your server.
>    allow-transfer {
>        ip.address.of.secondary;
>    };
>
>    // Don't give them the real version number. Let them guess.
>    version "Yeah sure.";
>
>    // Only allow recursion from local networks.
>    // This will allow your internal people to resolve outside names -
>    // but will NOT affect people querying domain names you are hosting.
>    allow-recursion {
>        192.168.1.0/24;
>    };
>
>};
>
>
>Here's a zone that I only want to be available from inside the network:
>
>zone "internal" {
>    type master;
>    file "internal.hosts";
>    allow-query {
>        local.ip.addresses.here;
>        another.local.address.of.firewall;
>    };
>};
>
>There are also other options for securing your DNS server like setting up
>TSIG between hosts and DNSSEC, but these are the simplest and quickest to
>do.
>
>Hope that helps at all.

Thanks Darron, this helped a lot! It gave me some good examples and got me
to look at man named.conf, which spells it all out.

I think this tightened up my server a bit. The goofy part I have now is
my local addresses. I think it's because of the way that I chose to do it.

I chose to put all my local addresses into my external domain name. For
example, abc.com would be the external domain name. I have addresses, for
example www.abc.com, that are external, but I also have addresses for things
like ws1.abc.com for workstation 1. This resolves to a local (192.168.1)
address.

Is there any way to not send these extra addresses out? It seems that if they
are in the same domain they have to be sent out together and resolution
all occurs together.

Thanks for the help again!
..Duane
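As an added example (not from either poster), here is how the goal of this thread, public names such as www.abc.com answered for everyone while the ws1-style 192.168.1.x names are answered only for the LAN, can be done with BIND 9 "view" statements, which the thread does not mention. The zone, file names and the secondary's address are assumptions.

```conf
// Added example, not the thread's own config. Requires BIND 9 (views).
// Zone names, file names and the secondary address are assumptions.

acl "lan"         { 127.0.0.1; 192.168.1.0/24; };
acl "secondaries" { 203.0.113.2; };      // placeholder: your secondary's IP

options {
    directory "/var/named";
    version "Yeah sure.";                // same idea as in the thread
    allow-transfer { "secondaries"; };   // default for every zone below
};

// Views are matched first-to-last, so the LAN view must come first.
// LAN clients get a zone file holding both the public hosts (www)
// and the 192.168.1.x workstations (ws1, ...), plus recursion.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };

    zone "." { type hint; file "named.root"; };

    zone "abc.com" {
        type master;
        file "abc.com.internal";   // may $INCLUDE abc.com.external
        allow-transfer { none; };  // never let the LAN copy leave
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "192.168.1.rev";
    };
};

// Everyone else, including the secondary, sees only the public hosts
// and cannot use this server as an open recursive resolver.
view "external" {
    match-clients { any; };
    recursion no;

    zone "abc.com" {
        type master;
        file "abc.com.external";
        allow-transfer { "secondaries"; };
    };
};
```

The secondary's address must not fall inside the "lan" ACL, or it will match the internal view and pull the LAN version of abc.com; with views in use, every zone (including the root hints) has to live inside a view.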



This archive was generated by hypermail 2a24 : Wed Nov 21 2001 - 18:17:17 MST