One guide that makes hardening DNS easy is the Secure BIND Template published by security researcher Rob Thomas and the team at Cymru. The guide includes a well-structured named.conf for BIND version 9 that does almost everything right: hide version numbers, block unauthorized zone transfers and outside recursive queries, block requests from impossible ("bogon") source IPs, and so on. Running BIND in a chroot jail is also covered if you’re ultra-paranoid.
The template is easy to modify to fit your own DNS situation. In a few minutes you can use it to replace your existing named.conf file and have far greater protection against DNS cache poisoning, denial of service and reconnaissance of internal host names and IP addresses. Highly recommended.
Cymru Secure BIND Template:
http://www.cymru.com/Documents/secure-bind-template.html
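What those settings look like in a BIND 9 named.conf, as an added illustration rather than the Cymru template itself: the ACL names, the "example.com" zone, the directory path and the secondary's address 192.0.2.2 are placeholders, and the bogon ACL is a deliberately trimmed subset.

```conf
// Constructed example of the key named.conf hardening settings; not the
// Cymru template. Zone name, paths and addresses are placeholders.

// Networks allowed to use this server as a recursive resolver.
// "localhost" and "localnets" are BIND built-in ACLs; add your own prefixes.
acl "trusted" {
    localhost;
    localnets;
};

// Source ranges that should never reach us from the Internet. This is a
// subset of Team Cymru's bogon list; 127.0.0.0/8 and the RFC 1918 ranges
// are left out here because the server itself and its LAN use them.
// When you paste the full list, remove any prefix you route internally.
acl "bogon" {
    0.0.0.0/8;
    100.64.0.0/10;
    169.254.0.0/16;
    192.0.0.0/24;
    198.18.0.0/15;
    224.0.0.0/4;
    240.0.0.0/4;
};

options {
    directory "/var/named";

    // Answer version.bind CH TXT probes with a fixed string instead of the
    // real version, so reconnaissance cannot fingerprint the build.
    version "not disclosed";

    // Global default: no zone transfers at all. Individual zones re-enable
    // transfers for their own secondaries only.
    allow-transfer { none; };

    // Recursion only for our own clients; everyone else gets REFUSED.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Bogon-sourced queries are dropped silently: no answer, not even REFUSED.
    blackhole { bogon; };
};

// Authoritative zone (placeholder name and secondary address).
zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-query { any; };
    allow-transfer { 192.0.2.2; };   // the secondary's address only
    allow-update { none; };
};
```

Run `named-checkconf /etc/named.conf` before reloading. Afterwards, three quick checks confirm the settings took effect: `dig @server version.bind CH TXT` should return the placeholder string, an AXFR request for the zone from any address not in the zone's allow-transfer list should fail, and a recursive lookup from an address outside the trusted ACL should come back REFUSED.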
By the way, there are also many other good things at the Cymru web site, including templates for securing Cisco IOS and BGP. They also maintain the "Bogon list", a list of IP ranges that should never be seen on the Internet (there are far more than the widely known RFC 1918 private IP ranges)… very useful as an anti-spoofing blacklist in firewalls and Internet-facing servers.
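The bogon list applied as a firewall anti-spoofing filter, shown here as an added nftables example and not something from the Cymru site: the interface name eth0 is a placeholder, and the prefixes are a subset of the full list for illustration.

```conf
# Constructed nftables ruleset: drop packets whose source address is a bogon,
# applied only on the Internet-facing interface. Interface name is a placeholder.
define wan = "eth0"

table inet antispoof {
    # IPv4 prefixes that must never appear as a source address on the Internet.
    # Subset for illustration; load the full Team Cymru list and strip any
    # range you actually use on your own side (e.g. RFC 1918 on a LAN, or
    # 100.64.0.0/10 behind a carrier-grade NAT), or you drop your own traffic.
    set bogons_v4 {
        type ipv4_addr
        flags interval
        elements = {
            0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
            169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24,
            192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24,
            203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4
        }
    }

    # Filter early (ahead of the normal filter rules) on the WAN side only,
    # both for traffic to the host and for traffic it forwards.
    chain input {
        type filter hook input priority -10; policy accept;
        iifname $wan ip saddr @bogons_v4 counter drop
    }

    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname $wan ip saddr @bogons_v4 counter drop
    }
}
```

Check the syntax with `nft -c -f antispoof.nft` before loading it with `nft -f`. The `counter` keyword is there for visibility: `nft list chain inet antispoof input` shows how many spoofed packets the rule has eaten, which is a cheap indicator of whether someone is sending forged-source traffic at the box.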
Other guides to configuring BIND 9 and DNS in general:
The Center for Internet Security (CIS) Bind Level 1 Benchmark
NIST Secure Domain Name System (DNS) Deployment Guide (PDF)
Tags: DNS, dns security
1 comment:
This content was ripped from http://advosys.ca/viewpoints/2006/08/secure-dns-template/
Without permission.