Securing a DNS Server, Part 1
This week I'll go over some methods to secure a BIND DNS server. As I mentioned last week, these methods all pertain to an authoritative DNS server.
These items are all from the Defense Information Systems Agency (DISA), Information Assurance Support Environment (IASE) Domain Name System Security Checklist, Version 4, Release 1.12, which can be downloaded from here:
http://iase.disa.mil/stigs/a-z.html
DISA has a very large collection of security guides to look over--they can be a great help to anyone wanting to secure their IT systems.
Back to DNS security, here are some common methods DNS administrators use to secure their servers:
1. Do NOT allow the BIND process (named) to run as the root user. For some odd reason, BIND runs as root by default. The reason to avoid this is that if your BIND process is taken over by an intruder, they then have root access to your server. I created a "named" user to run BIND on my servers.
Note that the user for BIND should not have a default shell, to prevent someone from logging into that account.
2. Run BIND in a chroot (change root) environment, or jail. This means placing all the files BIND needs to run in an isolated directory and running BIND with the chroot option. This makes the BIND process "see" the server as existing only in its directory. I had to work with UNIX administrators to get this one done; it can be tricky.
3. File permissions should be restricted to only DNS administrators and the BIND (named) process. This is critical for any keys you have on the system. No files should have permissions allowing anyone beyond the group access to the files in any way. There is a caution to be observed here, however: you must be sure that the BIND "user" has access to the files it needs to run.
4. This one is not a DISA item, but it is a good idea to set up your DNS server in a dedicated zone on the physical server PC. This takes the chroot idea a step further by isolating the DNS server to its own zone.
5. DNS should run on its own dedicated server. Along with this, all processes not needed for BIND should be disabled.
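One way to audit items 1 through 3 on a server, as an added example that is not from the DISA checklist or the original post. The function names, the sample passwd entries and the file names in the constructed tree are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers for items 1-3. All sample data below is constructed.

# Item 1 (note): succeed only if USER's shell in PASSWD_FILE is a no-login shell.
# An unknown user fails the check.
shell_is_nologin() {
    login_shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    case "$login_shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Item 1: read "user command" lines on stdin; succeed if named runs as root.
named_as_root() {
    awk '$2 == "named" && $1 == "root" { found = 1 } END { exit !found }'
}

# Item 3: print files and directories under DIR that grant any access to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Demo on constructed data: a fake passwd file and a fake chroot tree.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'named:x:25:25:BIND:/var/named:/sbin/nologin' > "$tmp/passwd"
    mkdir -p "$tmp/jail/etc"
    : > "$tmp/jail/etc/named.conf"; chmod 640 "$tmp/jail/etc/named.conf"
    : > "$tmp/jail/etc/rndc.key";   chmod 644 "$tmp/jail/etc/rndc.key"
    chmod 750 "$tmp/jail" "$tmp/jail/etc"

    shell_is_nologin named "$tmp/passwd" && echo "OK: named has no login shell"
    printf 'root named\n' | named_as_root && echo "FAIL: named runs as root"
    echo "World-accessible entries:"; world_accessible "$tmp/jail"
    rm -rf "$tmp"
}
demo
```

On a live system the same functions take `/etc/passwd`, the output of `ps -e -o user= -o comm=`, and the path of your own chroot directory.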
So, that will wrap it up for this week. I'm sure there are some items I have overlooked. Take a look at the DISA IASE DNS guide if you are interested in learning more. Next week, we'll look deeper into the DNS server configurations and how to secure a server using the configuration files.