This week, we’ll conclude securing an authoritative BIND server through configuration.
1. It is a definite best practice to keep master and slave servers isolated from each other, both physically and logically (network-wise). Physically, they should be in completely different areas of a building, or better yet, one should be off-site, so that a single disaster will not wipe out all of your servers. Logically, they should be placed on separate network segments so that the failure of one network segment will not take out both servers.
2. The servers should also run some sort of file integrity checking tool. Tripwire is a good example of this. This software can notify you that files on the server have changed.
3. Protect your server with a firewall; don't just leave it outside to fend for itself. Put it in a DMZ with some firewall protection. It can also benefit from ACLs on your organization's border routers.
4. Protect slave servers from false update notifications by using the allow-update section in named.conf. Put the master server IP in this section.
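A slave-side named.conf sketch for item 4, added here as an example and not taken from the original post. The zone name, file paths and the 192.0.2.1 master address are constructed placeholders. In BIND 9 the statement that controls which hosts may send NOTIFY messages to a slave is allow-notify, while allow-update controls dynamic updates, so the sketch sets both.

```conf
// Added example: slave server named.conf fragment.
// 192.0.2.1, example.com and the paths below are constructed placeholders.

acl "dns_masters" {
    192.0.2.1;                       // assumed IP of the master server
};

options {
    directory "/var/named";          // assumed working directory
    allow-update { none; };          // accept no dynamic updates
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";    // assumed zone file location
    masters { 192.0.2.1; };          // the only server this zone is transferred from

    // Weak setting, shown for contrast:
    //   allow-notify { any; };
    // would let any host's NOTIFY make this slave start a refresh check.

    // Corrected: hosts allowed to send NOTIFY in addition to those in "masters".
    allow-notify { dns_masters; };
};
```

Running named-checkconf against the edited file before reloading named catches syntax errors and options placed in a zone type that does not accept them.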
That wraps up this week--next week we'll start looking into DNSSEC.