Securing a DNS Server, Part 2.
This week we'll look at the configuration of a DNS server and the settings that make it more secure. Again, we are looking at an authoritative BIND server, so everything below goes into named.conf.
1. Hide the version of BIND you are running. Anyone can read it with dig or nslookup (a CHAOS-class TXT query for version.bind, e.g. dig @yourserver version.bind txt chaos), and attackers pick their exploits by version. In the options section of named.conf there is a version statement; set the text in the quotes to something like "Not disclosed" or whatever you want. This is obscurity, not protection: patch the server regardless, since the version can still be fingerprinted from its behaviour.
4. Disable recursion on an authoritative DNS server. This is a best practice and a real security measure. An authoritative server answers for the zones it hosts; it should not resolve arbitrary names on behalf of clients. With recursion disabled (recursion no; in the options section) the server builds no cache, so there is nothing to poison, and it cannot be abused as an open resolver in reflection and amplification attacks.
3. Limit zone transfers (and the associated NOTIFY messages) to the primary and its secondaries only, using allow-transfer for the transfers and also-notify together with notify explicit for the notifies. Anyone allowed to transfer the zone gets a complete list of your hosts.
4. Sign zone transfers with shared TSIG (transaction signature) keys. Use an HMAC-SHA-2 algorithm such as hmac-sha256 rather than the older hmac-md5, configure the same key statement on primary and secondary, and require the key in allow-transfer, so that a spoofed source address alone cannot pull the zone. These keys should be changed at least annually.
5. Disable dynamic updates. This prevents unauthorized adding, changing or deleting of zone data. allow-update { none; } is BIND's default, but check that no zone statement overrides it; if a zone genuinely needs dynamic updates, restrict them to a TSIG key with update-policy rather than opening them to an address range.
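Here is a named.conf fragment that applies all five steps, with the weak setting shown as a comment beside each corrected one. This is an added example, not the original post's configuration or anything shipped with BIND; the secondary address 192.0.2.2, the key name xfer-key and the zone example.com are placeholders, and the secret is a placeholder string rather than a real key.

```conf
// Authoritative-only BIND server (added example; placeholder names).

// Step 4: TSIG key shared with the secondary. Generate it with
//   tsig-keygen -a hmac-sha256 xfer-key
// and put the identical key statement in the secondary's named.conf.
key "xfer-key" {
    algorithm hmac-sha256;                   // not hmac-md5
    secret "REPLACE-WITH-tsig-keygen-OUTPUT"; // placeholder, not a real key
};

// Sign everything we send to the secondary (NOTIFYs) with the key.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

options {
    directory "/var/named";

    // Step 1: version string.
    // version "9.18.24";            <- weak: whatever CHAOS version.bind returns by default
    version "Not disclosed";

    // Step 2: no recursion on an authoritative server.
    // recursion yes;                <- weak (and the default): open resolver
    recursion no;
    allow-query { any; };            // the zone data is public; recursion is not

    // Step 3: transfers and notifies only to the known secondary.
    // allow-transfer { any; };      <- weak: anyone can AXFR the whole zone
    allow-transfer { key "xfer-key"; };  // only requests signed with the TSIG key
    also-notify { 192.0.2.2; };
    notify explicit;                 // notify only the servers listed above

    // Step 5: no dynamic updates.
    // allow-update { any; };        <- weak: anyone can rewrite the zone
    allow-update { none; };          // BIND's default, stated explicitly
};

zone "example.com" {
    type primary;                    // "master" on BIND older than 9.16
    file "example.com.zone";
    // Zone statements override options; repeat the restrictive ones here
    // so a later edit to the global options cannot silently loosen this zone.
    allow-transfer { key "xfer-key"; };
    allow-update { none; };
};
```

Check the syntax with named-checkconf before reloading, then verify from a host that is not the secondary: dig @yourserver version.bind txt chaos should return "Not disclosed", a query for a name you are not authoritative for should come back REFUSED rather than answered, and dig @yourserver example.com axfr should fail with "Transfer failed". Repeat the AXFR from the secondary, where it must succeed.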
For more details on these and other actions, please refer to the NIST Secure DNS Deployment Guide linked from the 2nd week (3 September) post.
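If you look after more than one server, it helps to check the five settings mechanically rather than by eye. The script below is an added example (not from the original post and not part of BIND): a minimal parser for named.conf's brace-and-semicolon syntax plus an audit that reports a finding for each step that is not applied. The two embedded configurations are constructed samples; the key secrets in them are placeholder strings.

```python
"""Audit a named.conf for the five hardening steps (added example)."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
STRONG_TSIG = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}

# Constructed sample: a server left at BIND's defaults plus an md5 key.
WEAK_CONF = """
key "xfer-key" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXI="; };  # placeholder secret
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
    allow-update { any; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""

# Constructed sample: the same server with steps 1-5 applied.
HARDENED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };  // placeholder secret
options {
    directory "/var/named";
    version "Not disclosed";
    recursion no;
    allow-transfer { key "xfer-key"; };
    notify explicit;
    also-notify { 192.0.2.2; };
    allow-update { none; };
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };
    allow-update { none; };
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments, all of which BIND accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse(text):
    """Return a list of (head_tokens, body); body is a nested list for a
    brace block and None for a plain statement. Quotes are stripped."""
    tokens = TOKEN_RE.findall(strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts, head = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                stmts.append((head, block()))
                head = []
            elif tok == ";":
                if head:
                    stmts.append((head, None))
                head = []
            elif tok == "}":
                break
            else:
                head.append(tok.strip('"'))
        return stmts

    return block()


def find(stmts, name):
    """All statements in a block whose first token is `name`."""
    return [(h, b) for h, b in stmts if h and h[0] == name]


def match_list(body):
    """Elements of an address match list as strings, e.g. 'any', 'key xfer-key'."""
    return [" ".join(h) for h, _ in body]


def audit(text):
    """Return a list of findings; an empty list means all five checks pass."""
    findings = []
    conf = parse(text)
    # Step 4: every TSIG key must use a SHA-2 HMAC, not hmac-md5 or hmac-sha1.
    for head, body in find(conf, "key"):
        alg = find(body, "algorithm")
        if not alg or alg[0][0][1].lower() not in STRONG_TSIG:
            findings.append(f"key {head[1]}: weak or missing TSIG algorithm")
    opts = find(conf, "options")
    options = opts[0][1] if opts else []
    # Step 1: a version statement must override the real version string.
    if not find(options, "version"):
        findings.append("options: version not set; CHAOS version.bind reveals the real version")
    # Step 2: recursion must be off (BIND's default is yes).
    rec = find(options, "recursion")
    if not rec or rec[0][0][1:] != ["no"]:
        findings.append("options: recursion not disabled (default is yes)")
    # Steps 3-5 are checked globally and per zone, since zone statements override options.
    scopes = [("options", options)] + [(" ".join(h), b) for h, b in find(conf, "zone")]
    for name, body in scopes:
        xfer = find(body, "allow-transfer")
        if name == "options" and not xfer:
            findings.append("options: allow-transfer not set (BIND has historically defaulted to any)")
        elif xfer:
            elems = match_list(xfer[0][1])
            if "any" in elems:
                findings.append(f"{name}: allow-transfer permits any host")
            elif not any(e.startswith("key ") for e in elems):
                findings.append(f"{name}: allow-transfer not restricted to a TSIG key")
        upd = find(body, "allow-update")
        if upd and match_list(upd[0][1]) != ["none"]:
            findings.append(f"{name}: allow-update permits dynamic updates")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it against your own file with audit(open("/etc/named.conf").read()). The parser deliberately ignores include statements, views and the rest of BIND's grammar, so it is a first-pass check and not a substitute for named-checkconf or for reading the configuration.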
That wraps it up for this week. Next week I plan to finish off securing the server through configuration before we boldly dive into DNSSEC!