Protecting bind from DNS cache poisoning!!!
Shiva Raman
raman.shivag at gmail.com
Mon Aug 9 11:44:20 UTC 2010
Hi,

Thanks for your valuable suggestions.
>Run an up-to-date version of bind. Be fanatical about applying security
>patches promptly.
Yes, I am running the latest version, Bind-9.7.1-P2.
>Don't allow recursion /at all/ for queries from the general public to
>your authoritative servers, nor permit authoritative servers to send
>additional data from cache.
I am running separate caching and authoritative servers. As suggested
by you, I have disabled recursion for the authoritative servers.
>Permit only your trusted clients to make recursive queries through your
>recursive servers.
Yes, on the caching servers, I have only enabled recursion for our trusted
clients.
>If you have sufficient DNS traffic to warrant it, it is very good to run
>completely separate instances of bind as authoritative and recursive
>servers -- use of virtualization techniques like FreeBSD jails can help
>reduce hardware costs.
Yes, I am running separate instances of authoritative and recursive servers.
>Allow bind to use as wide a range of port numbers as possible for UDP
>traffic.
Yes, this is allowed in the firewall.
> Make sure your firewalls don't do daft things like forcing any DNS
>traffic to come from a limited range of source ports, or blocking large
>UDP packets or EDNS. Allow DNS queries over TCP as well as UDP.
Yes, in the firewall, both TCP and UDP DNS queries are allowed.
> Implement DNSSEC.
I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/
After modifying named.conf for the recursive server, I restarted named.
Now named is working with DNSSEC enabled, but I am not able to verify the
same.
Kindly let me know how we can verify that DNSSEC is enabled and running,
from the logs.
Thanks in advance.
Shiva Raman
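One way to confirm that a recursive server is actually validating, as an added example that is not part of the original thread or of BIND itself: look at the resolver's own answers with dig (shipped with BIND) rather than the logs. A validating resolver sets the "ad" flag on answers from a correctly signed zone and returns SERVFAIL for a zone whose signatures are broken. RESOLVER, the two zone names and the sample dig outputs below are assumptions; adjust them for your setup.

```shell
#!/bin/sh
# Added example, not from the thread: check that a BIND recursive server is
# really validating DNSSEC, not merely running with dnssec-enable set.
# Two observable signs from the resolver's own answers (dig ships with BIND):
#   1. a query for a signed zone carries the "ad" (authenticated data) flag;
#   2. a query for a zone whose signatures are broken ends in SERVFAIL.
# RESOLVER and the zone names are assumptions; adjust them for your setup.

RESOLVER="${RESOLVER:-127.0.0.1}"
SIGNED_ZONE="${SIGNED_ZONE:-isc.org}"
BROKEN_ZONE="${BROKEN_ZONE:-dnssec-failed.org}"   # public deliberately-broken test zone

# Print the header flag list from dig output on stdin, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Classify dig output on stdin: "servfail", "validated" (AD flag set) or
# "insecure" (answered, but the resolver did not vouch for the data).
classify_answer() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'status: SERVFAIL'; then
        echo servfail
    elif printf '%s\n' "$text" | dig_flags | tr ' ' '\n' | grep -qx ad; then
        echo validated
    else
        echo insecure
    fi
}

# Live check against $RESOLVER. Returns 0 only when both signs are present.
check_resolver() {
    signed=$(dig @"$RESOLVER" +dnssec "$SIGNED_ZONE" SOA | classify_answer)
    broken=$(dig @"$RESOLVER" +dnssec "$BROKEN_ZONE" A | classify_answer)
    echo "signed zone: $signed, broken zone: $broken"
    [ "$signed" = validated ] && [ "$broken" = servfail ]
}

# Constructed sample outputs (not real captures) so the parser can be
# exercised without a resolver: validating, non-validating and failing answers.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

case "${DNSSEC_LIVE:-0}" in 1) check_resolver ;; esac
```

Run it as `DNSSEC_LIVE=1 RESOLVER=<your caching server> sh check-dnssec.sh`; if the signed zone comes back "insecure", the resolver is answering but not validating, which usually means dnssec-validation is off or no trust anchor is configured.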