DNS Newbie - security question

Roy Arends Roy.Arends at nominum.com
Fri Aug 24 21:43:55 UTC 2001


On Fri, 24 Aug 2001, Eoin Miller wrote:

> OK, I've got DNS up and running, I'm using BIND 9.1.1, it is set up to
> only allow zone transfers to NS2 which is also running the same
> version of BIND, both boxes are running OpenSSH 2.5.2p2, SSH is not
> accessible to the outside world due to firewall rules, only ports open
> are 53 and 22 to the LAN and only 53 to the outside world. Are there
> any other security measures I should be taking (other than keeping up
> with releases and patches), such as ways to combat common DoS attacks
> etc.?

If you want to set this up as a hidden master (and not a recursive
server), make sure no one is allowed to query the machine except for the
slaves (simply use the blackhole statement), and set recursion to "no".
Also you might want to run it chrooted.  You could also use TSIG to
protect the integrity of the zone transfers and authorise the slaves. Most
importantly, run BIND 9.1.3.

Regards,

Roy Arends
Nominum
-------------
0-14-023750-X dcrpt ths 43.0D.01 01.05.0C 84.18.03 8A.13.04 2D.0B.0A
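The hidden-master setup Roy describes, written out as an added example that is not part of the original thread: a POSIX shell script that generates a fresh TSIG secret and prints a named.conf fragment for the hidden master (recursion off, everything but the slave blackholed, transfers only with the key) and one for the public slave. The addresses (192.0.2.1 and 192.0.2.2), the zone name example.com and the key name ns2-xfer-key are assumptions for illustration. The key uses hmac-sha256, which current BIND releases support; BIND 9.1 only offered hmac-md5, so on a server that old the algorithm line would have to say hmac-md5.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits named.conf fragments
# for a hidden master and its slave with TSIG-authenticated zone transfers.
set -eu

MASTER_IP="192.0.2.1"    # assumed hidden master address (RFC 5737 doc range)
SLAVE_IP="192.0.2.2"     # assumed public slave (NS2) address
ZONE="example.com"       # assumed zone name
KEY_NAME="ns2-xfer-key"  # assumed TSIG key name; must be identical on both ends

# 256-bit random secret, base64 encoded as the "secret" clause expects.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Hidden master: no recursion, answers only the slave, transfers only when
# the request is signed with the shared key. NOTIFY is sent only to the slave.
master_conf() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;   # BIND 9.1 only knew hmac-md5
    secret "$1";
};

options {
    recursion no;
    allow-query { none; };                 # default for every zone
    blackhole { !$SLAVE_IP; any; };        # drop DNS packets from anyone else
    allow-transfer { key "$KEY_NAME"; };   # unsigned AXFR/IXFR is refused
    notify explicit;
    also-notify { $SLAVE_IP; };
};

zone "$ZONE" {
    type master;
    file "$ZONE.zone";
    allow-query { $SLAVE_IP; };            # override for the slave only
};
EOF
}

# Public slave: same key, signs its transfer requests to the master,
# serves the zone to the world but never hands out transfers itself.
slave_conf() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "$1";
};

options {
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};

zone "$ZONE" {
    type slave;
    masters { $MASTER_IP key "$KEY_NAME"; };
    file "$ZONE.slave";
};
EOF
}

# Syntax-check a fragment if BIND's checker is installed; a no-op otherwise.
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    fi
}

SECRET=$(gen_tsig_secret)
echo "### named.conf fragment for the hidden master ($MASTER_IP)"
master_conf "$SECRET"
echo
echo "### named.conf fragment for the slave ($SLAVE_IP)"
slave_conf "$SECRET"
```

Both fragments must carry the same secret, so paste the output of one run into both servers rather than running the script twice. The blackhole list in the master fragment is deliberately aggressive; if the hidden master is also queried by a monitoring host, add its address with a leading `!` before the `any`.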