How to secure DNS...

Justin Scott lists at darktech.org
Sat Mar 2 04:14:35 UTC 2002


That is sort of how it works, but you're missing one step.  Once the other
DNS servers ask the root servers who is authoritative, those resolvers will
contact your DNS server directly looking for authoritative answers to their
queries, so you must leave 53 open for TCP/UDP traffic if you want to run a
public DNS server.  For security, firewall everything else, restrict who can
use the server for recursive lookups, restrict who has access to perform
zone transfers, and make sure you're running the latest version possible.

Your only other option would be to have someone else handle your DNS
hosting.  A quick search on Google will reveal numerous outsourced DNS
providers.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com


----- Original Message -----
From: "Christopher Corn" <christopher_corn at yahoo.com>
Newsgroups: comp.protocols.dns.bind
To: <comp-protocols-dns-bind at isc.org>
Sent: Friday, March 01, 2002 9:33 PM
Subject: How to secure DNS...


>
> Just set up my Bind server on my Solaris 2.8 box, version 8.X.  This
> system is also going to be the DNS server for my zone, out on the
> internet.  Doing so makes my system accessible to the world.  I'm not
> too familiar with DNS, so my question is, can you secure the number of
> servers that have access to my system?  Can you restrict access to only
> root servers, without blocking out the rest of the world?  My
> understanding of DNS is that, when a zone's DNS server cannot resolve,
> it's then resolved through the root servers.  Therefore in theory I
> should be able to block out everyone but root servers.  Is this
> correct?
>
> Thanks in advance,
> Chris
>
>
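The restrictions Justin lists (answer anyone on port 53, but limit recursion and zone transfers to your own hosts) map onto a few BIND `named.conf` statements. The fragment below is an added example, not configuration from either poster; the ACL names, the `192.0.2.0/24` / `198.51.100.x` addresses and the zone name are placeholders, and the `allow-recursion` option assumes a BIND 8.2 or later release.

```conf
// Added example (not from the original thread): a minimal named.conf that keeps
// the server reachable for authoritative answers while closing the two common
// abuse paths, open recursion and unrestricted zone transfers.

acl "internal"    { 192.0.2.0/24; 127.0.0.1; };     // placeholder: our own hosts
acl "secondaries" { 198.51.100.5; 198.51.100.6; };  // placeholder: our slave servers

options {
    directory "/var/named";

    // Port 53 TCP and UDP stay open: any resolver on the Internet may ask
    // for the zones this server is authoritative for.
    allow-query { any; };

    // Recursive lookups only for our own network, so outsiders cannot use
    // this box as an open resolver.
    allow-recursion { "internal"; };

    // Default for every zone: transfers only to our listed secondaries.
    allow-transfer { "secondaries"; };
};

// Log approvals and denials (the "security" category) to syslog so refused
// recursion and transfer attempts are visible to whoever watches the logs.
logging {
    channel security_log { syslog daemon; severity info; };
    category security { security_log; };
};

zone "example.com" {            // placeholder zone name
    type master;
    file "db.example.com";
    allow-transfer { "secondaries"; };   // per-zone override of the default
};
```

After reloading, check the policy from a host outside the "internal" ACL: an authoritative query for the zone (`dig @your-server example.com SOA`) should still be answered, a recursive query for a foreign name should come back REFUSED or without the recursion-available flag, and `dig @your-server example.com AXFR` should be refused and show up in the security log. Pair this with the host firewall Justin mentions: permit only 53/tcp and 53/udp inbound to the DNS daemon and block everything else.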


