Protecting bind from DNS cache poisoning!!!

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Aug 8 11:39:01 UTC 2010


On 08/08/2010 11:29:52, Shiva Raman wrote:

> I am running Bind caching and bind authoritative servers with current
> 9.7 version. I would like to know the steps to be followed to protect
> bind from DNS Cache poisoning. The bind DNS server is running behind
> the firewall which allows only DNS queries.

Run an up-to-date version of bind.  Be fanatical about applying security
patches promptly.

Don't allow recursion /at all/ for queries from the general public to
your authoritative servers, nor permit authoritative servers to send
additional data from cache.

Permit only your trusted clients to make recursive queries through your
recursive servers.

If you have sufficient DNS traffic to warrant it, it is very good to run
completely separate instances of bind as authoritative and recursive
servers -- use of virtualization techniques like FreeBSD jails can help
reduce hardware costs.

Otherwise, make use of the views feature to control who may or may not
perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP
traffic.

Make sure your firewalls don't do daft things like forcing any DNS
traffic to come from a limited range of source ports, or blocking large
UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
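As an added illustration (not Matthew's configuration, and not a file from this thread), here is a named.conf fragment for a single BIND 9.7 instance that applies the advice above with views: trusted clients get recursion and cached data, everyone else gets authoritative answers only, the UDP source port range is left wide, and validation is switched on. The ACL ranges, zone name and file paths are placeholders.

```conf
// Added example, not from the thread: one BIND 9.7 instance serving
// both roles via views. Address ranges, zone name and paths are placeholders.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // clients allowed to recurse

options {
    directory "/var/named";                   // placeholder path
    // Weak setting to avoid: "query-source port 53;" pins every query to
    // one source port. Leave the port wildcarded so named randomises it.
    query-source address * port *;
    use-v4-udp-ports { range 1024 65535; };   // as wide a range as possible
    use-v6-udp-ports { range 1024 65535; };
    // Global default: no recursion and no cache access unless a view allows it.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    // Authoritative answers must not carry additional data taken from cache.
    additional-from-cache no;
    additional-from-auth no;
    dnssec-enable yes;
    dnssec-validation yes;   // trust anchors must be configured separately
};

// Recursive resolver for trusted clients only.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    zone "." { type hint; file "named.root"; };   // placeholder hint file
};

// Authoritative service for everyone else: answers from zone data only.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    zone "example.com" {                          // placeholder zone
        type master;
        file "example.com.zone";
    };
};
```

The firewall in front of this host must then pass UDP and TCP port 53 without rewriting the source ports chosen from the range above, and without dropping EDNS or large UDP replies, otherwise the port randomisation is undone outside named.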
