Protecting bind from DNS cache poisoning!!!

Shiva Raman raman.shivag at gmail.com
Mon Aug 9 11:44:20 UTC 2010


Hi,
Thanks for your valuable suggestions.

>Run an up-to-date version of bind.  Be fanatical about applying security
>patches promptly.

Yes, I am running the latest version, BIND 9.7.1-P2.

>Don't allow recursion /at all/ for queries from the general public to
>your authoritative servers, nor permit authoritative servers to send
>additional data from cache.

I am running separate caching and authoritative servers. As you
suggested, I have disabled recursion on the authoritative servers.


>Permit only your trusted clients to make recursive queries through your
>recursive servers.

Yes, on the caching servers I have enabled recursion only for our trusted
clients.


>If you have sufficient DNS traffic to warrant it, it is very good to run
>completely separate instances of bind as authoritative and recursive
>servers -- use of virtualization techniques like FreeBSD jails can help
>reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.


>Allow bind to use as wide a range of port numbers as possible for UDP
>traffic.

Yes, this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS
>traffic to come from a limited range of source ports, or blocking large
>UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

>  Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named.

Now named is working with DNSSEC enabled, but I am not able to verify
this.

Kindly let me know how we can verify, from the logs, that DNSSEC is
enabled and running.

Thanks in advance.

Shiva Raman
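The check the message above asks for, as an added example that is not part of the original post or of ISC's BIND. A resolver that really validates does two visible things: it sets the "ad" (authenticated data) flag on answers it verified, and it answers SERVFAIL for a zone whose signatures are bogus. The script below parses the header that dig(1) prints, classifies a reply as secure, insecure or bogus, and wraps the three live queries you would run against your caching server. The resolver address 127.0.0.1, the choice of isc.org as a signed zone and dnssec-failed.org as a deliberately broken one, and the three sample dig headers embedded in the script are all assumptions and constructed input, not anything from the original thread.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): verify that a BIND
# recursive server is actually validating DNSSEC by looking at what dig(1)
# reports, rather than only at named.conf. The functions parse dig's header:
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

# rcode_of: read dig output on stdin, print the RCODE (NOERROR, SERVFAIL, ...).
rcode_of() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# has_ad_flag: read dig output on stdin, exit 0 if the flags line carries "ad".
# The leading space keeps "ad" from matching inside another flag name.
has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# classify_reply: read one dig reply on stdin, print "secure", "insecure" or
# "bogus". SERVFAIL is what a validating resolver returns for a broken chain;
# NOERROR with "ad" means validated; NOERROR without "ad" means the name is
# unsigned (or the resolver is not validating at all, which is the case the
# original question is trying to rule out).
classify_reply() {
    reply=$(cat)
    rcode=$(printf '%s\n' "$reply" | rcode_of)
    if [ "$rcode" = "SERVFAIL" ]; then
        echo bogus
    elif printf '%s\n' "$reply" | has_ad_flag; then
        echo secure
    else
        echo insecure
    fi
}

# verify_resolver RESOLVER: the three live checks against a real server.
# Needs network access, so the offline demo below does not call it.
# Assumptions: isc.org is a signed zone and dnssec-failed.org is still the
# deliberately broken test zone; +dnssec sets the DO bit so the resolver
# returns RRSIGs and the ad flag.
verify_resolver() {
    r=$1
    echo "signed zone:     $(dig @"$r" +dnssec isc.org A | classify_reply)  (expect secure)"
    echo "broken zone:     $(dig @"$r" +dnssec dnssec-failed.org A | classify_reply)  (expect bogus)"
    # +cd (checking disabled) tells the resolver to hand back the bogus answer
    # anyway: if this line is NOERROR while the one above was SERVFAIL, the
    # SERVFAIL came from validation and not from an unrelated failure.
    echo "broken zone +cd: $(dig @"$r" +dnssec +cd dnssec-failed.org A | rcode_of)  (expect NOERROR)"
}

# Constructed sample dig output (headers only; answer sections omitted).
SECURE_REPLY='; <<>> DiG 9.7.1-P2 <<>> @127.0.0.1 +dnssec isc.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

INSECURE_REPLY='; <<>> DiG 9.7.1-P2 <<>> @127.0.0.1 +dnssec unsigned.example A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

BOGUS_REPLY='; <<>> DiG 9.7.1-P2 <<>> @127.0.0.1 +dnssec dnssec-failed.org A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demo over the constructed replies. Run "verify_resolver 127.0.0.1"
# (or your caching server's address) from a shell for the real thing.
printf 'SECURE_REPLY   -> %s\n' "$(printf '%s\n' "$SECURE_REPLY"   | classify_reply)"
printf 'INSECURE_REPLY -> %s\n' "$(printf '%s\n' "$INSECURE_REPLY" | classify_reply)"
printf 'BOGUS_REPLY    -> %s\n' "$(printf '%s\n' "$BOGUS_REPLY"    | classify_reply)"
```

The dig check is the one to trust. A resolver can carry `dnssec-enable yes; dnssec-validation yes;` in named.conf and still validate nothing if no trust anchor is configured, and the `ad` flag plus the SERVFAIL/`+cd` pair is what a client can actually observe. If you also want evidence in the logs, give the `dnssec` logging category its own channel at a debug severity in the `logging` block; named then records the validations it performs, but that is confirmation of the same thing dig already showed, not a substitute for it.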