UsMan's WoRkSpAce

Wednesday, May 03, 2006

securing BIND DNS

TSIG (transaction signatures) builds on a one-way hash function: each bit of the hash value depends on every bit of the input, so changing a single input bit changes the hash dramatically. TSIG uses HMAC-MD5, a keyed variant of MD5 whose 128-bit hash depends on both the input and a secret key shared by the two parties. The dnssec-keygen command can be used to generate the key; a key of your own choosing can be base64-encoded with the mmencode command. TSIG works for queries, responses, zone transfers and updates between DNS servers and resolvers.
The allow-query sub-statement, usable both globally and within a zone, implements IP-based access control.
The allow-transfer directive restricts zone transfers to legitimate slaves. It too can be used either as a global or as a zone sub-statement, and it can take a key option so that only TSIG-signed zone transfer requests are honoured.
The BIND version can be hidden with the 'version' sub-statement within the 'options' directive.
BIND can be run as an unprivileged user and group and can also chroot to a particular directory; the chroot directory must, however, be populated with all requisite files before BIND is started.
Recursion can be turned off with allow-recursion or the 'recursion no' sub-statement. This prevents the most common DNS attack, cache poisoning, in which a DNS server is forced to recursively resolve a zone under the control of an attacker's DNS server.
fetch-glue can be turned off so that the DNS server doesn't try to resolve the domain name servers listed in NS records.
The use-id-pool sub-statement forces a DNS server to use random message IDs in its queries; otherwise an attacker's DNS server can spoof a response by guessing the message IDs.
The allow-recursion and allow-transfer sub-statements can be used together on a server that acts both as a delegated (authoritative) and as a resolving name server.
The query-source address global statement allows the source address and port of outgoing queries to be changed.
The forwarders and 'forward only' statements configure DNS to send all non-authoritative queries to another DNS server. BIND chooses one of the forwarders based on round-trip time. Servers used as forwarders must be set up as recursive/resolving name servers. Use 'forwarders {}' to disable forwarding within a zone.
Internal root name servers can be set up for internal name servers that are not connected to the Internet. Internal root name servers can be non-recursive, since other DNS servers will only send them iterative queries.
DNS security extensions (DNSSEC) are a more complex method of securing DNS transactions.
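The directives discussed above, pulled together into one BIND 9 named.conf (an added example, not from the original post): the comments mark the weak setting each line replaces. Network ranges, the key name "xfer-key", the secret and all addresses are constructed placeholders.

```conf
// Added example: hardened BIND 9 named.conf using the directives above.
// All addresses, the key name and the secret are constructed placeholders.

acl "internal"    { 192.168.0.0/16; localhost; };   // our clients
acl "secondaries" { 192.168.1.53; };                // legitimate slave

// TSIG key. Generate the secret with
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer-key
// (or tsig-keygen on newer BIND 9); the value below is a placeholder.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

// Require the slave to sign everything it sends us with the key.
server 192.168.1.53 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    version "not disclosed";         // weak: omitted, version string leaks
    allow-query     { internal; };   // weak: { any; }
    allow-recursion { internal; };   // weak: recursion for the whole Internet
    allow-transfer  { none; };       // global default; zones opt in below
    // Fix the source address only; leave the port random so that IDs
    // and ports stay unpredictable. (use-id-pool and fetch-glue are
    // BIND 8 options; BIND 9 always randomizes IDs and never fetches glue.)
    query-source address 192.168.1.1;
    // Send all non-authoritative queries to the internal resolver,
    // which must itself be recursive.
    forward only;
    forwarders { 192.168.2.53; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only TSIG-signed requests from the slave may transfer the zone.
    allow-transfer { key "xfer-key"; };
};

// Exception: resolve this subtree ourselves instead of forwarding it.
zone "partner.example" {
    type forward;
    forwarders {};
};
```

Reload with `rndc reconfig` after checking the file with `named-checkconf`; the slave needs the same key statement and a matching server clause pointing back at this master.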
