Posted by mixmox, 03-25-2009, 06:17 PM | Hello.
I have a question about the security of our DNS server.
How can we do it?
|
Posted by michaelpoulsen, 03-25-2009, 06:50 PM | Disable DNS recursion. Process varies depending on which vendor you use.
|
Posted by squirrelhost, 03-25-2009, 06:52 PM | http://easyhacking.blogspot.com/2007/04/dns-abuse.html
Also, it seems Bind has more vulnerabilities than the rest. If you use it,
then upgrade to the latest Bind 9 version as well.
I see not even Yahoo have done this! Sloppy.
|
Posted by mixmox, 03-25-2009, 07:03 PM | Thanks for your reply.
What about this topic:
http://corpocrat.com/2009/02/21/how-...ur-dns-server/
I need some information from someone who has done it and knows whether it's good or not.
|
Posted by squirrelhost, 03-25-2009, 07:13 PM | Of course it's all good.
All they're doing is editing a file, adding some text, then restarting Bind. I suspect this was intended for cPanel users, as it mentions /etc/nameserverips, and the ACLs are to transfer zones to/from your other cPanel server if you have one.
If you have one server, just put
allow-transfer { none; };
allow-recursion { none; };
recursion no;
in the options list at the top of named.conf
|
Posted by mwatkins, 03-25-2009, 08:39 PM | If you run any sort of command line or server process which needs to make DNS queries, AND your server is referenced as the first or only resource in /etc/resolv.conf (i.e. 127.0.0.1) then you really do want to enable recursion.
You just don't want to enable recursion for the outside world. ACLs aren't just for enabling transfers - handily you can use them to decide who can recurse and who can't.
or
where 12.34.56.78;12.34.56.79; are IP addresses on your server. And change allow-recursion from "none" to:
What's a common and valid reason to have a local caching *recursive* name server? You run a local mail server and have packages such as policy daemons or spam attachments which do DNS lookups as part of their magic. In this case you want a fast local cache, if you are getting any sort of mail traffic at all.
Curses!
|
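As an added example (not code from the thread or from BIND), here is a small Python check that parses the named.conf statements the two posts above discuss and flags the weak settings: recursion not limited by an ACL, and zone transfers left open. The two sample configs and the 12.34.56.78/12.34.56.79 addresses are constructed to mirror squirrelhost's and mwatkins's advice.

```python
import re

# Constructed sample named.conf fragments (not from the thread): an open resolver beside the restricted form mwatkins describes.
OPEN_CONFIG = """
options {
    recursion yes;
    allow-transfer { any; };
};
"""

HARDENED_CONFIG = """
acl "trusted" { 127.0.0.1; 12.34.56.78; 12.34.56.79; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-transfer { none; };
};
"""

def _members(body):
    return [m.strip() for m in body.split(';') if m.strip()]

def parse_named_conf(text):
    """Return (acls, options); only acl statements, allow-* lists and 'recursion' are parsed (no comment handling)."""
    acls = {}
    for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*{(.*?)};', text, re.S):
        acls[name] = _members(body)
    options = {}
    block = re.search(r'options\s*{(.*)};', text, re.S)
    if block:
        for key, body in re.findall(r'(allow-[\w-]+)\s*{(.*?)};', block.group(1)):
            options[key] = _members(body)
        m = re.search(r'(?<![-\w])recursion\s+(yes|no)\s*;', block.group(1))
        options['recursion'] = m.group(1) if m else 'yes'  # BIND's default when unset
    return acls, options

def audit(text):
    """List the weak settings the thread warns about; empty means recursion is ACL-limited and AXFR is not open."""
    acls, opts = parse_named_conf(text)
    findings = []
    for key in ('allow-recursion', 'allow-transfer'):
        if key == 'allow-recursion' and opts.get('recursion', 'yes') == 'no':
            continue  # recursion switched off entirely: the ACL is irrelevant
        members = opts.get(key, ['any'])  # a missing list is treated as open (conservative; newer BIND defaults are stricter)
        expanded = [x for mbr in members for x in acls.get(mbr, [mbr])]  # flatten one level of ACL references
        if 'any' in expanded:
            findings.append(f'{key} is missing or "any": open to the world')
    return findings
```

Running audit() over a real named.conf gives an empty list only when recursion is off or restricted to a named ACL and allow-transfer lists no "any".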
Posted by dotHostel, 03-25-2009, 08:46 PM | If you run a single DNS, block incoming traffic to TCP port 53, otherwise allow TCP/53 incoming requests only from authorized secondary servers.
|
Posted by Eric - Zoidial, 03-25-2009, 09:55 PM | You may also want to set up bogon IP space filtering.
cymru.com has a good filter set, and a BIND config template here: http://www.cymru.com/Documents/secur...-template.html
|
Posted by Tyl3r, 03-25-2009, 10:13 PM | You might want to use something other than bind, perhaps powerdns. It doesn't have some of the exploits bind has been involved in as of the past few years.
|