How to Secure your DNS Server

To secure your dns server all you need to do is just add the following lines to your /etc/named.conf file.

1. First you should know the 2 Ips of your dns server. Just open /etc/nameserverips and there you will get the 2 dns ips.

tail /etc/nameserverips

2. Open /etc/named.conf

Look for options { line and above it add these lines

acl “trusted” {
x.x.x.x;
y.y.y.y;
};

where x and y are your 2 dns ips in step (1).

3. Look for line

// query-source address * port 53;

below it , insert the following lines.

version “Bind”;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This will disable dns recursion (preventing your server to be open dns server), prevent zone transfers and notification all restricted to your DNS only and not to outside queries. The version will hide the bind version.

4. Prevent DNS Spoofing

If you are running bind 8.x or prior versions, then there is a possibility that your dns server is left unprotected from forged IPs. To prevent this from happening, add this one line in your options

Options {
use-id-pool yes;
}

Once all is complete, restart the named.

service named restart

For more added security, refer to this secure bind template

4. Once everything is done, you will need to check your dns server with online tools like dnsstuff for vulnerabilities.

http://www.pingability.com (free)
http://www.pweb.cz/en/dns-test/ (free)
http://www.intodns.com/ (free)
http://dnsstuff.com (paid)

Testing DNS server with Dig Commands

Dig command to test open dns server

dig @server http://www.example.com

If the server responds resolving the example.com and answers it with IP address, then it is open dns server and it responds to recursive dns queries. Remember this command should only be issued from a shell outside the network or perhaps from another different server.

Dig command to do Zone Transfer

dig domain.com axfr

If you are able to download zone records, then you must disable zone transfer.

Dig command to get version of Bind

Dont show the bind version and if you havent upgraded, it could be subjected to attacks.

dig @server -c CH -t txt version.bind

Advertisements
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: