
Hardening DNS with the Cymru Secure BIND template

August 15th, 2006 Posted by D Webber

When we go into a new client's site, one of the first things we look at is the configuration of the local DNS servers. DNS underpins the security of the entire organization, yet what we usually find are name servers wide open to attack.

The most common issues are an ancient, unpatched version of BIND; recursive queries and zone transfers allowed from the entire Internet; and internal host names exposed in zones that anyone can query or transfer. Too often the server operating system hasn't been hardened either, but that's another story.

The health of the domain name service is vital to the security of users and of almost every component in the network infrastructure. DNS is a common target of cache poisoning, in which forged answers are fed to a recursive server so that every client behind it is sent to a hostile address, and of other so-called "pharming" techniques that redirect DNS queries to hostile destinations. Though DNS is critical, we rarely encounter system administrators who really understand how DNS works and how to lock down name servers. DNS, it seems, is yet another security blind spot.

One guide that makes hardening DNS easy is the Secure BIND Template published by security researcher Rob Thomas and Team Cymru. The guide includes a well structured named.conf for BIND version 9 that does almost everything right: it hides the version string, blocks unauthorized zone transfers and recursive queries from outside, drops requests from impossible ("bogon") source addresses, and so on. Running BIND in a chroot jail is also covered; it is worth doing, since it limits what a compromised named process can reach on the host.

The template is easy to modify to fit your own DNS situation. In a few minutes you can use it to replace your existing named.conf file and have far better protection against cache poisoning (recursion is refused for untrusted sources, so outsiders cannot drive your server's cache), denial of service, and reconnaissance of internal host names and IP addresses (zone transfers are refused except to your own secondaries). Highly recommended.
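To make the settings above concrete, here is a minimal named.conf in the same spirit. It is an example added for this article, not the Cymru template itself, and it is deliberately smaller than the template. The networks and host addresses are placeholders chosen for this example (192.168.0.0/16 as the internal network, 198.51.100.53 as a secondary), and the bogon ACL is only an illustrative subset; each weak setting is noted in a comment next to the hardened one that replaces it.

```conf
// Added example: a hardened named.conf for BIND 9, modelled on the ideas in
// the Cymru Secure BIND Template but not copied from it. All addresses are
// placeholders for this example.

// Networks allowed to use this server as a recursive resolver (assumed).
acl "trusted" {
    127.0.0.1;
    192.168.0.0/16;
};

// Secondary name servers allowed to pull zone transfers (assumed placeholder).
acl "secondaries" {
    198.51.100.53;
};

// Illustrative subset of bogon space: unallocated, reserved or private
// ranges that should never arrive from the Internet. Take the full, current
// list from Team Cymru; it changes as address blocks are allocated, and a
// stale copy will eventually blackhole legitimate clients.
// 192.168.0.0/16 is left out here because this site uses it internally.
acl "bogon" {
    0.0.0.0/8;
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    224.0.0.0/3;
};

options {
    directory "/var/named";

    // Weak: by default BIND answers a "version.bind" CHAOS TXT query with its
    // real version string, telling an attacker exactly what to exploit.
    // Hardened: return a fixed string instead.
    version "not disclosed";

    // Weak: older BIND 9 releases recurse for any source address, making the
    // server an open resolver whose cache outsiders can poison.
    // Hardened: keep recursion on, but only for trusted networks.
    recursion yes;
    allow-recursion { "trusted"; };

    // Weak: allow-transfer { any; }; hands the entire zone, internal host
    // names included, to anyone who asks.
    // Hardened: refuse transfers globally; zones re-enable them for their
    // own secondaries below.
    allow-transfer { none; };

    // Authoritative answers are public; recursion is restricted above.
    allow-query { any; };

    // Drop packets from impossible source addresses without answering.
    blackhole { "bogon"; };
};

// Authoritative zone: transfers only to the listed secondaries.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { "secondaries"; };
};

// Root hints, used only when recursing for trusted clients.
zone "." {
    type hint;
    file "named.root";
};
```

After installing it, run `named-checkconf` to catch syntax errors before reloading, then verify from a host outside the trusted networks: `dig @yourserver version.bind CHAOS TXT` should return the fixed string, `dig @yourserver example.com AXFR` should be refused, and a recursive query for a name you are not authoritative for should come back REFUSED rather than answered.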

Cymru Secure BIND Template:

http://www.cymru.com/Documents/secure-bind-template.html

By the way, there are many other good things at the Cymru web site, including templates for securing Cisco IOS and BGP. They also maintain the "Bogon list", a list of IP ranges that should never be seen on the Internet (there are far more than the widely known RFC 1918 private ranges). It is very useful as an anti-spoofing blacklist in firewalls and on Internet-facing servers, with one caveat: the list shrinks as address blocks are allocated, so refresh it from Cymru regularly rather than copying it once, or you will eventually block legitimate traffic.

Update: other guides to configuring BIND 9 and DNS in general:


Posted in Blind spots, Infrastructure
