On 08/08/2010 11:29:52, Shiva Raman wrote:
> I am running Bind caching and bind authoritative servers with current
> 9.7 version. I would like
> to know the steps to be followed to protect bind from DNS Cache poisoning.
> The bind DNS server
> is running behind the firewall which allows only DNS queries.
Run an up-to-date version of bind. Be fanatical about applying security patches promptly.

Don't allow recursion /at all/ for queries from the general public to your authoritative servers, nor permit authoritative servers to send additional data from cache. Permit only your trusted clients to make recursive queries through your recursive servers. If you have sufficient DNS traffic to warrant it, it is very good to run completely separate instances of bind as authoritative and recursive servers -- use of virtualization techniques like FreeBSD jails can help reduce hardware costs. Otherwise, make use of the views feature to control who may or may not perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP traffic. Make sure your firewalls don't do daft things like forcing any DNS traffic to come from a limited range of source ports, or blocking large UDP packets or EDNS. Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
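The advice above, sketched as a named.conf fragment. This is an added example, not configuration from Matthew's post or from ISC; the "trusted" ACL name, the 192.0.2.0/24 network, the zone name and the file paths are placeholders, and the DNSSEC trust anchor (trusted-keys or managed-keys) is assumed to be configured elsewhere.

```conf
// Constructed example for BIND 9.7-era syntax. Placeholders throughout.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";                  // placeholder path
    // The setting to avoid is "recursion yes" with no allow-recursion
    // list: that makes the server an open resolver for anyone.
    recursion no;                            // authoritative unless a view says otherwise
    allow-query { any; };                    // anyone may ask for our own zones
    allow-query-cache { none; };             // never hand cached data to outsiders
    additional-from-cache no;                // do not pad answers from cache
    use-v4-udp-ports { range 1024 65535; };  // wide source-port spread for queries
    dnssec-enable yes;
    dnssec-validation yes;                   // assumes a root trust anchor is configured
};

// Recursive service only for trusted clients, selected by view.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    zone "." { type hint; file "named.root"; };
    zone "example.com" { type master; file "db.example.com"; };
};

// Everyone else sees an authoritative-only view of the same zone.
view "external" {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    minimal-responses yes;                   // answer section only, no extra records
    zone "example.com" { type master; file "db.example.com"; };
};
```

The firewall side of the advice (TCP 53 open alongside UDP 53, large UDP packets and EDNS allowed, no NAT squeezing queries into a narrow source-port range) lives outside named.conf and must be checked separately.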
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users