Hi,

Thanks for your valuable suggestions.

> Run an up-to-date version of bind. Be fanatical about applying security
> patches promptly.

Yes, I am running the latest version, Bind-9.7.1-P2.

> Don't allow recursion /at all/ for queries from the general public to
> your authoritative servers, nor permit authoritative servers to send
> additional data from cache.

I am running separate caching and authoritative servers. As suggested by you, I had disabled recursion for the authoritative servers.

> Permit only your trusted clients to make recursive queries through your
> recursive servers.

Yes, in the caching servers I have only enabled recursion for our trusted clients.

> If you have sufficient DNS traffic to warrant it, it is very good to run
> completely separate instances of bind as authoritative and recursive
> servers -- use of virtualization techniques like FreeBSD jails can help
> reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.

> Allow bind to use as wide a range of port numbers as possible for UDP
> traffic.

Yes, this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS
> traffic to come from a limited range of source ports, or blocking large
> UDP packets or EDNS. Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

> Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named. Now named is working with DNSSEC enabled, but I am not able to verify the same. Kindly let me know how we can verify that DNSSEC is enabled and running, from the logs.

Thanks in advance.

Shiva Raman
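One way to confirm from the outside that the recursive server is actually validating, as an added example that is not part of this thread: a POSIX shell helper that classifies a captured `dig +dnssec <name> @<recursive-server>` answer by its `ad` flag, the presence of RRSIG records, and a SERVFAIL status. The dig transcripts below are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example, not from the bind-users thread: classify what a captured
# "dig +dnssec <name> @<recursive-server>" answer says about DNSSEC.
#   validated            -> "ad" flag set: the resolver validated the answer
#   signed-not-validated -> RRSIGs returned but no "ad": DO bit honoured,
#                           validation off or no trust anchor for the zone
#   unsigned             -> no RRSIG and no "ad": zone unsigned or DNSSEC off
#   servfail             -> SERVFAIL: possible validation failure, check logs
classify_dig() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail
        return 0
    fi
    # header flags, e.g. "qr rd ra ad"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo validated; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        echo signed-not-validated
    else
        echo unsigned
    fi
    return 0
}

# Constructed sample transcripts (abbreviated dig output, not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN RRSIG A 8 2 3600 20100901000000 20100801000000 4711 example.com. c29tZXNpZw=='
SAMPLE_NOT_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN RRSIG A 8 2 3600 20100901000000 20100801000000 4711 example.com. c29tZXNpZw=='
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_VALIDATED" "$SAMPLE_NOT_VALIDATED" "$SAMPLE_UNSIGNED" "$SAMPLE_SERVFAIL"; do
    classify_dig "$s"
done
```

The `ad` flag is only set by a validating resolver on answers it has validated itself, so seeing it from your own recursive server is the direct check; for the log-based view the asker wants, BIND's `dnssec` logging category can be sent to its own channel in the `logging` block of named.conf.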
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users