On 06/16/2014 02:15 PM, James wrote:
> Hello,
>
> I'm reading up on how to secure DNS primary and secondary servers.
> I guess DNSSEC is pretty important. Any other areas I should read
> up on? It's been a few years since I admin'd a dns server....
The benefits of DNSSEC are debatable. We're moving the centralized trust from one group of scumbags (the CAs) to another group of scumbags (the registrars). So the benefits to authentication are not entirely clear-cut. But, DNSSEC will eventually allow us to do away with the SSL racket, and that can only improve security through the widespread adoption of encryption. So it's a good thing either way.

There's a video of DJB at the 27c3 conference floating around where he discusses some of this stuff. Some of his points shouldn't be taken seriously, but it's entertaining nevertheless.

>
> Also, look for gentoo centric DNS primary solutions, I see
> no mention of hardened, up-mounted or read only partitions,
> etc etc. I'm wondering if anyone has some general suggestions
> on how to keep a gentoo dns primary only machine secure.
>

Sven Vermeulen maintains some general suggestions here:

http://dev.gentoo.org/~swift/docs/security_benchmarks/

> The iptables suggestions seem trite and old.

Which suggestion? For a DNS server, you probably want something like,

# Default deny on INPUT; allow loopback and replies to connections
# this host already has open, drop anything conntrack can't classify
iptables -P INPUT DROP
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
    -j ACCEPT
iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP

# Allow SSH, up to you
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# And allow DNS traffic (UDP for ordinary queries, TCP for large
# responses and zone transfers)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
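As an added example that is not part of the thread, the following POSIX shell script audits an `iptables -S INPUT` dump for the properties the ruleset above is meant to provide: a DROP default policy, loopback and established traffic accepted, INVALID packets dropped, UDP and TCP port 53 open, and no unconditional ACCEPT that would quietly defeat the default deny. The rule dump is a constructed sample embedded in the script so it runs offline; the function name `audit_input_chain` and the sample are assumptions of this example, not anything from the list posting.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an iptables
# INPUT chain dump for the properties a DNS server's firewall should have.
# SAMPLE_RULES is a constructed stand-in for `iptables -S INPUT` output.

SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT'

# audit_input_chain RULES
# Prints one FAIL line per missing or dangerous property and returns
# non-zero if any check failed. Hypothetical helper written for this example.
audit_input_chain() {
    rules=$1
    fail=0

    # Default policy must be DROP, otherwise the allow rules are decorative.
    printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$' \
        || { echo "FAIL: INPUT policy is not DROP"; fail=1; }

    # Loopback must be accepted or local resolver/monitoring traffic breaks.
    printf '%s\n' "$rules" | grep -q -- '-i lo -j ACCEPT' \
        || { echo "FAIL: loopback traffic not accepted"; fail=1; }

    # Replies to connections we initiated must be allowed back in.
    printf '%s\n' "$rules" | grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' \
        || printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' \
        || { echo "FAIL: established/related traffic not accepted"; fail=1; }

    # Packets conntrack cannot classify should be dropped explicitly.
    printf '%s\n' "$rules" | grep -q -- '--ctstate INVALID -j DROP' \
        || { echo "FAIL: INVALID state not dropped"; fail=1; }

    # DNS needs both transports: UDP for queries, TCP for large answers/AXFR.
    for proto in udp tcp; do
        printf '%s\n' "$rules" | grep -q -- "-p $proto .*--dport 53 -j ACCEPT" \
            || { echo "FAIL: $proto/53 not accepted"; fail=1; }
    done

    # A bare "-A INPUT -j ACCEPT" makes the DROP policy meaningless.
    if printf '%s\n' "$rules" | grep -q '^-A INPUT -j ACCEPT$'; then
        echo "FAIL: unconditional ACCEPT present in INPUT chain"
        fail=1
    fi

    return $fail
}

# On a live host you would run: audit_input_chain "$(iptables -S INPUT)"
audit_input_chain "$SAMPLE_RULES" && echo "INPUT chain passes all checks"
```

The checks are deliberately textual rather than live so the script can run on a saved ruleset (for example from `iptables-save` in a config repository) as part of a review, before anything is loaded on the server.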