Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Shiva Raman
Dear All

I am running BIND caching and BIND authoritative servers with the current 9.7 version. I would like to know the steps to be followed to protect BIND from DNS cache poisoning. The BIND DNS server is running behind a firewall which allows only DNS queries.

Kindly share your views.

Thanks in advance.

Shiva Raman
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Matthew Seaman
On 08/08/2010 11:29:52, Shiva Raman wrote:

> I am running BIND caching and BIND authoritative servers with the current
> 9.7 version. I would like
> to know the steps to be followed to protect BIND from DNS cache poisoning.
> The BIND DNS server
> is running behind the firewall which allows only DNS queries.

Run an up-to-date version of bind.  Be fanatical about applying security
patches promptly.

Don't allow recursion /at all/ for queries from the general public to
your authoritative servers, nor permit authoritative servers to send
additional data from cache.

Permit only your trusted clients to make recursive queries through your
recursive servers.

If you have sufficient DNS traffic to warrant it, it is very good to run
completely separate instances of bind as authoritative and recursive
servers -- use of virtualization techniques like FreeBSD jails can help
reduce hardware costs.

Otherwise, make use of the views feature to control who may or may not
perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP
traffic.

Make sure your firewalls don't do daft things like forcing any DNS
traffic to come from a limited range of source ports, or blocking large
UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk

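The hardening steps Matthew lists, collected into a single named.conf fragment for BIND 9.7 as an added example; this is not configuration from the thread or from ISC, and the `trusted` network, the `example.com` zone and the file paths are made-up placeholders.

```conf
// Constructed example for BIND 9.7 (not from the thread). 192.0.2.0/24,
// example.com and the file names are placeholders.

acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";

    // Source-port randomisation: give named as wide a UDP port range as
    // possible and never pin the port (i.e. never write "query-source port 53;").
    use-v4-udp-ports { range 1024 65535; };

    // Large UDP answers and EDNS must be allowed; the firewall in front of
    // this host must also pass them unmodified, and allow TCP/53.
    edns-udp-size 4096;
    max-udp-size 4096;

    // Validation only takes effect once trust anchors (trusted-keys or
    // managed-keys) are configured as well.
    dnssec-enable yes;
    dnssec-validation yes;
};

// Recursive service for trusted clients only.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    zone "." { type hint; file "named.root"; };
    // Serve our own zone here too, so trusted clients never need the external view.
    zone "example.com" { type master; file "db.example.com"; };
};

// Authoritative-only service for everyone else: no recursion, no cache access,
// no additional data drawn from the cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    additional-from-cache no;
    additional-from-auth no;
    zone "example.com" { type master; file "db.example.com"; };
};
```

Where traffic volume justifies it, the two views are better split into two separate named instances (or hosts), as the reply suggests; the per-view settings then become the global options of each instance.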

Re: dns-sec and Maintaining Human Sanity

2010-08-08 Thread Dave Knight

On 2010-08-06, at 6:36 PM, Tony Finch wrote:

> OpenDNSSEC predates BIND's auto-signing functionality, so it has become
> partly obsolete - but not completely.

OpenDNSSEC is far from obsolete; it's in active development [1] and is being used for some important zones [2].

dave

[1] http://www.opendnssec.org/2010/05/27/opendnssec-1-1-0-and-release-plan-for-1-2/
[2] http://www.opendnssec.org/about/known-users/
