On Fri, 9 Feb 2001, Daniel Hammer wrote:
> BS"D
>
> Hi,
>
> when setting up a DNS server and putting then a firewall
> in front of it (physically) may give some
> protection against attacks on other ports than 53!?
> Can anyone give me some hints what security measures I
> can take to protect my (Linux-) DNS server (maybe lines
> to add to /etc/named.conf or some online available material)?
>
> Thanx in advance,
>
> Daniel.
First I would filter all ports on the DNS server and only open those
necessary. These might include udp/tcp 53 to the world and ssh from select
internal hosts. Verify you are always running the latest version of BIND
(probably in the 9.x series) or possibly you have switched over to a
better solution (djbdns)[1].
You would also employ state based filtering to your DNS server so that you
could dynamically open return traffic and close it when the session
terminates. This would give you the benefit of filtering almost all
outbound traffic as well. In the event that your NS were ever compromised,
the attacker would have a hard time getting more software onto your
machine. You would also have removed the compilers from your DNS server as
convenient as they may be.
In the event you are running BIND then you will only allow AXFR queries
from select hosts, namely your secondary servers. You might also log all
queries to see if someone is trying to poison your cache.
[1] djbdns, http://www.djbdns.org
.truman.boyes.
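The measures in the reply above (open only 53/udp+tcp to the world and ssh from a select host, stateful filtering of return traffic, AXFR restricted to the secondaries, query logging) put together as one added example. This is not the poster's own configuration: it assumes a Linux 2.4-style iptables firewall with the state match, BIND 9 syntax for named.conf, and placeholder addresses (the server itself as 192.0.2.53, an admin host 192.0.2.10, secondaries 192.0.2.54 and 198.51.100.2) that you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (a) an iptables-restore
# ruleset and (b) a named.conf fragment implementing the advice in the reply.
# All addresses below are placeholders for illustration.

DNS_IP="192.0.2.53"                  # the name server's own address
ADMIN_HOST="192.0.2.10"              # the only host allowed to ssh in
SECONDARIES="192.0.2.54 198.51.100.2" # hosts permitted to pull zone transfers (AXFR)

# Emit a ruleset in iptables-restore(8) format. Default policy is DROP on
# INPUT and OUTPUT; only DNS, ssh from the admin host and established return
# traffic pass, so a compromised server cannot freely fetch more software.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by the local resolver and admin tools
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful: return traffic for sessions already seen by conntrack
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS from anywhere; TCP 53 is needed for large answers and for AXFR
-A INPUT -p udp -d ${DNS_IP} --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -d ${DNS_IP} --dport 53 -m state --state NEW -j ACCEPT
# ssh only from the internal admin host
-A INPUT -p tcp -s ${ADMIN_HOST} --dport 22 -m state --state NEW -j ACCEPT
# outbound: only what a name server needs (queries to other name servers)
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# log whatever is left before the DROP policy discards it
-A INPUT -j LOG --log-prefix "dns-fw-drop-in: "
-A OUTPUT -j LOG --log-prefix "dns-fw-drop-out: "
COMMIT
EOF
}

# Emit a named.conf fragment: AXFR only to the secondaries, every query logged
# to a rotating file so cache-poisoning attempts can be reviewed later.
build_named_conf() {
    acl_body=""
    for h in $SECONDARIES; do
        acl_body="${acl_body} ${h};"
    done
    cat <<EOF
acl "secondaries" {${acl_body} };

logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 5 size 20m;
        print-time yes;
    };
    category queries { query_log; };
};

options {
    directory "/var/named";
    allow-transfer { secondaries; };
};
EOF
}

# Check helper: does the generated text contain the given literal line?
contains() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# Usage (as root):
#   build_ruleset | iptables-restore
#   build_named_conf >> /etc/named.conf   # merge into an existing options{} by hand
```

The OUTPUT policy of DROP is what gives the "hard time" the reply mentions: with only port 53 and conntrack-tracked return traffic allowed out, an attacker who does get a shell cannot simply wget a toolkit. Remember to allow the secondaries' notify/transfer traffic through any upstream firewall too, since AXFR runs over TCP 53.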