Michael Orlitzky <mjo <at> gentoo.org> writes:

> 
> On 06/16/2014 02:15 PM, James wrote:
> > Hello,
> > 
> > I'm reading up on how to secure DNS primary and secondary servers.
> > I guess DNSSEC is pretty important. Any other areas I should read
> > up on?  It's been a few years since I admin'd a dns server....
> 
> The benefits of DNSSEC are debatable. We're moving the centralized trust
> from one group of scumbags (the CAs) to another group of scumbags (the
> registrars). So the benefits to authentication are not entirely clear-cut.
> 
> But, DNSSEC will eventually allow us to do away with the SSL racket, and
> that can only improve security through the widespread adoption of
> encryption. So it's a good thing either way.

I'm just reading at this point. Listening to folks too. I have formed
no opinions (yet).

Here is a nice, general listing:

[1]
http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/NISTSecuringDNS/NISTSecuringDNS.htm


> There's a video of DJB at the 27c3 conference floating around where he
> discusses some of this stuff. Some of his points shouldn't be taken
> seriously, but it's entertaining nevertheless.

I thought DJB was mostly deprecated. He's still preaching dns security,
yet does not update his offerings?  Interestingly strange.


> > Also, look for gentoo centric  DNS primary solutions, I see
> > no mention of hardened, up-mounted or read only partitions, 
> > etc etc. I wondering if anyone has some general suggestions 
> > on how to keep a gentoo dns primary only machine secure.
> > 
> 
> Sven Vermeulen maintains some general suggestions here:
> 
>   http://dev.gentoo.org/~swift/docs/security_benchmarks/

Sven is great.  So just the generic hardened  remedies, nothing
special to DNS servers or services, from my quick parse of his
documents on hardened?


Sven's also into "selinux". I see no selinux policies
or rules. Maybe I should drop him a line about selinux related to
dns primary servers?  Surely a selinux policy for a primary only
selinux dns server would be keen?   Not needed ? Overkill ?
I was going to read up a bit, before asking him questions I should
have discovered from robust research on the subject......



> > The iptables suggestions seem trite and old.
> Which suggestion? For a DNS server, you probably want something like,
> 
>   iptables -P INPUT DROP
>   iptables -A INPUT -p ALL -i lo -j ACCEPT
>   iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
>     -j ACCEPT
>   iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP
>   # Allow SSH, up to you
>   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>   # And allow DNS traffic
>   iptables -A INPUT -p udp --dport 53 -j ACCEPT
>   iptables -A INPUT -p tcp --dport 53 -j ACCEPT


Ah, you've added to this iptables listing:

http://wiki.gentoo.org/wiki/BIND/Tutorial


So, I am looking for a minimal listing of flags  that is sufficient 
for a dns primary server, ssh and only necessary other services
(make.conf).

I'm thinking there should be a tremendously reduced set of C libraries
so as to remove potential issues found on other services, or a
secure, blessed C library commonly used for ultra tight servers.

I was also thinking of not mounting some partitions rw, but r only
so a manual reboot would be needed to modify settings critical to
security on the primary server. Good idea? Other similar ideas?


"eix dns" reveals many servers, tools and complementary software.
Also, /usr/portage/net-dns/ has some ebuilds not discovered by
eix. Any recommended or useful for dns security issues?

Any guidance of those?

secure dns servers: sheerdns, maradns

TOOLS to test the security of a dns server?
fpdns, dnscap, validns, dnstop (with alarms or logging?)
dnshijacker, dnscap, dnstracer, etc etc?

New, relevant DNS RFCs?


It's more ideas on subjects I should read up on, or specifically
targeted responses from those current on dns security issues, like
ISPs that practice dns-hijacking for their selfish desires and expose
others in the process:

[2] http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs


CERT. I did find this singular issue: 
 Alert (TA13-088A)   DNS Amplification Attacks

[3] https://www.us-cert.gov/ncas/alerts/TA13-088A

And this comprehensive listing of dns server issues:

http://search.us-cert.gov/search?utf8=✓&affiliate=us-cert&query=all+dns+server+alerts&commit=Search

As well as a current listing of dns server issues, which is
currently empty?


Anyone and Everyone is encouraged to "chime in" on dns server
security issues, particularly related to the primary servers
issues and protection strategies.


James
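One way to check that a running host actually carries the minimal DNS-server rule set quoted above (INPUT policy DROP, loopback and conntrack accepts, INVALID drop, 22 and 53 open, nothing else accepted): an added example, not code from either poster or from the Gentoo wiki, that audits an `iptables-save` dump. The embedded dump is a constructed sample with the INVALID-drop rule left out on purpose.

```python
"""Audit an iptables-save dump against the minimal DNS-server INPUT rule set."""
import re
import sys

# Constructed sample of `iptables-save` output; the INVALID-drop rule is
# deliberately missing so the audit has something to report.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return (chain -> default policy, list of '-A INPUT ...' rules) for *filter."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A INPUT"):
            rules.append(line)
    return policies, rules

def audit_dns_input(dump):
    """Return a list of findings; an empty list means the rule set matches."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    required = [
        ("loopback accept", r"-i lo .*-j ACCEPT"),
        ("established/related accept", r"--ctstate \S*ESTABLISHED\S* -j ACCEPT"),
        ("invalid drop", r"--ctstate INVALID -j DROP"),
        ("dns/udp accept", r"-p udp .*--dport 53 -j ACCEPT"),
        ("dns/tcp accept", r"-p tcp .*--dport 53 -j ACCEPT"),
    ]
    for name, pattern in required:
        if not any(re.search(pattern, r) for r in rules):
            findings.append(f"missing rule: {name}")
    # Any ACCEPT that is not loopback, conntrack, SSH or DNS widens exposure.
    expected = re.compile(r"(-i lo|--ctstate|--dport (22|53)) ")
    for r in rules:
        if r.endswith("-j ACCEPT") and not expected.search(r):
            findings.append(f"unexpected accept: {r}")
    return findings

if __name__ == "__main__":  # usage: iptables-save | python3 audit.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(audit_dns_input(dump)) or "rule set matches")
```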