
Thread: DNS Security

  1. #1

    DNS Security

    OK, I have been studying DNS lately and thought it might be helpful to list some of the things you can do to secure your DNS, as well as some of the security issues with DNS, so that you are all aware.

    It should be known that there are 13 "root servers" which coordinate the data (IP->NAME) and allow users to find the server that IDs with what they want. One of these servers is called the "authoritative root", which has the master copy of that data file, aka the "root zone file". The other 12 have a copy of this file. The servers are located in 4 different countries and run a variety of OSs etc. for redundancy and protection against vulnerability.

    On to security issues:
    - Admins forget to update their root.hints file, which points the DNS to these 13 servers. The IPs of these 13 can change; be aware and update every so often.

    - Make sure to update BIND or any other DNS software you are using. An estimated 12% of DNS servers (130 million est. DNS servers) are using DNS software with known vulnerabilities. These holes allow for buffer overflows, spoofing, and cache poisoning.

    - Finally, TURN OFF RECURSIVE QUERIES! A recursive query is when your DNS doesn't have an answer, so it goes to the next DNS in the tree and forwards you the answer (as opposed to handing the query off to another DNS). The response from the second DNS (the one up the tree) can be spoofed pretty easily.

    DNS security isn't that tough, and like most other things, if you keep up with patches and updates you should be set. Hopefully you all learned at least a little something.


  2. #2
    Senior Member | Join Date: Jan 2002 | Posts: 657

    Don't know why you got negged for this...

    I don't see any copy and paste, and it's not bad info.

    +greens

    --NetSyN
    i have a herd of 1337 sheep
    Worth should be judged on quality... Not appearance... Anyone can sell you **** inside a pretty box.. The only real gift then is the box..

  3. #3
    nebulus200, Jaded Network Admin | Join Date: Jun 2002 | Posts: 1,356
    There are some very important things you missed:

    - Restrict zone transfers and blackhole reserved nets

    acl mynets {
        10.1.1.0/24;
        10.1.2.0/24;
    };

    # Note: I used the 10 network for privacy above; it is a reserved net, so it is listed below.

    acl reservednets {
        0.0.0.0/8;
        1.0.0.0/8;
        2.0.0.0/8;
        192.0.2.0/24;
        224.0.0.0/3;    // multicast addresses
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
    };

    options {
        directory "path_to_named.data";   // location of db files
        allow-query { any; };
        allow-transfer { mynets; };        // xfers restricted to these nets
        blackhole { reservednets; };
    };

    - Provide only the important things in your DNS records, like CNAME, A records, and MX records. Things like TXT records might provide extra info that isn't necessary.

    - Disallow version requests

    // A separate view for the CHAOS class that answers nothing, so version.bind gets no reply.
    view "chaos" chaos {
        match-clients { any; };
        allow-query { none; };
        zone "." {
            type hint;
            file "/dev/null";
        };
    };


    All too often I see things like the above allowed...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
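The following is an added example, not code from any poster in this thread: a small linter that reads a named.conf fragment and flags the four weak spots discussed above (zone transfers open to anyone, no blackhole for reserved nets, recursion left on as post #1 warns, and version.bind answerable because neither a denying CHAOS view nor a `version` option is present). Both configurations embedded in it are constructed samples; the hardened one follows the ACL, blackhole and chaos-view pattern from the post above, with `recursion no;` added.

```python
"""Lint a named.conf fragment for the hardening points raised in this thread.

Added example; the two configurations below are constructed samples.
"""
import re

# Constructed sample: a permissive configuration (the 'before').
WEAK_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { any; };   // anyone may pull the whole zone
    recursion yes;             // BIND's default
};
"""

# Constructed sample: the hardened form. Follows the ACL / blackhole / chaos-view
# pattern posted in the thread and adds 'recursion no;' as post #1 recommends.
HARDENED_CONF = """
acl mynets { 10.1.1.0/24; 10.1.2.0/24; };
acl reservednets { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 224.0.0.0/3; };
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { mynets; };
    blackhole { reservednets; };
    recursion no;
};
view "chaos" chaos {
    match-clients { any; };
    allow-query { none; };
    zone "." { type hint; file "/dev/null"; };
};
"""


def strip_comments(conf):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def block(conf, header_regex):
    """Return the body of the first block whose header matches, or None."""
    m = re.search(header_regex + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def statement(body, name):
    """Value of 'name value;' or 'name { list };' inside a block body, or None.

    The lookbehind keeps 'recursion' from matching inside 'allow-recursion'.
    """
    m = re.search(r"(?<![\w-])" + name + r"\s+(\{[^}]*\}|[^;{]+);", body)
    return m.group(1).strip() if m else None


def lint(conf):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    conf = strip_comments(conf)
    findings = []
    opts = block(conf, r"(?<![\w-])options") or ""

    xfer = statement(opts, "allow-transfer")
    if xfer is None or re.search(r"\bany\b", xfer):
        findings.append("zone transfers not restricted (allow-transfer missing or 'any')")

    if statement(opts, "blackhole") is None:
        findings.append("no blackhole list for reserved/bogon networks")

    if (statement(opts, "recursion") or "yes") != "no":
        findings.append("recursion enabled (BIND default) - disable it on authoritative servers")

    # version.bind is hidden if the CHAOS class is served by a view that denies all
    # queries, or if 'version' is overridden in options.
    chaos = block(conf, r'(?<![\w-])view\s+"[^"]*"\s+chaos')
    chaos_denied = chaos is not None and re.sub(
        r"\s+", "", statement(chaos, "allow-query") or "") == "{none;}"
    if not chaos_denied and statement(opts, "version") is None:
        findings.append("version.bind answerable (no denying chaos view, no version override)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

The linter is deliberately narrow: it only understands the statements discussed in this thread, and it reports `allow-transfer` as open when the option is absent, because BIND permits transfers to anyone unless told otherwise.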

  4. #4
    Sorry about missing the zone transfers issue. I'll add that in, thanks; err, you actually said it better than I could.
