Restrict Access
You can use several other BIND statements to enhance the security of your DNS servers. To further protect an internal BIND DNS server, you can tell the server to accept queries only from specific addresses. In the example that Listing 6 shows, the server will accept queries only from clients on the networks 192.168.10.0/24 and 192.168.11.0/24.
This restriction, however, is difficult to use effectively on an external BIND DNS server because you typically don't know the clients that will request access to the server. But you can use similar statements in the named.conf file's options section to deny access to known bad users (provided that you know those users' IP addresses) or known bad servers. For example, if you know that a particular intruder often uses a source address in the range of 172.36.0.0/16 to attack your DNS server, you can include a blackhole statement, which Listing 7 shows, to deny the intruder's queries. When you know the address of a DNS server (e.g., 172.36.2.2) that you don't want your DNS server to communicate with, you can use the server statement that Listing 8 shows to prevent communication.
To permit only certain DNS servers (e.g., the secondary DNS servers 192.168 .10.10 and 198.168.11.10) to perform a zone transfer from a specific DNS server (e.g., the primary DNS server), you can add the statement that Listing 9 shows to the options section of the primary server's named.conf file. If you run a dynamic zone on your BIND DNS server, you can add a statement to named.conf's zone definition to restrict which clients (e.g., DHCP servers and Win2K computers) can dynamically update the zone. For example, the zone statement that Listing 10 shows permits systems on 192.168.10.0/24 to update the dynamic zone for exampleco.com.
Hide Your BIND
A server running a BIND version with known security vulnerabilities is a good target for an intruder. If you're too busy to upgrade your BIND server to BIND 8.2.3 or later or to BIND 9.x, you can add a statement to named.conf's options section to hide your BIND version or make it look like a new version. For example, the statement in Listing 11 can disguise an older version of BIND and make it appear to be BIND 8.2.4 to an intruder using the Dig command
dig @<yourdnsserver> chaos version.bind txt
(For information about the Dig utility in Win2K and NT, see the sidebar "Dig for DNS Information," page 44.)
Beyond the Basics
To raise the bar of Internet DNS service security, the ISC has incorporated the Internet Engineering Task Force (IETF) Internet DNS security protocol into BIND. In my next article, I'll discuss BIND's new DNSSEC and TSIG security functions and how they can help you further prevent DNS service security problems.
End of Article
