If you are running your own DNS server (BIND), chances are it will see a number of DNS attacks, from cache poisoning to DoS attacks. It is very important to secure your DNS server in as many ways as you can.
How to Secure your DNS Server
To secure your DNS server, all you need to do is add the following lines to your /etc/named.conf file.
1. First you should know the 2 IPs of your DNS server. Just open /etc/nameserverips and there you will get the 2 DNS IPs.
tail /etc/nameserverips
2. Open /etc/named.conf
Look for the options { line and above it add these lines:
acl "trusted" {
x.x.x.x;
y.y.y.y;
};
where x.x.x.x and y.y.y.y are your 2 DNS IPs from step (1).
3. Look for the line
// query-source address * port 53;
below it, insert the following lines:
version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
This disables DNS recursion for outside queries (preventing your server from being an open DNS server), and restricts zone transfers and notifications to your DNS servers only, not to outside queries. The version line hides the BIND version.
4. Prevent DNS Spoofing
If you are running BIND 8.x or an earlier version, there is a possibility that your DNS server is left unprotected from forged IPs. To prevent this from happening, add this one line to your options block:
options {
use-id-pool yes;
};
Once all is complete, restart named:
service named restart
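Before restarting, it is worth checking that the edits from steps 2 and 3 actually landed in the options block. The script below is an added example, not part of the original post: it parses a named.conf fragment, reports any of the three allow-* directives that are missing or set to any, flags a referenced ACL that was never defined (a typo in the acl name silently breaks the restriction), and checks that the version string is overridden. The two sample configs and the 192.0.2.x addresses are constructed for the demo.

```python
import re

# Constructed sample named.conf fragments (not from the original post): one with
# the open defaults the post warns about, one hardened exactly as the post describes.
WEAK_CONF = """
options {
    directory "/var/named";
    // query-source address * port 53;
    allow-transfer { any; };
};
"""
HARDENED_CONF = """
acl "trusted" { 192.0.2.10; 192.0.2.11; };
options {
    directory "/var/named";
    // query-source address * port 53;
    version "Bind";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
"""
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}  # predefined by BIND

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # C-style comments
    return re.sub(r"(//|#).*", "", text)                  # line comments

def _block(text, keyword):
    """Body of the first `keyword { ... };` whose closing brace starts a line."""
    m = re.search(r"\b" + keyword + r"\s*\{(.*?)\n\s*\};", text, flags=re.S)
    return m.group(1) if m else ""

def _address_list(block, directive):
    """Entries of `directive { a; b; }` inside block, or None if absent."""
    m = re.search(r"\b" + directive + r"\s*\{([^}]*)\}", block)
    return [v.strip() for v in m.group(1).split(";") if v.strip()] if m else None

def audit_named_conf(text):
    """List the weak settings the post tells you to fix; an empty list means hardened."""
    text = _strip_comments(text)
    defined_acls = set(re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{', text))
    opts = _block(text, "options")
    findings = []
    for directive in ("allow-recursion", "allow-transfer", "allow-notify"):
        entries = _address_list(opts, directive)
        if entries is None or "any" in entries:
            findings.append(f"{directive} is not restricted to a trusted ACL")
        else:
            for name in entries:  # names (not addresses) must resolve to an acl
                if re.match(r"[A-Za-z]", name) and name not in (BUILTIN_ACLS | defined_acls):
                    findings.append(f"{directive} references undefined acl '{name}'")
    if not re.search(r'\bversion\s+"', opts):
        findings.append("real BIND version is exposed via version.bind")
    return findings
```

Run audit_named_conf on the contents of /etc/named.conf; the weak sample yields four findings and the hardened sample none.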
For more added security, refer to this secure BIND template.
5. Once everything is done, check your DNS server for vulnerabilities with online tools like dnsstuff:
http://www.pingability.com (free)
http://www.pweb.cz/en/dns-test/ (free)
http://www.intodns.com/ (free)
http://dnsstuff.com (paid)
Testing your DNS server with dig commands
dig command to test for an open DNS server
dig @server www.example.com
If the server resolves www.example.com and answers with an IP address, then it is an open DNS server and responds to recursive DNS queries. Remember this command should only be issued from a shell outside your network, or from another, different server.
dig command to do a zone transfer
dig @server domain.com axfr
If you are able to download the zone records, then you must disable zone transfers.
dig command to get the version of BIND
Don't show the BIND version: if you haven't upgraded, it could be subject to attacks.
dig @server -c CH -t txt version.bind
njoy!