[dns-operations] Best Practices in DNS security

Netfortius netfortius at gmail.com
Thu Mar 16 18:49:19 UTC 2006


On Thursday 16 March 2006 11:33, Paul Vixie wrote:
> # A few questions that will hopefully generate some discussion.
> #
> # What have you found is the most effective way to prevent recursive
> # queries from foreign address space against your DNS servers? DNS ACLs,
> # Firewall ACLs or Router ACLs; have you found one of these to be more
> # effective or easier to manage?
>
> some answers based on my BIND9 experiences.
>
> i've found that the best thing to do is an allow-query directive listing
> the local address space.  firewalls can theoretically be better, but are
> usually harder to reconfigure when new "inside" address space is added.
>
> note that there is an allow-recursion ACL that doesn't do what most folks
> think it does.  this ACL will prevent recursion from being done on behalf
> of non-ACL-matching source addresses, but still gives access to authority
> data or previously-cached recursive data.  my advice is, don't use this.
>
> also note that if you run authority and recursion in the same server image
> (answering on the same ip address), there are a few cases where the server
> cannot follow the RFC's when generating answers, and is basically guessing.
> my advice is, don't do this.  allocate a separate IP address for recursive
> nameservice (as handed out by DHCP or listed in resolv.conf) other than the
> one used for authority name service (as listed in A RR's who are named in
> NS RR's.)

Would this be what dnsreport.com has just recently added to their checkups, 
and called "Open DNS server" test? 

I have an odd situation, where my SOA server (for multiple domains) is also 
the name server being used by my internal clients to resolve any public host 
names (thus needing recursion enabled), and - consequently - possible to be 
used by any other public resolvers/clients. This makes it fail the test of 
what dnsreport calls "open dns server", and one thing I was thinking of was 
(aside from the fixes suggested above) to custom-build a content rule on my 
firewall (the name server is on the public-addressed, protected network, 
hanging out of one leg of the firewall - incorrectly, but a.k.a. DMZ), 
looking at payload of incoming DNS packets, from the public side, and denying 
external resolvers access to anything but SOA info. Furthermore, if I want to 
move into the realm of firewalling at that layer (including analysis of 
payload), perhaps other things could be refined, without intervention on the 
DNS server, itself. 

Any comments on such an approach?

Thanks,
Stefan
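The two setups the quoted advice contrasts, as an added BIND 9 named.conf example that is not from the thread. Addresses are placeholders from the RFC 5737 documentation ranges and the zone name is illustrative; substitute your own "inside" space and zones.

```conf
// Added illustration, not from the thread. All addresses are placeholders.

// Local address space that is allowed to use the recursive service.
acl "inside" { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; };

// ---- Weak setting: allow-recursion alone -------------------------------
// Stops recursion for outside sources, but outsiders can still query
// authority data and anything already sitting in the cache.
//
//   options {
//       allow-recursion { inside; };
//   };

// ---- Recommended: one IP per role, as two separate named instances -----

// File 1: recursive resolver. This is the address clients get via
// DHCP / resolv.conf. allow-query limits *all* queries to local space,
// so an outside source gets REFUSED rather than a cached or authority answer.
options {
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query { inside; };
};

// File 2: authoritative server on its own address (the one that appears in
// the A RRs named by the NS RRs). Recursion is off, so answering the
// world is harmless and the two roles never share a cache or an IP.
options {
    listen-on { 203.0.113.53; };
    recursion no;
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

With the split in place, a dnsreport-style "open DNS server" probe against the authoritative address gets only authority data, and the same probe against the recursive address is refused.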
