[dns-operations] Best Practices in DNS security

Paul Vixie paul at vix.com
Thu Mar 16 19:58:06 UTC 2006

# Would this be what dnsreport.com has just recently added to their checkups, 
# and called "Open DNS server" test? 

most likely (i haven't checked that site though.)

# I have an odd situation, where my SOA server (for multiple domains) is also 
# the name server being used by my internal clients to resolve any public host 
# names (thus needing recursion enabled), and - consequently - possible to be 
# used by any other public resolvers/clients.

that's bad in two ways.

1. you should not run authority and recursion in the same name server even if
you can figure out how to ACL those services differently (your authority
service needs to be externally-reachable, your recursive service needs to be

2. your recursive service really can't be externally-reachable, no matter
whether you run it in the same server image as your authority service, or not.

# This makes it fail the test of what dnsreport calls "open dns server", and
# one thing I was thinking of was (aside from the fixes suggested above) to
# custom-build a content rule on my firewall (the name server is on the
# public-addressed, protected network, hanging out of one leg of the firewall
# - incorrectly, but a.k.a. DMZ), looking at payload of incoming DNS packets,
# from the public side, and denying external resolvers access to anything but
# SOA info.

that's very hard to do, and error-prone.  what you call SOA info means "any
data in your authority zones", and if you delegate subzones to non-local
servers then those queries would be recursive in nature.  this is a slippery
slope and you're better off running separate server images for recursive vs.
authority service, and ACL'ing them appropriately differently.

# Furthermore, if I want to move into the realm of firewalling at that layer
# (including analysis of payload), perhaps other things could be refined,
# without intervention on the DNS server, itself.
# Any comments on such an approach?

firewalls that look at content haven't worked out too well in my experience.

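The "open DNS server" check discussed in the thread, carried out at the wire level, as an added example that is not from the original post, from dnsreport.com, or from any DNS server project. It builds a standard query with the RD (recursion desired) bit set for a name the tested server is not authoritative for (www.example.com is an assumed stand-in), parses the raw reply, and classifies it: an answer with RA set for a foreign name means the server recursed on the outsider's behalf, which is exactly what the authority-only instance must never do. The three sample replies are constructed by hand so the script runs offline; treating REFUSED as "recursion denied by ACL" reflects BIND's behaviour and is an assumption for other servers.

```python
"""Classify a DNS reply the way an "open resolver" check does.

Added example, not part of the mailing-list post.  Sample packets below are
constructed by hand; probe() is the only function that touches the network.
"""
import socket
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QID = 0x1234                      # fixed transaction id so the samples match


def build_query(qname, qid=QID, qtype=1):
    """Standard query with RD=1 and one question (type A by default, class IN)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(data):
    """Pull out the header flags and any A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "ancount": an, "answers": answers}


def classify(resp):
    """What one reply to an RD=1 query for a foreign name says about recursion policy."""
    if not resp["qr"]:
        return "not-a-response"
    if resp["aa"]:
        return "authoritative"        # served from its own zone; proves nothing about recursion
    if resp["rcode"] == RCODE_REFUSED:
        return "recursion-refused"    # assumed BIND behaviour when allow-recursion denies the client
    if resp["ra"] and resp["rcode"] == RCODE_NOERROR and resp["ancount"] > 0:
        return "open-resolver"        # it recursed for us: the dnsreport "open DNS server" finding
    return "no-recursion"             # e.g. RA clear with a referral or an empty reply


def probe(server, qname="www.example.com", timeout=3.0):
    """Send one RD=1 query over UDP to `server` and classify the reply (needs network)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != QID:
        raise ValueError("transaction id mismatch")
    return classify(resp)


_QUESTION = build_query("www.example.com")[12:]   # question section shared by the samples
# constructed: reply from an open recursive server (QR, RD, RA set; one A record, name compressed)
OPEN_REPLY = (struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10"))
# constructed: reply from an authority-only server that denies recursion (RA clear, RCODE=REFUSED)
REFUSED_REPLY = struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0) + _QUESTION
# constructed: authoritative answer for a zone the server hosts (AA set, RA clear)
AUTH_REPLY = (struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_AA | FLAG_RD, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.20"))

if __name__ == "__main__":
    for label, pkt in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("auth", AUTH_REPLY)):
        resp = parse_response(pkt)
        print(label, classify(resp), resp["answers"])
```

Run `probe()` from an outside address against each of the two server images the thread recommends: the authoritative one (on BIND, `recursion no;`) should come back as `authoritative` for its own zones and `recursion-refused` or `no-recursion` for anything else, and the recursive one, bound to the internal address with `allow-recursion` limited to internal networks, should not be reachable from outside at all. Any `open-resolver` result from the public side is the condition dnsreport flags.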