[dns-operations] Best Practices in DNS security
Todd Lyons
tlyons at ivenue.com
Fri Mar 17 23:39:37 UTC 2006
On Thu, Mar 16, 2006 at 07:58:06PM +0000, Paul Vixie wrote:
># Would this be what dnsreport.com has just recently added to their checkups,
># and called "Open DNS server" test?
>most likely (i haven't checked that site though.)
I was working with that test just this past week to resolve one of our
customer's complaints. With the ACLs below, I pass dnsreport's tests
and recursive queries from outside get refused, even if the answer is in the
cache. The downside is verbose logs with "query (cache) denied", but
that's ok for a while; I like knowing that a rule works. I had to use a
combination of allow-recursion{} and allow-query{} to get it to do
exactly what seems to be right.
>1. you should not run authority and recursion in the same name server even if
>you can figure out how to ACL those services differently (your authority
>service needs to be externally-reachable, your recursive service needs to be
>internal-only.)
I'm trying to wrap my head around why ACL'ing those services differently
wouldn't be sufficient. I don't see why this wouldn't meet your
criteria:
acl recurseallow {
        network/bits;        // networks allowed to use the cache and recursion
        network2/bits;
};

options { ...
        // options-level rules: only recurseallow may query non-authoritative
        // (cached) data, and only recurseallow gets recursion
        allow-query { recurseallow; };
        allow-recursion { recurseallow; };
};

zone "domain.com" in { ...
        // the zone-level allow-query overrides the options-level one,
        // so authoritative data stays reachable from anywhere
        allow-query { any; };
};
>2. your recursive service really can't be externally-reachable, no matter
>whether you run it in the same server image as your authority service, or not.
With the ACL, it's not. I'm not necessarily looking for a reply that
says "You're wrong because..." but instead am looking for a reply that
says "Your ACL doesn't take into account scenario(s) $LIST".
--
Regards... Todd
We should not be building surveillance technology into standards.
Law enforcement was not supposed to be easy. Where it is easy,
it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.12-15mdksmp 1 user, load average: 0.04, 0.08, 0.03
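The following is an added example, not part of the post and not BIND's own code: a small Python model of how BIND 9 evaluates the ACLs in the named.conf fragment above. It assumes the documented BIND 9 order of checks (a zone's own allow-query overrides the options-level allow-query for authoritative names; lookups for anything else are governed by options { allow-query } and then allow-recursion) and substitutes RFC 5737 documentation prefixes for the "network/bits" placeholders, since the post gives no real addresses. Running it shows which client/name combinations get an authoritative answer, which are recursed, and which produce the "query (cache) denied" refusal the post mentions.

```python
import ipaddress

# Constructed configuration mirroring the named.conf fragment in the post.
# The "network/bits" placeholders are replaced with RFC 5737 documentation
# ranges; this is an assumption, not data from the post.
ACLS = {
    "recurseallow": ["192.0.2.0/24", "198.51.100.0/24"],
}
OPTIONS = {
    "allow-query": ["recurseallow"],
    "allow-recursion": ["recurseallow"],
}
ZONES = {
    "domain.com": {"allow-query": ["any"]},
}


def acl_match(client, entries):
    """True if the client address matches any entry.

    Entries may be another ACL name, the built-ins "any"/"none", or a CIDR
    prefix. "none" never matches, as in BIND.
    """
    ip = ipaddress.ip_address(client)
    for entry in entries:
        if entry == "any":
            return True
        if entry == "none":
            continue
        if entry in ACLS:
            if acl_match(client, ACLS[entry]):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def find_zone(qname):
    """Longest-suffix match: the closest enclosing zone this server is
    authoritative for, or None if the name is not in any configured zone."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def decide(client, qname, rd=True):
    """Model the access-control outcome for one query.

    Returns one of:
      "authoritative"  - answered from zone data
      "recurse"        - client may have recursion performed
      "cache-only"     - allow-query permits it but allow-recursion does not
      "refused"        - zone allow-query denies the client
      "refused (query (cache) denied)" - options allow-query denies a
                                         non-authoritative lookup
    """
    zone = find_zone(qname)
    if zone is not None:
        # Authoritative data: the zone-level allow-query, if present,
        # overrides the options-level one.
        acl = ZONES[zone].get("allow-query", OPTIONS["allow-query"])
        return "authoritative" if acl_match(client, acl) else "refused"

    # Not our data: this is a cache/recursive lookup, so the options-level
    # allow-query applies first. This is the path that logs
    # "query (cache) '<name>/A/IN' denied" in the post's setup.
    if not acl_match(client, OPTIONS["allow-query"]):
        return "refused (query (cache) denied)"
    if rd and acl_match(client, OPTIONS["allow-recursion"]):
        return "recurse"
    return "cache-only"


if __name__ == "__main__":
    # Constructed sample queries: an outside client (203.0.113.9) and an
    # inside client (192.0.2.10) asking for our zone and for a foreign name.
    for client, qname in [
        ("203.0.113.9", "www.domain.com"),
        ("203.0.113.9", "www.example.net"),
        ("192.0.2.10", "www.domain.com"),
        ("192.0.2.10", "www.example.net"),
    ]:
        print(f"{client:>14} {qname:<18} -> {decide(client, qname)}")
```

With the post's ACLs the model reproduces the behaviour described: outside clients are answered for domain.com and refused for everything else, while the listed networks get recursion. It also makes visible that the same daemon is deciding both outcomes based purely on source address, which is the point Vixie's first item is about.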