[dns-operations] Best Practices

Scott Rose scottr at nist.gov
Fri Jun 14 15:21:53 UTC 2013

In the US Federal Gov, we have the NIST SP 800-81 (http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf) and DISA Secure Template Implementation Guide (STIGs) (http://www.stigviewer.com/stigs).  Not as comprehensive as what you describe, but covers what basic DNS admins should be aware of with the focus on security.  Some things were considered too low level (like port randomization) and left out since the admin would likely assume it is baked into the implementation and not something they can configure.

STIGs are way lower level (i.e. command line cookbooks) used to train operators, but have some information as to the "why".  and have a set of checks broken down by system classification (example, the "DNS Policy" checklist): http://www.stigviewer.com/stig/48ccf31b1a3c7aa12ee38de8ef3c08467003ebb0/MAC1PublicProfile/

It's some starting material that may be useful so you don't have to re-invent everything,

On Jun 14, 2013, at 11:07 AM, Chip Marshall wrote:

> There was some talk at a recent meeting about establishing some
> best practices for operating a DNS server. I'm curious if anyone
> is running with this, and if not, if this would be a good forum
> to start working on such a project.
> I know there are some IETF documents around best practices for
> things like DNSSEC, but to the best of my knowledge there's not a
> good repository for things like RRL, making sure your recursive
> resolver isn't open, ensuring source port randomization (I know I
> still see a lot of source 53 queries) and so on.
> -- 
> Chip Marshall <chip at 2bithacker.net>
> http://2bithacker.net/
> <ATT00001><ATT00002.c>

Scott Rose
scott.rose at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671

More information about the dns-operations mailing list