DNS hardening and commonly seen configuration errors

The following DNS tips show some commonly seen DNS configuration errors and some important security options that are easy to implement.

Common Errors

SOA, NS, MX and CNAME records pointing to a CNAME record

CNAME record usage is a bit controversial. It is safe to follow the rule from RFC 1912 that a SOA (its MNAME field), NS, MX or CNAME record should never refer to a CNAME record; they should only refer to a name that has an A record. Look at the next example.

The following is correct, because ns.mydom.tld. has an A record, and www and dns are CNAMEs that point directly to it.

@  IN SOA     ns.mydom.tld. hostmaster.mydom.tld. (
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum

                NS      ns.friend.tld.
                MX      10 mail.mydom.tld.  ; 1. Mail Exchanger
                MX      20 mail.friend.tld. ; 2. Mail Exchanger

localhost       A       127.0.0.1

ns              A       192.168.196.2
                MX      10 mail
                MX      20 mail.friend.tld.
www             CNAME   ns   ; OK
dns             CNAME   ns   ; OK

The following is wrong: the SOA MNAME points to dns.mydom.tld., which is a CNAME, and the foobar CNAME points to www, which is itself a CNAME.

@  IN SOA     dns.mydom.tld. hostmaster.mydom.tld. ( ; Wrong !
                        .....
                        )

foobar          CNAME   www  ; Wrong !
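As an added example (not part of the original page), the following Python script checks a zone file against the rule above: it qualifies every SOA MNAME, NS, MX and CNAME target and reports any that name a CNAME, any in-zone target that has no A/AAAA record, and, going one step beyond the text, any CNAME owner that carries other records (also forbidden by RFC 1912). The zone text is constructed from the page's example with the wrong records included; the mail A record is an assumption added so the MX targets resolve inside the zone.

```python
"""Lint a BIND zone file for CNAME-target mistakes (added example)."""
import re
from collections import defaultdict

# Constructed sample: the page's zone with the "Wrong !" records included,
# plus an NS record naming the CNAME 'dns' and an assumed A record for 'mail'.
SAMPLE_ZONE = """\
$ORIGIN mydom.tld.
@  IN SOA     dns.mydom.tld. hostmaster.mydom.tld. (   ; Wrong: dns is a CNAME
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum
                NS      ns.friend.tld.
                NS      dns.mydom.tld.  ; Wrong: dns is a CNAME
                MX      10 mail.mydom.tld.
                MX      20 mail.friend.tld.
localhost       A       127.0.0.1
ns              A       192.168.196.2
                MX      10 mail
                MX      20 mail.friend.tld.
mail            A       192.168.196.3   ; assumed, so the MX targets resolve
www             CNAME   ns              ; OK, ns has an A record
dns             CNAME   ns              ; OK as a record, wrong as a target
foobar          CNAME   www             ; Wrong: www is itself a CNAME
"""

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "HS"}
# rdata field that names another host, per record type
TARGET_FIELD = {"SOA": 0, "NS": 0, "MX": 1, "CNAME": 0}


def absolute(name, origin):
    """Fully qualify a zone-file name (lower-cased, trailing dot)."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def logical_lines(text):
    """Drop ';' comments and join records continued inside parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin="."):
    """Return ({owner: [(type, rdata tokens), ...]}, origin) with absolute names."""
    records, owner = defaultdict(list), origin
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):              # $ORIGIN / $TTL directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1].lower()
            continue
        if not line[0].isspace():                  # new owner, else inherit it
            owner = absolute(tokens.pop(0), origin)
        while TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES:
            tokens.pop(0)                          # optional TTL and class
        records[owner].append((tokens[0].upper(), tokens[1:]))
    return records, origin


def lint_zone(text, origin="."):
    """Return human-readable problems; an empty list means the zone passes."""
    records, origin = parse_zone(text, origin)
    cnames = {n for n, rrs in records.items() if any(t == "CNAME" for t, _ in rrs)}
    has_addr = {n for n, rrs in records.items() if any(t in ("A", "AAAA") for t, _ in rrs)}
    problems = []
    for owner, rrs in records.items():
        others = sorted({t for t, _ in rrs} - {"CNAME"})
        if owner in cnames and others:             # RFC 1912: CNAME stands alone
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        for rtype, rdata in rrs:
            if rtype not in TARGET_FIELD:
                continue
            target = absolute(rdata[TARGET_FIELD[rtype]], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if target in cnames:
                problems.append(f"{owner}: {rtype} points to {target}, which is a CNAME")
            elif in_zone and target not in has_addr:
                problems.append(f"{owner}: {rtype} points to {target}, which has no A/AAAA record")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, "mydom.tld."):
        print(problem)
```

Running it against the sample reports the SOA MNAME, the extra NS record and the foobar CNAME, and nothing for www and dns, which point at a name with an A record. Out-of-zone targets such as ns.friend.tld. are skipped because the zone file cannot tell what they resolve to.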

Security improvements

Restricting zone transfers

In order for your slave (secondary) server(s) to be able to answer queries about your domain, they must be able to transfer the zone information from your primary server. Very few others have a legitimate need to do so, and an unrestricted zone transfer hands an attacker a complete inventory of your hosts. Therefore restrict zone transfers using the allow-transfer option to your slave name servers only. An address-based ACL is the minimum; for stronger protection, authenticate transfers with a TSIG key. Check the result from an outside host with "dig @your-server your-domain axfr", which must be refused.

allow-transfer {       // Restrict zone transfers only to ... (in options {} for all
   192.0.2.6;          // My Secondary Nameserver       zones, or inside a zone {})
   198.51.100.121;     // My Third Nameserver (RFC 5737 example addresses)
};

Hide DNS Version

It's a good idea to hide the version of your DNS server, so that attackers cannot match it directly against lists of known vulnerabilities. BIND returns this string for CHAOS-class TXT queries for version.bind ("dig @your-server version.bind chaos txt"). Keep in mind that this is obscurity only: fingerprinting tools can still guess the version from the server's behaviour, so it does not replace patching.

version "DNS Server Akadia"; // Hide bind version (in the options {} statement)

Protecting against spoofing

Firstly, refuse queries for domains you don't own (that is, recursive queries) except from your internal/local machines, and allow queries from anywhere only for the zones you are authoritative for. An open recursive server can be abused for cache poisoning ("spoofing") attacks and as an amplifier for reflected denial-of-service attacks, and answering the world's queries also wastes your server's resources. In the example below, the global allow-query limits who may talk to the server at all, and the zone statement overrides it so that the authoritative data stays public. Newer BIND versions let you say this more directly with allow-recursion, or with "recursion no;" on a purely authoritative server.

options {
    allow-query  {           // Refuse queries for domains we don't own
       198.51.100.112/28;    // Queries from DMZ are OK (RFC 5737 example range)
       192.168.136.0/24;     // Queries from HSZ are OK
       localhost;            // Local Queries are OK
    };
};

zone "akadia.ch" {
      type master;
      file "akadia-ch.zone";
      allow-query { any; };    // Allow queries for this domain
};
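As an added example (not part of the original page), this Python script parses a named.conf fragment and audits it for the three settings discussed above: an explicit allow-transfer ACL that is not "any", a replaced version string, and an allow-query that does not leave recursion open to the world. Both configurations are constructed: the weak one relies on BIND's defaults, the hardened one uses the page's settings with RFC 5737 example addresses in place of the real secondaries and DMZ. The parser handles only the statement/block syntax shown on the page and is not a full named.conf parser; for instance it treats // and # as comments even inside quoted strings.

```python
"""Audit a named.conf fragment for the hardening settings above (added example)."""
import re

# Constructed "before" config: relies on BIND defaults everywhere.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };    // anyone can AXFR the zones
    allow-query    { any; };    // ... and ask anything, recursion included
};
zone "akadia.ch" {
    type master;
    file "akadia-ch.zone";
};
"""

# Constructed "after" config with the page's settings; RFC 5737 example
# addresses stand in for the real secondaries and DMZ.
HARDENED_CONF = """
options {
    directory "/var/named";
    version "DNS Server Akadia";                    // hide the real BIND version
    allow-transfer { 192.0.2.6; 198.51.100.121; };  // secondaries only
    allow-query {
        198.51.100.112/28;                          // DMZ
        192.168.136.0/24;                           // internal network
        localhost;
    };
};
zone "akadia.ch" {
    type master;
    file "akadia-ch.zone";
    allow-query { any; };                           // authoritative data is public
};
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def tokenize(text):
    """Strip /* */, // and # comments (naively), then split into words, strings and {};."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return TOKEN_RE.findall(text)


def parse_block(tokens, pos=0):
    """Parse 'head { body };' and 'head;' statements into [(head, body-or-None)]."""
    stmts, head = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok == "{":
            body, pos = parse_block(tokens, pos)
            stmts.append((head, body))
            head = []
            if pos < len(tokens) and tokens[pos] == ";":   # the ';' after '}'
                pos += 1
        elif tok == ";":
            stmts.append((head, None))
            head = []
        else:
            head.append(tok)
    return stmts, pos


def statement(stmts, name):
    """Return (head, body) of the first statement called name, or (None, None)."""
    return next(((h, b) for h, b in stmts if h and h[0] == name), (None, None))


def acl(stmts, name):
    """Return the address-match list of 'name { ...; };', or None if absent."""
    _, body = statement(stmts, name)
    return None if body is None else [" ".join(h) for h, _ in body]


def audit(conf_text):
    """Return findings for the three hardening rules; [] means all are met."""
    stmts, _ = parse_block(tokenize(conf_text))
    options = statement(stmts, "options")[1] or []
    findings = []
    if statement(options, "version")[0] is None:
        findings.append("options: no 'version' string, the real BIND version is exposed via version.bind")
    xfer = acl(options, "allow-transfer")
    if xfer is None:
        findings.append("options: no 'allow-transfer', zone transfers depend on BIND's default")
    elif "any" in xfer:
        findings.append("options: allow-transfer { any; } lets anyone dump every zone")
    recursion = statement(options, "recursion")[0]
    recursion_on = recursion is None or recursion[1] == "yes"     # BIND default is yes
    query = acl(options, "allow-query")
    if recursion_on and (query is None or "any" in query) and acl(options, "allow-recursion") is None:
        findings.append("options: recursion on and allow-query unrestricted; add allow-recursion or recursion no")
    for head, body in stmts:                    # a zone can override the global ACL
        if head and head[0] == "zone":
            zone_xfer = acl(body or [], "allow-transfer")
            if zone_xfer is not None and "any" in zone_xfer:
                zname = head[1].strip('"')
                findings.append(f"zone {zname}: allow-transfer {{ any; }} overrides the global ACL")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

The weak configuration yields three findings and the hardened one none. This is a pre-deployment sanity check only; the authoritative syntax check remains BIND's own named-checkconf, and the external dig checks described above confirm what the running server actually answers.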