Saturday, January 1, 2011

Secure DNS accesses

You will need to restrict services as defined below, but pay special attention to dynamic updates if you are using, or planning to use, them.

    allow udp 53 in  from outside to dns server                    [queries to your server]
    allow udp 53 in  from dns server to outside                    [queries from your server]
    allow tcp 53 in  from secondaries or ISP server to dns server  [zone transfers from your server]
    allow tcp 53 out from dns server to outside                    [zone transfers from primaries, for which you are a secondary]
Note: queries normally use UDP, but they also use TCP in some cases (a client retries over TCP when a UDP answer is truncated, and apparently also under load), so restricting queries to UDP may cause headaches in some situations.
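The rule list above written out as iptables commands, as an added example that is not part of the original post, for the case where the firewall runs on the DNS server itself ("to dns server" becomes INPUT, "from dns server" becomes OUTPUT). The interface name, the secondary addresses and the ALLOW_TCP_QUERIES switch are my assumptions; the function only prints the commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: the post's rule list as iptables commands, for the case where
# the firewall runs on the DNS server itself ("to dns server" -> INPUT,
# "from dns server" -> OUTPUT). Interface name and addresses below are
# constructed sample values, not from the post; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
SECONDARIES="${SECONDARIES:-192.0.2.2 192.0.2.3}"   # secondaries / ISP server allowed to pull zones

# dns_firewall_rules: print the iptables commands for review; apply with
#   dns_firewall_rules | sh
dns_firewall_rules() {
    # Stateful baseline: replies to traffic permitted below need no extra rules.
    echo "iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 1. queries to your server
    echo "iptables -A INPUT  -i $WAN_IF -p udp --dport 53 -j ACCEPT"
    # 2. queries from your server
    echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    # 3. zone transfers from your server: only the secondaries / ISP server
    for src in $SECONDARIES; do
        echo "iptables -A INPUT  -i $WAN_IF -p tcp -s $src --dport 53 -j ACCEPT"
    done
    # 4. zone transfers from primaries for which you are a secondary
    #    (the same rule carries TCP retries of your own outbound queries)
    echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT"

    # The note on UDP vs TCP: clients retry over TCP when a UDP answer is
    # truncated, so a UDP-only rule 1 breaks some lookups. Inbound TCP 53 is
    # therefore opened by default; set ALLOW_TCP_QUERIES=no to keep rule 3 strict.
    if [ "$ALLOW_TCP_QUERIES" != no ]; then
        echo "iptables -A INPUT  -i $WAN_IF -p tcp --dport 53 -j ACCEPT"
    fi
    # Everything else on port 53 is left to the chains' (assumed) default DROP policy.
}

dns_firewall_rules
```

With ALLOW_TCP_QUERIES left at its default, the source restriction in rule 3 no longer limits who can open TCP 53 to the server, so zone transfers must also be restricted in the name server's own allow-transfer ACL.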

If you want to enable dynamic updates despite the additional risk, use TSIG to authenticate the hosts allowed to make updates, and always restrict updates via an ACL.
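An added example for the dynamic-update advice, not from the original post: the weak name-server setting beside its hardened form, plus a small audit that flags an allow-update or allow-transfer statement granting "any". BIND 9 syntax, the zone and key names, the secondary addresses and the config path are all assumptions (the post names no particular server), and the TSIG secret is a placeholder.

```shell
#!/bin/sh
# Added example for the dynamic-update advice above. BIND 9 syntax, the zone
# and key names, the secondary addresses and the config path are assumptions;
# the post names no particular server. The TSIG secret is a placeholder.

# Constructed sample of the weak form: any host may pull the zone or update it.
WEAK_CONF='
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
    allow-update { any; };
};'

# Hardened form: transfers only to the listed secondaries, updates only from
# clients whose requests are signed with the TSIG key (the ACL the post asks for).
# Generate the secret with tsig-keygen and keep it out of version control.
HARDENED_CONF='
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

acl "secondaries" { 192.0.2.2; 192.0.2.3; };

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
    allow-update { key "ddns-key"; };
};'

# Matches a single-line allow-update or allow-transfer statement that grants "any".
AUDIT_PATTERN='allow-(update|transfer)[[:space:]]*[{]([^}]*[[:space:];{])?any[[:space:]]*;'

# audit_named_conf [file]: read a config (file or stdin), print one WEAK:
# line per offending statement, return 1 if any were found, else 0.
audit_named_conf() {
    if [ $# -gt 0 ] && [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    findings=$(grep -nE "$AUDIT_PATTERN" "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/WEAK: /'
        return 1
    fi
    return 0
}

# Stand-alone run: audit the weak sample and show the replacement on failure.
# For a live server: audit_named_conf /etc/named.conf   (path assumed)
printf '%s\n' "$WEAK_CONF" | audit_named_conf || printf 'Replace with:%s\n' "$HARDENED_CONF"
```

The audit only looks at statements written on one line, which is how they are usually generated; the point is to catch the two settings this post says to restrict before the server is reloaded.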

