Tuesday, April 1, 2008

Securing an Internet Name Server

Name servers exposed to the Internet are subject to a wide variety of attacks:

• Attacks against the name server software may allow an intruder to compromise the server and take control of the host.

• Denial of service attacks, even one directed at a single DNS server, may affect an entire network by preventing users from translating hostnames into necessary IP addresses.

• Spoofing (cache poisoning) attacks try to induce your name server to cache false resource records, which could lead unsuspecting users to unsavory sites.

• Information leakage from a seemingly innocent zone transfer could expose internal network topology information that can be used to plan further attacks.

• A name server could even be an unwitting participant in attacks on other sites.

How to Protect your Name Server (BIND 8/9)

1. Restricting zone transfers
With BIND 8 or 9, use the allow-transfer substatement, either at the server level (it then applies to every zone that does not override it):
options {
    allow-transfer { 192.168.4.154; };
};
or specific to a zone:
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.168.4.154; };
};

2. Authenticate zone transfers with TSIG (Transaction Signatures)
TSIG uses a shared-secret cryptographic signature (an HMAC over the DNS message) to authenticate zone transfer requests and the authoritative zone data they return, so a transfer is no longer granted on source IP address alone. On the master:
key tsig-signing. {
    algorithm hmac-md5;    // as in the original post; newer BIND releases also support hmac-sha256
    secret "base64-encoded-shared-secret-here";    // placeholder: BIND expects a base64 string, e.g. one generated with dnssec-keygen
};
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key tsig-signing.; };
};
Correspondingly, the slave name servers must also contain the shared key, and must be told to sign their requests to the master with it:
key tsig-signing. {
    algorithm hmac-md5;
    secret "base64-encoded-shared-secret-here";    // must be identical to the master's secret
};
server 192.168.4.47 {
    transfer-format many-answers;
    keys { tsig-signing.; };    // sign all requests to this server (the master) with the shared key
};
zone "example.com" {
    type slave;
    masters { 192.168.4.47; };    // the master's address, matching the server statement above
    file "bak.example.com";
    allow-transfer { none; };    // the slave does not hand the zone out further
};
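A quick way to confirm that sections 1 and 2 have actually been applied across a whole named.conf is to audit the file rather than eyeball it. The script below is an added example, not part of the original post and not a BIND tool: it tokenises named.conf's brace/semicolon syntax, finds the effective allow-transfer list for each zone (the zone's own, or the one inherited from options), and rates it as open, IP-only, TSIG-protected or closed. It assumes that a missing allow-transfer falls back to the older BIND default of permitting transfers to any host, and the sample configuration (key name, zone names, addresses, placeholder secret) is constructed for illustration.

```python
"""Audit zone-transfer restrictions in a BIND named.conf-style file.

Added example, not BIND's own tooling: it parses the brace/semicolon
syntax of named.conf and reports, per zone, who may pull an AXFR and
whether that restriction relies on source IP alone or on a TSIG key.
"""
import re

# Tokens: quoted strings, the three punctuation characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text: str) -> str:
    """Remove the C, C++ and shell-style comments named.conf allows.
    (Simplification: does not protect '//' or '#' inside quoted strings.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse(text: str) -> list:
    """Parse into nested statements: each is (words, children), where
    children is the parsed `{ ... }` body or None for a simple statement."""
    tokens = TOKEN.findall(strip_comments(text))
    pos = 0

    def block() -> list:
        nonlocal pos
        stmts, words, children = [], [], None
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                children = block()          # recurse into the nested body
            elif tok == "}":
                return stmts                # end of this body
            elif tok == ";":
                if words or children is not None:
                    stmts.append((words, children))
                words, children = [], None
            else:
                words.append(tok.strip('"'))
        return stmts

    return block()


def classify_acl(acl) -> str:
    """Rate an allow-transfer ACL body. Entries are OR-ed together, so a
    single weak entry weakens the whole list."""
    if acl is None:
        # No allow-transfer anywhere: older BIND releases default to `any`.
        return "OPEN (BIND default: any host may transfer)"
    kinds = set()
    for words, _ in acl:
        if not words:
            continue
        if words[0] == "any":
            kinds.add("any")
        elif words[0] == "none":
            kinds.add("none")
        elif words[0] == "key":
            kinds.add("key")
        else:
            kinds.add("addr")  # IP, prefix or named ACL: source address only
    if "any" in kinds:
        return "OPEN (allow-transfer { any; })"
    if kinds <= {"none"}:
        return "CLOSED (transfers disabled)"
    if "addr" in kinds:
        return "IP-ONLY (restricted by source address; TSIG absent or optional)"
    return "TSIG (transfer requires a request signed with a shared key)"


def audit(text: str) -> dict:
    """Map each zone name to the rating of its effective allow-transfer list."""
    conf = parse(text)
    default_acl = None
    for words, children in conf:
        if words[:1] == ["options"] and children:
            for w, c in children:
                if w[:1] == ["allow-transfer"]:
                    default_acl = c
    report = {}
    for words, children in conf:
        if words[:1] == ["zone"] and children:
            zone_acl = next((c for w, c in children if w[:1] == ["allow-transfer"]), None)
            effective = zone_acl if zone_acl is not None else default_acl
            report[words[1]] = classify_acl(effective)
    return report


# Constructed sample configuration (not a real deployment): one zone of each kind.
SAMPLE_CONF = """
key tsig-signing. { algorithm hmac-sha256; secret "PLACEHOLDER"; };
options { directory "/var/named"; };           // no global allow-transfer
zone "example.com" { type master; file "db.example.com";
    allow-transfer { key tsig-signing.; }; };
zone "internal.example" { type master; file "db.internal";
    allow-transfer { 192.168.4.154; }; };
zone "legacy.example" { type master; file "db.legacy";
    allow-transfer { any; }; };
zone "forgotten.example" { type master; file "db.forgotten"; };
"""

if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE_CONF).items():
        print(f"{zone:20} {verdict}")
```

Run it against a real named.conf by replacing SAMPLE_CONF with the file's contents; any zone reported OPEN or IP-ONLY is a candidate for the allow-transfer and TSIG changes described in sections 1 and 2. The parser deliberately ignores everything except options and zone statements, so include directives and views are not followed.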

3. Run your name server as a user other than root (BIND 8.1.2 and up).
4. Run your name server in a chroot() "jail".
