Top 10 DNS Security Protection Techniques in Linux (1)

Source: Internet
Author: User
Tags: dns, tools

[Bkjia.com exclusive article] There are ten tips for protecting DNS security on Linux; this part covers the first four.

1) Restrict recursive queries on the name server

Recursion is what lets a name server chase down answers for names it is not authoritative for, caching whatever it receives along the way. Disabling recursive queries puts the name server into a passive mode: when it receives a query, it answers only for the zones it is authoritative for and does not fetch or cache any external data, so there is no cache for a cache-poisoning attack to target. The downside is that clients which relied on this server for recursion can no longer resolve Internet names through it and must be pointed at a separate recursive resolver, which costs some speed and efficiency in name resolution. In BIND the choices are recursion no; for a purely authoritative server, or the allow-recursion clause to keep recursion but only for trusted clients; every other client still receives authoritative answers for the server's own zones.

The following allow-recursion clause, placed in the options statement of /etc/named.conf, allows recursive queries only from hosts in the 172.168.10.0/24 network segment:

options {
    allow-recursion { 172.168.10.0/24; };
};

2) Restrict zone transfers

If zone transfers are not restricted, the DNS server hands a copy of the whole zone to anyone who asks for one (an AXFR request). The host names and IP addresses of every machine in the network, the names and addresses of the routers, and, if the zone carries HINFO or LOC records, even the hardware configuration and location of each host are then there for an intruder to collect. Restricting, in the DNS configuration file, which hosts are permitted to transfer the zone mitigates this information leakage to some extent. It does not solve the problem at its root, though: even with transfers completely blocked, an attacker can use DNS tools to query every address in the domain's address space in turn, work out which addresses are unallocated, and then use IP spoofing from one of those idle addresses to pose as a host on the server's trusted network and request a zone transfer. Two practical caveats: AXFR runs over TCP, so blindly spoofing a trusted address is harder than it sounds, but address lists alone remain a weak control, and BIND can additionally require a TSIG key in allow-transfer so that only secondaries holding the shared secret can transfer the zone.

The following statements define an ACL named list containing 221.3.131.5 and 221.3.131.6 and allow only those two hosts to transfer the test.com zone from this server:

acl list { 221.3.131.5; 221.3.131.6; };

zone "test.com" {
    type master;
    file "test.com";
    allow-transfer { list; };
};

3) Restrict queries

Letting anyone on the Internet send queries to a server that only needs to serve a known set of clients is unacceptable. Limiting the scope of service of the DNS server keeps many intruders outside the door. To allow queries only from the 210.10.0.0/16 and 211.10.0.0/16 CIDR blocks, add the following allow-query clause to the options statement in the BIND configuration file /etc/named.conf. Write the prefix length so that it matches the address: 210.10.0.0 describes a /16 network, not a /8, and BIND rejects a prefix whose address has bits set outside the mask (address/prefix length mismatch). This restriction suits an internal server; a server that is authoritative for public zones must still answer queries for those zones from anyone, so there it is recursion (tip 1), not queries in general, that should be restricted.

options {
    allow-query { 210.10.0.0/16; 211.10.0.0/16; };
};
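The three settings above fail quietly, because a missing clause falls back to a permissive default. The following Python script is an added example, not code from the original article and not a BIND tool: it parses the subset of named.conf syntax used on this page (acl, options and zone statements), flags the three weaknesses the tips address, and runs against two constructed configurations, one weak and one with the tips applied. The ACL names, file names and address ranges in those samples are placeholders.

```python
"""Audit a named.conf fragment for the three settings in tips 1-3.
Added example, not code from the original article and not a BIND tool: a
small parser for the subset of named.conf syntax shown on this page (acl,
options and zone statements) plus checks for open recursion, a missing
allow-query clause and unrestricted zone transfers. Both sample
configurations below are constructed for the demonstration.
"""
import re

# Constructed sample 1: recursion open to every client, no allow-query at
# all, and the second zone has no allow-transfer clause of its own.
WEAK_CONF = """
acl "xfer" { 221.3.131.5; 221.3.131.6; };
options { recursion yes; };
zone "test.com" { type master; file "test.com"; allow-transfer { xfer; }; };
zone "internal.test.com" { type master; file "internal.test.com"; };
"""

# Constructed sample 2: the same server with tips 1-3 applied; the global
# allow-transfer { none; } covers every zone that names no secondaries.
HARDENED_CONF = """
acl "xfer" { 221.3.131.5; 221.3.131.6; };
acl "lan" { 172.168.10.0/24; };
options {
    recursion yes;
    allow-recursion { lan; };
    allow-query { lan; 210.10.0.0/16; 211.10.0.0/16; };
    allow-transfer { none; };
};
zone "test.com" { type master; file "test.com"; allow-transfer { xfer; }; };
zone "internal.test.com" { type master; file "internal.test.com"; };
"""

_BLOCK_START = re.compile(r'\s*([a-z-]+)\s*(?:"([^"]*)")?\s*\{')


def top_level_blocks(text):
    """Return [(keyword, name_or_None, body)] for each top-level `kw ["name"] { ... };`."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # C-style comments
    text = re.sub(r"(//|#).*", "", text)                # line comments
    blocks, pos = [], 0
    while True:
        m = _BLOCK_START.match(text, pos)
        if not m:
            break
        depth, end = 1, m.end()
        while depth and end < len(text):                # walk to the matching brace
            depth += (text[end] == "{") - (text[end] == "}")
            end += 1
        blocks.append((m.group(1), m.group(2), text[m.end():end - 1]))
        tail = re.match(r"\s*;", text[end:])            # the statement's closing ';'
        pos = end + (tail.end() if tail else 0)
    return blocks


def clause(body, name):
    """Entries of `name { a; b; };` in body as a list, or None when absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def setting(body, name):
    """Value of a simple `name value;` statement, or None when absent; the
    lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    m = re.search(r"(?<![\w-])%s\s+([^;{}]+);" % re.escape(name), body)
    return m.group(1).strip() if m else None


def audit(conf):
    """Findings for tips 1-3 as strings; an empty list means all three pass."""
    findings = []
    blocks = top_level_blocks(conf)
    options = next((body for kw, _, body in blocks if kw == "options"), "")
    # Tip 1: BIND defaults to recursion yes, so recursion with no
    # allow-recursion list is an open resolver (poisonable cache, reflection).
    if setting(options, "recursion") != "no" and clause(options, "allow-recursion") is None:
        findings.append("options: recursion is enabled for every client (no allow-recursion)")
    # Tip 3: without allow-query the server answers anyone on the Internet.
    if clause(options, "allow-query") is None:
        findings.append("options: no allow-query clause, queries accepted from any source")
    # Tip 2: each primary zone needs allow-transfer, its own or the global one;
    # older BIND releases otherwise transfer the zone to anyone who asks.
    global_xfer = clause(options, "allow-transfer")
    for kw, name, body in blocks:
        if kw != "zone" or setting(body, "type") not in ("master", "primary"):
            continue
        xfer = clause(body, "allow-transfer")
        if xfer is None:
            xfer = global_xfer
        if xfer is None:
            findings.append('zone "%s": zone transfer (AXFR) allowed to anyone' % name)
        elif "any" in xfer:
            findings.append('zone "%s": allow-transfer { any; } is no restriction' % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

Run the file with python3: the weak configuration yields three findings and the hardened one none. named-checkconf remains the tool for syntax, since this parser ignores include statements and the many other named.conf forms. On a live server the same three properties can be confirmed with dig: a recursive query for a name outside the server's zones, sent from an untrusted address, should come back REFUSED or without the ra flag; dig @server test.com AXFR from an untrusted address should report "Transfer failed."; and any query from outside the allow-query range should be REFUSED.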

4) Split DNS

Split DNS divides the DNS system into an internal part and an external part. The external DNS server sits in the public service area (the DMZ) and handles normal resolution for the outside world; the internal DNS server resolves hosts on the internal network. When an internal client queries a name on the Internet, the internal server forwards the query to the external server, which completes it. Users on the Internet therefore see only the external DNS server, never the internal one, and the only DNS traffic crossing the boundary is the query exchange between the two servers. Besides limiting the exposure of the internal server, this keeps the internal host list from leaking to outsiders.

In BIND 9, a single server can implement split DNS with the view statement, which serves different zone data to different clients. Its syntax is:

view view_name {
    match-clients { address_match_list };
    [ view_option; ... ]
    zone_statement; ...
};

Where:

◆ match-clients: this clause is the important one; it specifies which clients see this view. Other options may also be set inside the view statement, and they override the global options for clients served by that view.

◆ zone_statement: specifies the zone declarations visible in this view. Once any view statement is used, every zone statement in the configuration must appear inside a view. Views are tried in the order they appear, and a client is served by the first view whose match-clients list matches it, so for the same zone the view for the intranet must be placed before the view for the Internet, whose match-clients is typically any.

The following example of the view statement comes from the BIND 9 Administrator Reference Manual:

view "internal" {
    // Match clients on the intranet
    match-clients { our-nets; };
    // Intranet clients may perform recursive queries
    recursion yes;
    // Zone declaration visible to intranet clients
    zone "example.com" {
        type master;
        file "example.com.hosts.internal";
    };
};

view "external" {
    // Match everyone else (Internet clients)
    match-clients { any; };
    // Internet clients may not perform recursive queries
    recursion no;
    // Zone declaration visible to Internet clients
    zone "example.com" {
        type master;
        file "example.com.hosts.external";
    };
};

Next, create the zone file visible to intranet clients as example.com.hosts.internal and the zone file visible to Internet clients as example.com.hosts.external; the our-nets ACL referenced above must be defined with an acl statement listing your internal networks. Adapt the contents described above to your own situation.
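Because a client is served by the first view whose match-clients list matches it, a misordered view list fails quietly: intranet clients simply receive the external data. The following Python script is an added example, not code from the original article or from BIND; it models BIND's address_match_list evaluation and first-match view selection on constructed data so the ordering rule can be checked without a running name server. The contents of our-nets, which the BIND example above uses without defining, and the client addresses are assumptions.

```python
"""Model BIND view selection to show why the order of view statements matters.
Added example, not code from the original article or from BIND: it mirrors
BIND's rule that views are tried in configuration order and a client is
served by the FIRST view whose match-clients list matches its source address.
The ACL contents (our-nets is used but not defined in the BIND example above)
and the client addresses are constructed assumptions.
"""
import ipaddress

# Named ACLs as acl statements would define them; any and none are built in.
ACLS = {
    "our-nets": ["10.0.0.0/8", "192.168.0.0/16"],  # assumed intranet ranges
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Views in named.conf order: (view name, match-clients address_match_list).
VIEWS = [
    ("internal", ["our-nets"]),
    ("external", ["any"]),
]


def match_list(addr, entries):
    """Evaluate a BIND address_match_list: the first matching entry decides.

    A matching negated entry (!x) rejects the address outright; when no entry
    matches, the list does not match. Entries are prefixes, single addresses
    or the names of other ACLs.
    """
    addr = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    for entry in entries:
        negate = entry.startswith("!")
        target = entry[1:] if negate else entry
        if target in ACLS:
            hit = match_list(addr, ACLS[target])
        else:
            # ip_address in ip_network is False across IPv4/IPv6, as in BIND.
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the first view that matches client_ip; None means no view will
    serve the client, which is when BIND refuses the query."""
    for name, match_clients in views:
        if match_list(client_ip, match_clients):
            return name
    return None


def shadowed_views(views):
    """Views listed after a match-clients { any; } view; they can never be reached."""
    shadowed, catch_all = [], False
    for name, match_clients in views:
        if catch_all:
            shadowed.append(name)
        elif "any" in match_clients:
            catch_all = True
    return shadowed


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.5.9", "203.0.113.7", "2001:db8::1"):
        print(ip, "->", select_view(ip))
    # Same two views, wrong order: the catch-all now comes first, so intranet
    # clients get the external zone data and "internal" is dead configuration.
    wrong = list(reversed(VIEWS))
    print("10.1.2.3 with views reversed ->", select_view("10.1.2.3", wrong))
    print("shadowed views:", shadowed_views(wrong))
```

Reversing the two views makes every client, intranet included, land in external, and shadowed_views reports internal as unreachable. The negation handling mirrors BIND's rule that a matching !entry rejects the address rather than merely being skipped, which is why an exclusion such as !10.0.0.5 must come before 10.0.0.0/8 in a list meant to exclude that one host.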

