DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)

DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual 529432-003
Assuming that you want to use DNS internally, you can apply a combination of the following tools to secure the environment. (All of these tools are available in the nonsecure DNS product on the NonStop system, in the /etc/dns923/ OSS directory.)

Use ACLs on page 3-9
Conceal the BIND Version on page 3-15
Protect the Configuration File: Restrict the Privilege of named and Run It in a chroot-jail on page 3-15
Use TSIG on page 3-16
Configure Views on page 3-18
Use Firewalls and a Bastion Host on page 3-19
Use Public Key Cryptography: DNSSEC on page 3-20

Assuming that you want to connect your DNS environment to the Internet, HP strongly recommends that you apply a robust security configuration and consider using a combination of the preceding tools. In addition, HP recommends reading all pertinent RFCs and DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu.
Use ACLs
By using access control lists, you can help address the security risks involved in queries, zone transfers, and updates. (For information about these threats, see Zone Transfer Threat on page 3-5, Dynamic Update Threat on page 3-6, and Remote Query Threat on page 3-7.) ACLs rely on trust relationships between servers and clients: an ACL restricts access to DNS information according to the source IP address of the request. Because the source address is the only thing checked, these restrictions remain vulnerable to IP address spoofing (an attacking node sending requests that carry the IP address of a trusted node). An ACL therefore identifies a peer but does not authenticate it.
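The following Python is an added illustration, not code from this manual and not BIND's own implementation. It evaluates a BIND-style address match list the way named's access checks do: elements are tried in order, the first match decides, a leading "!" turns a match into a denial, a nested ACL counts only when it matches positively, a "key NAME" element matches only a request that carried a valid TSIG signature by that key, and no match means deny. The policy (the ACL names internal and secondaries, the key names xfer-key and ddns-key, and all addresses) is constructed for the example and is an assumption, not configuration from the manual.

```python
"""Evaluate BIND-style address match lists (ACLs) as named applies them.

Added example; not from the HP manual and not BIND source.  Semantics modelled
after the BIND Administrator Reference Manual: first match wins, "!" negates,
"key NAME" matches a TSIG signer rather than an address, a nested ACL counts
only on a positive inner match, and no match at all is a denial.
"""
import ipaddress

# Constructed sample policy (assumed), equivalent to this named.conf fragment:
#
#   acl "internal"    { !192.0.2.13; 10.0.0.0/8; 192.0.2.0/24; };
#   acl "secondaries" { 198.51.100.2; key "xfer-key"; };
#   options {
#       allow-query    { internal; };
#       allow-transfer { secondaries; };
#       allow-update   { key "ddns-key"; };   # no address at all: TSIG only
#   };
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "internal": ["!192.0.2.13", "10.0.0.0/8", "192.0.2.0/24"],
    "secondaries": ["198.51.100.2", "key xfer-key"],
}
ALLOW_QUERY = ["internal"]
ALLOW_TRANSFER = ["secondaries"]
ALLOW_UPDATE = ["key ddns-key"]


def match_list(elements, addr, signer, acls, depth=0):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    if depth > 16:
        raise ValueError("ACL nesting too deep; check for a reference cycle")
    for element in elements:
        negate = element.startswith("!")
        name = element[1:].strip() if negate else element.strip()
        if name.startswith("key "):
            # TSIG key element: compares the request's verified signer, not its IP.
            matched = signer is not None and signer == name[4:].strip().strip('"')
        elif name in acls:
            # Nested ACL: a negative match inside it is treated as "no match", so
            # "!nested" can never turn into an allow through double negation.
            matched = match_list(acls[name], addr, signer, acls, depth + 1) > 0
        else:
            network = ipaddress.ip_network(name, strict=False)
            matched = addr.version == network.version and addr in network
        if matched:
            return -1 if negate else 1
    return 0


def is_allowed(elements, source_ip, signer=None, acls=ACLS):
    """True if a request from source_ip (optionally TSIG-signed by signer) passes."""
    addr = ipaddress.ip_address(source_ip)
    return match_list(elements, addr, signer, acls) > 0


if __name__ == "__main__":
    print(is_allowed(ALLOW_QUERY, "192.0.2.10"))   # True
    print(is_allowed(ALLOW_QUERY, "192.0.2.13"))   # False: the !element fires first
    # First match wins: listed after the prefix, the negation never takes effect.
    print(is_allowed(["192.0.2.0/24", "!192.0.2.13"], "192.0.2.13"))   # True
    # The check sees only the source address, so a spoofed 198.51.100.2 passes;
    # the key element passes only with a verified TSIG signature.
    print(is_allowed(ALLOW_TRANSFER, "198.51.100.2"))                     # True
    print(is_allowed(ALLOW_TRANSFER, "203.0.113.9"))                      # False
    print(is_allowed(ALLOW_TRANSFER, "203.0.113.9", signer="xfer-key"))   # True
    print(is_allowed(ALLOW_UPDATE, "192.0.2.10"))                         # False
    print(is_allowed(ALLOW_UPDATE, "192.0.2.10", signer="ddns-key"))      # True
```

Two points the evaluator makes concrete. Order matters: a deny element must precede the broader prefix it carves out of, or it is never reached. And an address-only list cannot tell a spoofed 198.51.100.2 from the real secondary, which is why a key element (TSIG, described later in this section) belongs in any allow-transfer or allow-update list rather than addresses alone.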
ACL transactions include:
Table 3-2. Possible Solutions for DNS Security Threats*

Type of Threat          ACLs help?   Administrative techniques help?   TSIG helps?   DNSSEC helps?
Denial of Service       No           No                                No            No
Name Chaining Attacks   No           No                                Yes           Yes
Cache Poisoning         Yes          No                                No            No
Glue records            No           No                                No            Partially
Dynamic update          No           No                                Yes           Yes
Data corruption         No           Yes                               No            No

* Source: RFC 3833, "Threat Analysis of the Domain Name System (DNS)"