DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)
DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual—529432-003
3-10
Use ACLs
• Queries—By default, a DNS server answers recursive queries from any node. In
some cases, this arrangement may expose the name server to denial-of-service
attacks from the Internet, where a malicious user floods the name server with
recursive queries.
• Zone Transfers—By default, a DNS server sends the contents of its zone
databases to any node that requests this content. In some cases, attackers can
use this information to determine your infrastructure or the addresses of routers
and other machines vulnerable to attack. To avoid this problem, you can restrict
zone transfers to the other servers in the zone.
Although IP-based ACLs are relatively easy to subvert, they are much better than
nothing and require very little work. If you were to run with multiple masters and no
slaves, you would eliminate the threat entirely.
• Updates—By default, a DNS server does not accept any requests to update its
resource records. However, you may want a DNS server to accept updates from
specific systems, such as DHCP servers.
If you are using Dynamic DNS, the DHCP server sends update requests to the
DNS server that map the client host names to dynamically assigned IP addresses.
See Dynamic Update on page 2-4.
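
The three restrictions above in one configuration fragment. This is an added example, not taken from the HP manual. It assumes the server reads BIND 9 style named.conf statements; the ACL names, addresses (documentation ranges), zone name and file name are constructed placeholders.

```conf
// Constructed example. Addresses are RFC 5737 documentation ranges;
// replace them with your own resolver clients, secondaries and DHCP servers.

acl "internal-clients" { localhost; 192.0.2.0/24; };   // hosts allowed to recurse
acl "secondaries"      { 198.51.100.53; };             // other servers in the zone
acl "dhcp-servers"     { 192.0.2.10; };                // systems allowed to update

options {
    // Queries: the default described above answers recursive queries from
    // any node. Limit recursion to known clients so outside hosts cannot
    // flood the server with recursive lookups.
    allow-recursion { "internal-clients"; };

    // Zone transfers: refuse by default. Each zone that needs transfers
    // names its own peers below, so a new zone is never exposed by omission.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.db";            // placeholder file name

    // Zone transfers: only the other servers in the zone may pull the data.
    allow-transfer { "secondaries"; };

    // Updates: refused unless listed. Only the DHCP server may send
    // dynamic updates that map client host names to assigned addresses.
    allow-update { "dhcp-servers"; };
};
```

All three lists match on source IP address only, so the caveat above about IP-based ACLs being relatively easy to subvert applies to each of them.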










