DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)
DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual—529432-003
transfer directive once in the options statement instead of repeating it for each zone:
options {
    allow-transfer { dns-servers; };
};
Conceal the BIND Version
By default, your name server returns its BIND version information to version.bind queries. Knowing which version of BIND you are running can enable a hacker to tailor attacks to your system, so HP recommends that you use the options version substatement to override the version information with an alternate phrase as shown:
options {
    version "Restricted";
};
To configure your name server either not to return anything when queried for its version, or to provide version information to authorized requestors, see DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu, which describes this more complex procedure.
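The two options-statement settings above (a restricted allow-transfer list and an overridden version string) are easy to check mechanically before a configuration goes live. The following audit script is an added example, not part of this manual or of BIND; the named.conf fragments it reads are constructed for illustration, and the ACL name dns-servers is assumed from the example above.

```python
import re

# Constructed named.conf fragments (not from the manual) used as sample input.
HARDENED_CONF = """
acl dns-servers { 192.0.2.10; 192.0.2.11; };
options {
    directory "/var/named";
    allow-transfer { dns-servers; };
    version "Restricted";
};
"""

WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""

def options_block(conf: str) -> str:
    """Return the body of the top-level options { ... } statement, or '' if absent.
    Braces are counted so nested statements such as allow-transfer { ... } are kept."""
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[start.end():i - 1] if depth == 0 else ""

def audit_named_conf(conf: str) -> list[str]:
    """Report the two hardening gaps discussed in the manual: zone transfers
    open to any host, and a server that still discloses its real BIND version."""
    findings = []
    body = options_block(conf)
    if not body:
        return ["no options statement found"]
    transfer = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not transfer:
        findings.append("allow-transfer missing: zone transfers open to any host")
    elif re.search(r"\bany\b", transfer.group(1)):
        findings.append("allow-transfer { any; }: zone transfers open to any host")
    if not re.search(r'version\s+"[^"]*"\s*;', body):
        findings.append("version not overridden: BIND version disclosed via version.bind")
    return findings
```

Running audit_named_conf on the weak fragment returns two findings; on the hardened fragment it returns an empty list.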
Protect the Configuration File: Restrict the Privilege of named and Run It in a chroot-jail
As noted previously, the named.conf file can contain data that is of interest to an intruder. The named demon usually runs with privileged access, which increases the security risk if any vulnerabilities are found. To decrease this risk, run named as a nonprivileged user and put its files in a restricted file system called a chroot-jail. A chroot-jail contains any intrusion: a successful attack on named running as a nonprivileged user in a chroot-jail allows the attacker to modify only files owned or writable by that nonprivileged user, and the rest of the system is protected.
Note. This solution is not completely secure because a rogue system could spoof one of the slave servers and obtain a zone update by using the slave server's IP address.