Protecting a Name Server from Spoofing

7.15.1 Problem

You want to protect a name server from spoofing attacks.

7.15.2 Solution

On a BIND 8.2 or later name server, set the use-id-pool options substatement to yes. This tells the name server to use better, optional randomization routines to choose message IDs for the header of DNS queries. Because the message IDs are harder to guess, it is more difficult to spoof a response to those queries. (On a BIND 9 name server, you don't need use-id-pool, since the better randomization routines are now standard.)

Also, use the allow-recursion options substatement, as described in Section 7.12, to restrict which networks the name server will accept recursive queries from. If it doesn't accept recursive queries from arbitrary addresses on the Internet, hackers will find it harder to induce the name server to query name servers under their control and thereby poison its cache.

Finally, you might use the technique introduced in Section 7.7, configuring the name server as authoritative for important internal zones. The name server will ignore records from your internal zones in answers from remote name servers, making it hard for a hacker to spoof data in those zones.
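As an added illustration (not from the cookbook), the three measures in this recipe combined in one named.conf fragment for a BIND 8.2 or later server; the "internal" ACL name, the 192.168.0.0/16 range, the corp.example zone and its file name are assumed placeholders.

```conf
// Added example, not from the cookbook: BIND 8.2+ named.conf fragment
// showing the anti-spoofing substatements from this recipe. The ACL,
// network range, zone name and file name are constructed placeholders.

// Constructed ACL: the only networks this server will recurse for.
acl "internal" {
    192.168.0.0/16;    // constructed example range
    127.0.0.1;
};

options {
    directory "/var/named";

    // Before: the defaults leave message IDs predictable and accept
    // recursive queries from anywhere (same as omitting these lines):
    //   use-id-pool no;
    //   allow-recursion { any; };

    // After: randomized message IDs (BIND 8.2 or later; BIND 9 treats
    // this option as obsolete because the randomization is always on).
    use-id-pool yes;

    // After: only internal resolvers may send recursive queries, so a
    // remote party cannot make this server chase referrals to servers
    // under their control and poison its cache.
    allow-recursion { "internal"; };
};

// Authoritative for an important internal zone (the Section 7.7
// technique): records for corp.example seen in answers from remote name
// servers are ignored in favour of the local zone data.
zone "corp.example" {
    type master;
    file "db.corp.example";   // constructed file name
};
```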

7.15.3 Discussion

If the name server doesn't serve any recursive queriers, of course, configure it as an authoritative-only name server, as described in Section 7.6.

7.15.4 See Also

Section 7.7 for loading internal zones and Section 7.12 for use of the allow-recursion substatement, or Section 7.6 for configuring an authoritative-only name server.