Securing BIND Domain Name System (DNS)

Here is some of my advice on what would provide a more secure BIND:

  • Don’t use the BIND package that comes with your distribution of Linux; download the latest from BIND website (http://www.isc.org).
  • Place BIND in a chroot jail. This is the best thing to do to protect against remotely exploitable vulnerabilities in BIND that allow attackers to get a shell on the server running BIND. If you don’t chroot your version of BIND and such a vulnerability is discovered, your Linux server and all data on it may be compromised before you have the time to upgrade.
  • Always apply patches and upgrade BIND whenever a bug is discovered or a new version comes out.
  • Secure zone transfers between primary and secondary DNS servers using DNS Transaction Signatures (TSIG).
  • Disable recursion and glue fetching to defend against DNS cache poisoning.
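
The TSIG and recursion advice above, as an added BIND 9 `named.conf` example that is not part of the original post; the key name, the secret placeholder and the 192.0.2.x documentation addresses are constructed, and the chroot path is an assumption:

```conf
// Constructed example for a BIND 9 primary and secondary (not the post's own configuration).
// Start named inside the chroot with:  named -t /var/named/chroot -u named
// Generate a real key with BIND 9's:   tsig-keygen transfer-key

// ----- shared by primary and secondary: the TSIG key -----
key "transfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-REPLACE-ME=";   // never deploy the placeholder
};

// ----- primary (192.0.2.1) -----
options {
    directory "/var/named";          // path is relative to the chroot root
    recursion no;                    // authoritative-only server: no recursion
    allow-recursion { none; };
    allow-query-cache { none; };     // do not hand out cached answers either
    allow-transfer { none; };        // global default: no zone transfers at all
};

// the secondary must sign its AXFR/IXFR requests with the key
server 192.0.2.2 {
    keys { "transfer-key"; };
};

zone "example.com" IN {
    type primary;                    // "master" on BIND before 9.16
    file "example.com.zone";
    allow-transfer { key "transfer-key"; };   // only TSIG-signed transfers
    notify yes;
    also-notify { 192.0.2.2; };
};

// ----- secondary (192.0.2.2), same key block and options as above -----
zone "example.com" IN {
    type secondary;                  // "slave" on BIND before 9.16
    file "example.com.zone.db";
    primaries { 192.0.2.1 key "transfer-key"; };   // "masters" before 9.16
    allow-transfer { none; };        // a secondary has no reason to serve AXFR
};
```

A transfer attempted without the key, or with a different one, is refused and logged by named, which is a simple check that the TSIG restriction is in effect. BIND 8's `fetch-glue` option is not implemented in BIND 9, which does not fetch glue, so on BIND 9 the recursion settings above are what cover the last bullet.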

Although BIND is more popular and easier to configure, consider using TinyDNS, as it has proven to be more secure over the years.
