Elements of DNS

The following configuration guidelines are broad enough to address the basic elements of DNS. Specific configuration steps can be found in the help or man pages. A detailed BIND configuration is also available from Rob Thomas at the CYMRU site, http://www.cymru.com/Documents/secure-bind-template.html.

  • Ensure that the most up-to-date version and patches are running.
  • Restrict dynamic updates in BIND 8 configuration and Microsoft Active Directory.
  • Restrict zone transfers:
    • Set the allow-transfer option in BIND 8 to a specific host (delegation down to the zone within the host can be done as well).
    • Check "only allow access from secondaries included on notify list" in Microsoft DNS.
  • Disable recursive checks and retrieval attempts:
    • In BIND 4 and 8 set "recursion" and "fetch-glue" options to NO.
    • In Microsoft DNS, create the DWORD value HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\NoRecursion and set it to 1 (recursion disabled = true).
  • Restrict queries in BIND 8 by setting an ACL for "allow-query" with those allowed for the appropriate zone.
  • Similarly restrict recursive queries by setting an ACL for "allow-recursion."
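
The BIND 8 guidelines above, combined into one named.conf for an authoritative-only server. This is an added example, not part of the original text or the CYMRU template; the ACL names, zone name, file names and addresses (documentation ranges) are placeholders.

```conf
// named.conf (BIND 8), authoritative-only server.
// All names and addresses below are placeholders (documentation ranges).

acl "secondaries" { 192.0.2.53; };       // hosts allowed to pull zones
acl "internal"    { 198.51.100.0/24; };  // this site's own clients

options {
    directory "/var/named";

    // Disable recursive lookups and glue retrieval on behalf of clients.
    recursion no;
    fetch-glue no;

    // Server-wide defaults: no zone transfers, queries only from
    // known clients, unless a zone statement overrides them.
    allow-transfer { none; };
    allow-query    { internal; };

    // If this server must also resolve for its own clients, use the
    // following in place of "recursion no" above:
    //   recursion yes;
    //   allow-recursion { internal; };
};

zone "example.com" {
    type master;
    file "db.example.com";

    allow-query    { any; };          // public zone, answer everyone
    allow-transfer { secondaries; };  // only the listed secondary
    allow-update   { none; };         // no dynamic updates
};
```

Settings inside a zone statement override the same option in the options block, so the restrictive defaults apply to any zone that does not set its own.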