DNS Secure Configurations

Pro DNS and BIND

Summary

This chapter introduced DNS security by categorizing the topic into administrative security, zone transfers, dynamic updates, and zone integrity. The first three topics are covered in this chapter; zone integrity using DNSSEC.bis is described in Chapter 11.

The administrative security discussion covered the selection and configuration of DNS servers and discussed software updating, limiting functionality, limiting permissions (including sandboxes or chroot jails), log streaming, and the use of multiple sources of both OS and DNS software to reduce the risks involved in running DNS systems. The packaged installation of a chroot jail on Linux Fedora Core 2 and FreeBSD was described, as well as the manual installation of a chroot jail in the absence of an available package.

The chapter described the use of cryptographic techniques to secure various transactions. The various techniques were described in outline for readers unfamiliar with general cryptographic processes, including symmetric (shared-secret) systems, asymmetric (public-key) systems, message digests, MACs, and digital signatures.

The use of simple BIND statements to secure zone transfers by IP address, and the use of TSIG (shared-secret) transactions for the same purpose, were described and illustrated with example files.

The chapter described, with examples, the use of BIND commands to secure dynamic updates using IP addresses. Both SIG(0), using public-key or asymmetric cryptographic techniques, and TSIG (shared-secret) methods to secure dynamic updates were described and again illustrated with example files and configurations.

The next chapter describes the design intent and implementation of DNSSEC (colloquially referred to as DNSSEC.bis) to ensure the source and integrity of zone data during normal query operations.

© 2005 Ron Aitchison

(2005). DNS Secure Configurations. In: Pro DNS and BIND. Apress. https://doi.org/10.1007/978-1-4302-0050-5_10
