Use BIND's access-control settings to wrap up DNS security
You know the fundamentals of DNS security. You've properly distributed your DNS servers in different networks and in geographically diverse locations. You use BIND, the most widely used DNS software on the Internet, and use a version that doesn't have the recently discovered security vulnerabilities. (For information about these security holes, see the sidebar "Keep an Eye on BIND Bugs," page 42.) But using a distributed DNS service and a new BIND version doesn't mean that your DNS service is secure enough to resist attacks. To better protect your DNS service, you can use BIND's basic security functions: access-control settings that you can apply to a BIND DNS server's configuration file. These settings let you restrict recursion, enable forwarding, set up split DNS on one server, permit or reject queries, prevent communications with specific servers, restrict zone transfers and updates, and disguise which version of BIND you use. Before applying these settings, though, you need to be aware of the various versions of BIND.
BIND Versions
BIND has long been a popular method for Internet host name and IP address resolution. The Internet Software Consortium (ISC) develops and maintains BIND source codes, which you can download for free at ftp://ftp.isc.org. The three generations of BIND are BIND 4, BIND 8, and BIND 9; at the time of this writing, the most recent versions are BIND 4.9.8, BIND 8.2.4, and BIND 9.1.3, respectively. However, the ISC has announced that it will no longer actively maintain BIND 4, so if you use that version you might consider switching to BIND 8 or BIND 9.
BIND 8.2.3 and later offer many important features, such as dynamic DNS (DDNS), DNS Security (DNSSEC), Transaction Signature (TSIG), and incremental zone transfer (IXFR). BIND 8.2.3 and later also fix bugs—including the security holes that the CERT Coordination Center (CERT/CC) publicized—from earlier BIND versions. BIND 9.1.3 includes BIND 8.2.3 features plus support for IPv6, multiprocessors, and back-end third-party databases; better DNSSEC capabilities; new portability architecture; and a new View feature that lets you split DNS service on one DNS server. The newer BIND versions also provide better support for Windows 2000. (BIND runs mostly on UNIX and Linux platforms, but developers have ported BIND 8.2.3 and later to Win2K or Windows NT, so you can easily use BIND 8 on Win2K and NT systems, as the sidebar "BIND on Win2K or NT," explains. For information about BIND's support for Win2K, see "Integrating UNIX DNS and Windows 2000," February 2000.)
To tell a BIND DNS server how to behave, BIND uses a text-based configuration file, which is called named.conf in BIND 8 and BIND 9. (BIND 4's configuration file is called named.boot, but because BIND 4 is no longer supported, the examples in this article refer to named.conf.) BIND provides several basic but useful access-control settings that you can add to the file's various sections (e.g., options, zone) to secure your DNS service. Listing 1 shows a sample named.conf file.
Restrict or Prevent Recursion
By default, a BIND DNS server acts as a recursive resolver. (For the basics of how DNS works, see Michael D. Reilly, Getting Started with NT, "Domain Name Resolution with DNS," June 1999.) However, this functionality can lead to several problems. When a DNS client or another DNS server asks a BIND DNS server for a name lookup (e.g., the IP address of www.exampleco.com) and the BIND DNS server doesn't have that information in its local cache, the BIND DNS server tries to retrieve the information from other DNS servers. If the BIND DNS server receives bogus or poisoned information, it then spreads that bad information to the requesting client or server. Also, when your BIND DNS server is your Internet domain's authoritative server and provides domain information in response to external Internet queries, external Internet users can query other domains through your DNS server.
To minimize those problems, you can add a statement to the options section of the BIND DNS server's named.conf file to specify which clients can request a recursive query. For example, you can use the statement that Listing 2 shows to permit intranet hosts 192.168.10.0/24 and 192.168.11.0/24 to resolve Internet names through your Internet BIND DNS server.
Another option is to turn off the recursive functions of your BIND DNS server. To do so, you can add the statement that Listing 3 shows to the options section of the BIND DNS server's named.conf file. The code at callout A in Listing 3 prevents the server from using other DNS servers to resolve names. The code at callout B in Listing 3 stops the server from resolving other DNS servers' names in the Name Server (NS) records that it relays in response to external queries. When you disable your Internet BIND DNS server's recursive functionality, however, your internal DNS servers and users can no longer resolve Internet domain names through that server.