I. Security issues facing DNS servers
1. DNS spoofing: cache poisoning, DNS information hijacking, DNS redirection, and IP spoofing.
2. Denial-of-service attacks.
3. Buffer vulnerabilities in the server software.
4. Distributed denial-of-service attacks.
5. Buffer overflow exploits.
6. Insecure dynamic updates.
II. Configuring DNS server security
1. Isolate the DNS server
Run the service on a dedicated machine, and do not let ordinary users log in to it.
2. Create a chroot for BIND
BIND can be installed together with the chroot package (bind-chroot); the root directory of the DNS service then becomes /var/named/chroot.
The same result can be achieved by hand:
1) Create a user: useradd dns -d /home/dns
2) Create the corresponding directories: mkdir -p /home/dns/var/log /home/dns/var/run
mkdir -p /home/dns/var/named /home/dns/etc
3) Copy the files: cp /etc/named.conf /home/dns/etc/
cp -r /var/named/* /home/dns/var/named/
4) Set the appropriate permissions: chown -R dns:dns /home/dns
5) Run the name server as the dns user inside the chroot: /usr/local/sbin/named -t /home/dns -u dns
Two things to check before starting: named needs a few files inside the chroot that the steps above do not copy (typically /dev/null and, for older versions, /dev/random; /etc/localtime for correct log timestamps), and the chown -R makes every file, including named.conf, writable by the dns user. Only the zone files that named must write (slave zones, dynamically updated zones) need to be owned by dns; leaving named.conf owned by root prevents a compromised named from rewriting its own configuration.
3. Hide the BIND version number
In named.conf, set the version string in the options block:
options {
version "tsinghua wang";
};
You can check your own version locally with named -v, and check what a server (your own or someone else's) advertises with:
nslookup -class=chaos -q=txt version.bind
dig @sina_dns_server chaos txt version.bind
Replacing the string only removes a hint for attackers; it does not change the code that is running, so the server still has to be patched.
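The two commands above send a TXT query in the CHAOS class for the name version.bind. The following is an added example (not code from the original post, and not BIND's code) that builds that query on the wire and parses the reply, so you can see exactly what a scanner receives before and after the version option is set. The replies are constructed inside the block with make_reply() for offline use and are not captured from any real server; the server address taken by query_version() is an assumed parameter.

```python
"""Wire-level form of the version.bind check (added example, not from the post)."""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3
QNAME = "version.bind"


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Query packet: header (RD set, one question) + version.bind TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def decode_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # pointer: jump, remember where we were
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_version_reply(msg, expected_txid=0x1234):
    """Return the TXT strings from the answer section, or None if the server refused."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:                          # RCODE != 0, e.g. REFUSED
        return None
    offset = 12
    for _ in range(qd):                         # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    texts = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos = 0
            while pos < len(rdata):             # TXT rdata is a sequence of <len><bytes>
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return texts


def make_reply(text, rcode=0, txid=0x1234):
    """Constructed sample reply for offline testing (NOT captured from a real server)."""
    answers = 1 if rcode == 0 else 0
    msg = struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, answers, 0, 0)
    msg += encode_name(QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    if answers:
        rdata = bytes([len(text)]) + text.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return msg


def query_version(server, port=53, timeout=3.0):
    """Send the query to a real server (assumed address) and parse its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (server, port))
        data, _ = sock.recvfrom(512)
    return parse_version_reply(data)


if __name__ == "__main__":
    print(parse_version_reply(make_reply("9.16.1")))          # version exposed
    print(parse_version_reply(make_reply("tsinghua wang")))   # version option set
    print(parse_version_reply(make_reply("", rcode=5)))       # server REFUSED the query
```

The transaction-id check matters when you run this against a real server: a reply with a different id is either a stray datagram or a spoofing attempt and must not be trusted, which is the same rule a resolver applies against the cache-poisoning attacks listed in part I.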
4. Avoid disclosing server information
Do not publish records that reveal details about the hosts, such as TXT and HINFO records.
5. Turn off glue fetching
Edit /etc/named.conf:
options {
fetch-glue no;
};
This is a BIND 8 option. BIND 9 never fetches glue and treats fetch-glue as obsolete; on a BIND 9 authoritative server the equivalent hardening is to turn recursion off (or restrict it to your own networks) so the server cannot be used as an open resolver.
6. Control zone transfers
Zone transfers can be restricted with an ACL in named.conf:
acl "tsinghua-wang" { 192.168.0.0/24; 221.6.136.6; };
zone "myuan.com" {
type master;
file "myuan.com";
allow-transfer { tsinghua-wang; };
};
The ACL is optional: allow-transfer can also be followed directly by the IP addresses. The name used in allow-transfer must match the acl statement exactly. Since IP spoofing is one of the threats listed above, an address-based ACL is only as strong as the address; restricting transfers to a TSIG key shared with the secondaries is the stronger control.
7. Limit queries
Queries can be restricted so that only certain clients can reach the DNS server's resources:
options {
allow-query { any; };
};
zone "myuan.com" {
type master;
file "myuun.com.zone";
allow-query { 192.168.0.0/24; };
};
The zone-level allow-query overrides the global one, so with this configuration only 192.168.0.0/24 can query myuan.com even though the global default is any. Match lists are evaluated in order and the first match wins, so more specific entries, and any negated ones, must come before broader ones.
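Sections 6 and 7 both depend on how named evaluates an address match list: in order, first match wins, a leading ! negates, and any, none and named ACLs can be mixed in. The block below is an added example, not part of the original post and not BIND's own code; it models that evaluation so the page's allow-transfer and allow-query policy can be checked against sample client addresses before it goes live, and shows the ordering mistake that silently disables a negated entry. The handling of a negated hit inside a nested ACL (the nested list simply does not match and the outer list keeps going) is my reading of BIND's behaviour and is an assumption to confirm against the BIND ARM for your version.

```python
"""First-match evaluation of BIND-style address match lists (added example)."""
import ipaddress


def parse_match_list(text):
    """'192.168.0.0/24; !192.168.0.13; any;' -> [(element, negated), ...]."""
    items = []
    for raw in text.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:].strip()
        items.append((tok.strip('"'), negated))
    return items


class AclSet:
    """Named ACLs (acl "name" { ... };) plus evaluation of a match list against them."""

    MAX_DEPTH = 16  # guard against acl "a" { b; }; acl "b" { a; };

    def __init__(self, acls):
        self.acls = {name: parse_match_list(body) for name, body in acls.items()}

    def _element_matches(self, elem, addr, depth):
        if elem == "any":
            return True
        if elem == "none":
            return False
        if elem in self.acls:
            if depth >= self.MAX_DEPTH:
                raise ValueError("ACL nesting too deep (loop?)")
            # Assumption: a nested ACL counts as matched only on a positive hit;
            # a negated hit inside it means "no match here" and the outer list goes on.
            return self._evaluate(self.acls[elem], addr, depth + 1) is True
        try:
            net = ipaddress.ip_network(elem, strict=False)   # host or prefix
        except ValueError:
            raise ValueError(f"unknown match-list element {elem!r}") from None
        return addr.version == net.version and addr in net

    def _evaluate(self, items, addr, depth=0):
        """True = positive match, False = negated match, None = nothing matched."""
        for elem, negated in items:
            if self._element_matches(elem, addr, depth):
                return not negated
        return None

    def allows(self, match_list, client_ip):
        """Access-control reading of a list: only a positive first match grants access."""
        addr = ipaddress.ip_address(client_ip)
        return self._evaluate(parse_match_list(match_list), addr) is True


# The page's own policy: the "tsinghua-wang" ACL used for allow-transfer,
# and the zone-level allow-query restricted to 192.168.0.0/24.
ACLS = AclSet({"tsinghua-wang": "192.168.0.0/24; 221.6.136.6;"})
ALLOW_TRANSFER = "tsinghua-wang;"
ALLOW_QUERY = "192.168.0.0/24;"


def zone_access(client_ip):
    """Return {'query': bool, 'transfer': bool} for a client under the page's policy."""
    return {
        "query": ACLS.allows(ALLOW_QUERY, client_ip),
        "transfer": ACLS.allows(ALLOW_TRANSFER, client_ip),
    }


if __name__ == "__main__":
    for ip in ("192.168.0.17", "221.6.136.6", "221.6.136.7", "10.0.0.1"):
        print(ip, zone_access(ip))
    # Ordering pitfall: the exclusion never fires because the /24 matches first.
    print(ACLS.allows("192.168.0.0/24; !192.168.0.13;", "192.168.0.13"))
    print(ACLS.allows("!192.168.0.13; 192.168.0.0/24;", "192.168.0.13"))
```

Note that 221.6.136.6 may transfer the zone but may not query it under this policy; that is a direct consequence of the two lists being independent, and a useful thing to catch before deployment.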
8. Other enhancements
9. Configure DNS Flood Detector for the DNS server
DNS Flood Detector is a tool that watches the query rate of a DNS server and warns about sources sending an abnormal number of queries. It detects query floods, not TCP SYN floods: ordinary DNS queries are UDP.
Package: dnsflood-1.08-1.i386.rpm
Command format: dns_flood_detector [options]
-i ifname: interface to monitor
-t N: warn when a source exceeds N queries per second
-a N: reset the warning after N seconds
-w N: display status every N seconds
-x N: create N buckets
-b: run in the foreground in bindsnap mode
-d: run as a daemon
-v: verbose output (repeat for more detail)
-h: show usage
Example: dns_flood_detector -b -v -v -t10
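The core of the tool is a per-source query counter with a threshold (-t) and a quiet period after each warning (-a). The following is an added example, not part of the original post and not the dns_flood_detector code: it implements that logic in Python over BIND query-log lines instead of captured packets, so it can be run offline and also serves as a starting point for the DNS logging mentioned in section 11. The log lines are constructed inside the block in BIND 9 query-log style and are not real traffic; the one normal client and the one bursting source are invented for the demonstration.

```python
"""Query-rate flood detection over BIND query-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (BIND 9 style):
# 25-Mar-2020 10:00:02.150 client 203.0.113.9#51234 (h3.example.com): query: h3.example.com IN A +E(0) (192.168.0.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (epoch_second, source_ip, qname, qtype), or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return int((ts - EPOCH).total_seconds()), m["ip"], m["qname"], m["qtype"]


class QueryFloodDetector:
    def __init__(self, threshold_qps, alarm_reset_seconds):
        self.threshold = threshold_qps                      # -t N
        self.reset = alarm_reset_seconds                    # -a N
        self.counts = defaultdict(lambda: defaultdict(int))  # ip -> second -> queries
        self.last_alarm = {}                                # ip -> second of last alarm
        self.alerts = []

    def feed(self, line):
        """Process one log line; return an alert tuple when a source crosses -t."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        sec, ip, _qname, _qtype = parsed
        self.counts[ip][sec] += 1
        count = self.counts[ip][sec]
        if count <= self.threshold:
            return None
        last = self.last_alarm.get(ip)
        if last is not None and sec - last < self.reset:
            return None                                     # inside the -a quiet period
        self.last_alarm[ip] = sec
        alert = (ip, (EPOCH + timedelta(seconds=sec)).strftime("%H:%M:%S"), count)
        self.alerts.append(alert)
        return alert

    def top_sources(self, n=3):
        """Sources ranked by their busiest second (what the -w status output summarises)."""
        peaks = {ip: max(per_sec.values()) for ip, per_sec in self.counts.items()}
        return sorted(peaks.items(), key=lambda kv: kv[1], reverse=True)[:n]


def run_detector(lines, threshold_qps=10, alarm_reset_seconds=5):
    det = QueryFloodDetector(threshold_qps, alarm_reset_seconds)
    for line in lines:
        det.feed(line)
    return det


def _line(hms_ms, ip, qname):
    return (f"25-Mar-2020 {hms_ms} client {ip}#51234 ({qname}): "
            f"query: {qname} IN A +E(0) (192.168.0.1)")


def constructed_log():
    """Constructed sample: one normal client, one source bursting 12 qps at three moments."""
    lines = [_line(f"10:00:0{i}.000", "192.168.0.5", "www.example.com") for i in range(3)]
    for hms in ("10:00:02", "10:00:03", "10:00:12"):
        lines += [_line(f"{hms}.{i * 50:03d}", "203.0.113.9", f"h{i}.example.com")
                  for i in range(12)]
    lines.append("25-Mar-2020 10:00:13.000 general: info: zone example.com/IN: "
                 "loaded serial 2020032501")                # non-query line, ignored
    return lines


if __name__ == "__main__":
    det = run_detector(constructed_log(), threshold_qps=10, alarm_reset_seconds=5)
    for alert in det.alerts:
        print("ALERT source=%s at %s: %d queries in one second" % alert)
    print("top sources:", det.top_sources())
```

With -t 10 and -a 5 the bursting source raises a warning in the second 10:00:02, the burst in the next second is suppressed by the quiet period, and the burst at 10:00:12 raises a second warning; the normal client never appears. To use it on a real server, enable query logging in named and pipe the log through feed().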
10. Set up a complete name server
11. Set up DNS logging
12. Strengthen the DNS server against DoS/DDoS
1) Use SYN cookies:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
2) Increase the backlog:
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
3) Reduce the number of retries:
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
4) Limit the rate of SYN packets:
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
These settings only protect the TCP side of the server (zone transfers and queries that fall back to TCP). Ordinary DNS queries are UDP, so a UDP query flood is not affected by them and needs the rate monitoring in section 9 plus filtering upstream. The iptables rule only accepts SYN packets within the limit; it has no effect unless it is followed by a rule that drops the SYN packets it did not accept. A limit of 30 SYNs per minute is also far too low for a busy server and would block legitimate TCP queries; tune it to the measured traffic.
13. Use distributed DNS for load balancing
14. Protect the network the DNS server sits on
15. Configure the firewall