Securing Name Servers on UNIX

Slave name servers perform a zone transfer from the master name server to update their zone database. By default, the master name server will permit zone transfer requests by any host. This does not strictly fall in the category of vulnerabilities. However, the name server contains valuable information about network resources. Information such as the host names, number of hosts, textual information on the hosts (HINFO, TXT) and names of mail servers is made available in zone transfers. Hence, it provides the intruder with intelligence information that can be utilized to launch other types of attacks on an enterprise.

Dynamic updates are associated with BIND versions 8 and later only. Dynamic updates do not apply to the BIND 4 series. The dynamic update feature allows authorized hosts to update the zone records of a name server. If improperly configured, an intruder may be able to add/delete/replace the records for a zone.

This falls more in the category of misuse or abuse of the name server by individuals outside your organization. To put it simply, anyone on the Internet can use your name server to perform recursive queries. This can cause your name server to become extremely busy in responding to everyone else's queries. Additionally, everyone on the Internet will be using your bandwidth to do so. Furthermore, this is related to the cache-poisoning vulnerability.

Figure 1

This section focuses on measures that name-server administrators can take to secure their DNS environment on UNIX. Figure 1 displays a flow-chart-based approach to securing BIND. The following measures, when implemented properly, will assist in securing BIND.

The system syslog files contain information about the current version of BIND a system is running. The BIND 8 series provides greater granularity in defining ACLs (access control lists) and configuring the name server. More specifically, BIND 8 series is preferred over BIND 4. Using the most current version of BIND 8 series will protect against the cache poisoning, inverse query buffer overrun and the denial of service vulnerabilities.

BIND provides configuration options to restrict zone transfers. By default, Zone transfer is enabled and anyone can perform zone transfers against the name server database. The ls {domain_name} command in nslookup facilitates this. To restrict zone transfers, use the allow-transfer and xfernets configuration statements in BIND version 8 and 4.9, respectively.

This is necessary to restrict the hosts that can query the name server. In particular, this is useful for zones internal to an organization. Furthermore, restricting queries minimizes exposure to the cache-poisoning vulnerability. By default, BIND permits anyone to query, even for zones for which a name server is not authoritative. Only BIND 8 provides ACLs for queries. The BIND 8 configuration statement allow-query is used to define the ACL for queries based on IP addresses.

If recursion is not desired, it is best to disable it. Such non-recursive servers are responsible for answering queries for the zones for which they are authoritative. In addition, these servers are difficult to spoof because the server does not cache any data. Most often, internal clients send a recursive query to the name server. In such cases, recursion may be desired and must be enabled. Such servers must permit recursion and establish ACLs on queries (allow-query).

Dynamic updates are a feature of BIND 8. By default, BIND 8 disables dynamic updates. If dynamic updates are required, such updates should be restricted to individual IP addresses rather than network addresses. The allow-update configuration statement defines the addresses from which a server will accept updates.