Simple DNS Security

DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of the information for the sake of security.

Zone Transfer Protection

The host command does one DNS query at a time, but the dig command is much more powerful. When given the right parameters it can download the entire contents of your domain's zone file.

In this example, the AXFR zone transfer parameter is used to get the contents of the my-web-site.org zone file:

     [root@smallfry tmp]# dig my-web-site.org AXFR

     ; <<>> DiG 9.2.3 <<>> my-web-site.org AXFR
     ;; global options:  printcmd
     my-web-site.org.            3600    IN      SOA     www.my-web-site.org. hostmaster.my-web-site.org. 2004110701 3600 3600 3600 3600
     my-web-site.org.            3600    IN      NS      ns1.my-web-site.org.
     my-web-site.org.            3600    IN      MX      10 mail.my-web-site.org.
     192-168-1-96.my-web-site.org. 3600  IN      A       192.168.1.96
     192-168-1-97.my-web-site.org. 3600  IN      A       192.168.1.97
     192-168-1-98.my-web-site.org. 3600  IN      A       192.168.1.98
     bigboy.my-web-site.org.     3600    IN      A       192.168.1.100
     gateway.my-web-site.org.    3600    IN      A       192.168.1.1
     localhost.my-web-site.org.  3600    IN      A       127.0.0.1
     mail.my-web-site.org.       3600    IN      CNAME   www.my-web-site.org.
     ns1.my-web-site.org.        3600    IN      CNAME   www.my-web-site.org.
     ntp.my-web-site.org.        3600    IN      CNAME   www.my-web-site.org.
     smallfry.my-web-site.org.   3600    IN      A       192.168.1.102
     www.my-web-site.org.        3600    IN      A       192.168.1.100
     my-web-site.org.            3600    IN      SOA     www.my-web-site.org. hostmaster.my-web-site.org. 2004110701 3600 3600 3600 3600
     ;; Query time: 16 msec
     ;; SERVER: 192.168.1.100#53(192.168.1.100)
     ;; WHEN: Sun Nov 14 20:21:07 2004
     ;; XFR size: 16 records
     [root@smallfry tmp]#

This may not seem like an important security threat at first glance, but it is. Anyone can use this command to enumerate all of your servers' IP addresses, infer from the host names what each server is used for, and then choose an attack suited to that type of server.

In a simple home network, without master and slave servers, zone transfers should be disabled. You can do this by applying the allow-transfer directive to the global options section of your named.conf file.

     options {
         allow-transfer {none;};
     };
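As an added example (not from the original page), here is how that directive sits in a fuller named.conf next to a zone that does need to replicate to a secondary server. The zone name comes from the page; the secondary's address 192.168.1.101 and the zone file name are assumptions.

```conf
options {
    // Global default: refuse AXFR from every client. Without this line,
    // BIND of the era shown in the page's dig output (9.2) answers zone
    // transfers from anyone who asks.
    allow-transfer { none; };
};

// Assumed setup: a secondary at 192.168.1.101 replicates this zone.
// A zone-level allow-transfer overrides the global one for this zone
// only, so every other zone on the server stays closed.
zone "my-web-site.org" {
    type master;
    file "my-web-site.org.zone";
    allow-transfer { 192.168.1.101; };
    also-notify   { 192.168.1.101; };
};
```

After editing, check the syntax with named-checkconf, reload named, and repeat the page's dig AXFR test from a host that is not the listed secondary; it should now report "Transfer failed."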

Once applied, your zone transfer test should fail.

     [root@smallfry tmp]# dig my-web-site.org AXFR
     ...
     ...
     ; <<>> DiG 9.2.3 <<>> my-web-site.org AXFR
     ;; global options:  printcmd
     ; Transfer failed.
     [root@smallfry tmp]#

Naming Convention Security

Your my-web-site.org domain will probably have a www and a mail subdomain, and they should remain obvious to all. You may want to adjust your DNS views so that, to external users, your MySQL database server doesn't have the letters "DB" or "SQL" in its name, and your firewall doesn't have the letters "FW" in its name either. Such names may be good for ease of reference within the company, but on the Internet they let a hacker rapidly identify which types of malicious exploits to use to break in. Web site security refers to anything that helps to guarantee the availability of the site; this is just one of many methods you can use.
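The following is an added example, not code from the original page: a small Python audit script that parses captured output of the `dig <zone> AXFR` test shown under Zone Transfer Protection and reports what an open transfer would expose, including host names whose leftmost label hints at the server's role, as discussed in this section. The two dig transcripts embedded in it are constructed from the page's sample; the host names fw1 and sqldb and their addresses are assumptions, not records from the original output.

```python
"""Audit captured `dig <zone> AXFR` output from a defender's point of view.

Added example, not part of the original page. It tells you whether the
server honoured the transfer at all and, if it did, which records would
hand an outsider a map of the network: private-range addresses and host
names whose labels advertise the server's role.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's dig output. fw1 and sqldb are
# assumed names added to show the naming-convention check.
OPEN_ZONE_OUTPUT = """\
; <<>> DiG 9.2.3 <<>> my-web-site.org AXFR
;; global options:  printcmd
my-web-site.org.            3600    IN      SOA     www.my-web-site.org. hostmaster.my-web-site.org. 2004110701 3600 3600 3600 3600
my-web-site.org.            3600    IN      NS      ns1.my-web-site.org.
my-web-site.org.            3600    IN      MX      10 mail.my-web-site.org.
bigboy.my-web-site.org.     3600    IN      A       192.168.1.100
fw1.my-web-site.org.        3600    IN      A       192.168.1.1
gateway.my-web-site.org.    3600    IN      A       192.168.1.1
localhost.my-web-site.org.  3600    IN      A       127.0.0.1
sqldb.my-web-site.org.      3600    IN      A       192.168.1.50
www.my-web-site.org.        3600    IN      A       192.168.1.100
my-web-site.org.            3600    IN      SOA     www.my-web-site.org. hostmaster.my-web-site.org. 2004110701 3600 3600 3600 3600
;; XFR size: 10 records
"""

# Constructed sample of the page's post-fix result.
CLOSED_ZONE_OUTPUT = """\
; <<>> DiG 9.2.3 <<>> my-web-site.org AXFR
;; global options:  printcmd
; Transfer failed.
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


# name  ttl  IN  type  rdata   (dig prints comments on lines starting with ';')
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
XFR_SIZE = re.compile(r"XFR size:\s+(\d+)")

# Labels the page singles out as revealing a server's role to outsiders.
ROLE_HINTS = ("db", "sql", "fw")


def parse_axfr(text: str) -> list:
    """Extract resource records from dig AXFR output, skipping comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name, int(ttl), rtype, rdata.strip()))
    return records


def transfer_allowed(text: str) -> bool:
    """A server that honours AXFR frames the zone with SOA records;
    one that refuses prints '; Transfer failed.' and no records."""
    if "Transfer failed" in text:
        return False
    return any(r.rtype == "SOA" for r in parse_axfr(text))


def audit(text: str) -> dict:
    """Summarise what this transcript exposes about the zone."""
    records = parse_axfr(text)
    private_hosts, role_hinting = [], []
    for r in records:
        if r.rtype == "A":
            try:
                if ipaddress.ip_address(r.rdata).is_private:
                    private_hosts.append(r.name)
            except ValueError:
                pass  # malformed rdata: not an address, skip it
        label = r.name.split(".")[0].lower()
        if (r.rtype in ("A", "CNAME") and r.name not in role_hinting
                and any(h in label for h in ROLE_HINTS)):
            role_hinting.append(r.name)
    size = XFR_SIZE.search(text)
    return {
        "transfer_allowed": transfer_allowed(text),
        "record_count": len(records),
        "reported_size": int(size.group(1)) if size else None,
        "private_hosts": private_hosts,
        "role_hinting_names": role_hinting,
    }


if __name__ == "__main__":
    for label, sample in (("before fix", OPEN_ZONE_OUTPUT),
                          ("after fix", CLOSED_ZONE_OUTPUT)):
        print(label, audit(sample))
```

Run it against the saved output of your own `dig yourdomain AXFR` test instead of the embedded samples; a result with `transfer_allowed` true from an arbitrary Internet host means the allow-transfer directive is not in effect, and a non-empty `role_hinting_names` list shows which names to rename or hide in the external view.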