
Securing RedHat 5.X Part VII - Securing specific services - DNS

By Kurt Seifried Rev 0.1


Securing specific services - DNS (S07.C05)


DNS is an extremely important service for most networks. It also requires connections coming in from the outside world, and due to the nature and structure of DNS, the information DNS servers claim to have may not be true. The main provider of DNS server software (named, the de facto standard) is currently looking at adding a form of DNS information authentication (basically using RSA to cryptographically sign the data, proving it is 'true').

Problems with Bind 4.X and RedHat 'out of the box':

If you're going to run Bind, upgrade to at least 8.1.2 (the latest). 4.X has several nasty holes, as well as being generally more insecure. Bind 8.X has a much more powerful and secure configuration file (named.conf).

Since DNS is a requirement for almost anyone running a server, the best thing to do is chroot it and run it as a non-root user. Thus if someone breaks in, they will have a MUCH harder time actually cracking open the system. My paper on chrooting Bind is here.
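One way to confirm that a running named really is non-root and chrooted, as an added example that is not taken from the author's paper. It assumes a Linux /proc filesystem; the function name check_proc and the PROC_ROOT variable are hypothetical names used only here.

```shell
#!/bin/sh
# Added example: report whether a process runs as non-root inside a chroot.
# Reads Linux /proc/<pid>/status and /proc/<pid>/root; run it as root so the
# root link of another user's process is readable.

# check_proc PROCDIR
# Prints "OK" or a space-separated list of findings; returns 0 only when OK.
check_proc() {
    procdir=$1
    findings=""

    if [ ! -r "$procdir/status" ]; then
        echo "no-such-process"
        return 2
    fi

    # "Uid:" carries the real, effective, saved and filesystem UIDs;
    # any 0 means the process still holds root.
    for uid in $(awk '/^Uid:/ {print $2, $3, $4, $5}' "$procdir/status"); do
        if [ "$uid" = "0" ]; then
            findings="runs-as-root"
            break
        fi
    done

    # /proc/<pid>/root points at the process's root directory.
    # "/" means no chroot; an unreadable link is reported, not assumed safe.
    root=$(readlink "$procdir/root" 2>/dev/null) || root=""
    case $root in
        "") findings="${findings:+$findings }chroot-unknown" ;;
        /)  findings="${findings:+$findings }not-chrooted" ;;
    esac

    if [ -z "$findings" ]; then
        echo "OK"
        return 0
    fi
    echo "$findings"
    return 1
}

# Usage: sh check_named.sh $(pidof named)
# PROC_ROOT (assumption of this example) lets the check run on a test tree.
if [ $# -gt 0 ]; then
    for pid in "$@"; do
        printf '%s: ' "$pid"
        check_proc "${PROC_ROOT:-/proc}/$pid" || true
    done
fi
```
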




Contact Kurt Seifried, All rights reserved Kurt Seifried 1998, content and information may not be reposted physically or electronically without the express permission of the author, this includes but is not limited to www mirror sites, email, usenet news, etc.