Figure B: Restricting a zone transfer to only 192.168.1.204
BIND, one of the most popular DNS servers on the Internet, is the default DNS server for many Linux and UNIX distributions, so it is important to know how to handle zone transfers on that platform as well. On BIND 8 and BIND 9, the primary configuration takes place in the /etc/named.conf file (the older /etc/named.boot format belongs to BIND 4). This is a text file with a number of directives that control how BIND will respond to various situations. BIND's default configuration, like Win2K's and WinNT's, allows a zone transfer to take place from anywhere: if no allow-transfer directive is present at all, BIND behaves as though "allow-transfer { any; };" were set. To secure your BIND server, open /etc/named.conf in a text editor and find the line "allow-transfer { any; };" inside the options block, which indicates that any IP address is allowed to get zone information; if the line is missing, add it to the options block, since the default is the same as "any". A zone-level allow-transfer inside a zone statement overrides the global one for that zone. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I will change the allow-transfer line to read like the following:

allow-transfer { 192.168.1.4; 172.16.1.5; };

This example should work on BIND 8 and BIND 9 machines. If you are running BIND 4, consider upgrading, since BIND 4 is no longer under development and is outdated in a number of ways.

Summary
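The complete named.conf picture, as an added example (not taken from the original article): the weak default setting beside the corrected one, a named address match list, a per-zone override, and a zone that should never be transferred. The zone names (example.com, internal.example), the directory and file paths, and the ACL name "secondaries" are assumptions for illustration; the two IP addresses are the ones from the article.

```conf
// Added example, not from the original article. BIND 8/9 named.conf
// fragment restricting zone transfers. Zone names, paths and the ACL
// name are assumptions; 192.168.1.4 and 172.16.1.5 come from the text.

// An ACL must be defined before it is referenced, so it goes first.
acl "secondaries" { 192.168.1.4; 172.16.1.5; };

options {
    directory "/var/named";

    // WEAK: the explicit form of the default. Leaving allow-transfer
    // out entirely has the same effect; anyone who can reach TCP port
    // 53 can pull the whole zone with an AXFR request.
    // allow-transfer { any; };

    // CORRECTED: global default for every zone on this server. Only the
    // two secondaries named in the article may request a transfer.
    allow-transfer { 192.168.1.4; 172.16.1.5; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // A zone-level allow-transfer overrides the global one for this zone;
    // referencing the ACL keeps the list in one place.
    allow-transfer { secondaries; };
};

zone "internal.example" IN {
    type master;
    file "internal.example.zone";
    // No host, not even a listed secondary, may transfer this zone.
    allow-transfer { none; };
};
```

After editing, reload the server (rndc reload on BIND 9, ndc reload on BIND 8) and verify the change from a host that is not in the list: "dig @<your-server> example.com AXFR" should answer "Transfer failed." rather than listing the zone, while the same query from 192.168.1.4 still succeeds. One caveat: an address-based match list trusts the client's source address, so on BIND 9 consider also requiring a TSIG key on the transfer (allow-transfer { key "xfer-key"; }; together with a matching key statement), which authenticates the secondary rather than its IP address.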
Securing your DNS information from prying eyes may sound like a trivial task. But protecting this wealth of information from examination by the unscrupulous can help save your systems from targeted attacks. Restricting access to DNS information will help obscure your network to hackers and make it more difficult for the network to be compromised.