Secure Installation of BIND
This document was written using BIND 8 (specifically 8.2.2-p5). It is possible that some of it's recommendations will not work for any version earlier than 8.2.2-p5. It would also be wise to not use any versions of BIND earlier than 8.2.2-p5. The reasoning behind this statement is that BIND has had security issues that result in total compromise of machines that host it, and Denial of Service attacks that prevent the name server from answering queries. At the time of writing there were seven known vulnerabilities in pre 8.2.2 versions of BIND, and a vulnerability in the way DNS is deployed that affects BIND 8.2.2 when you change your nameserver from one ip address to another.
Read the Article
|
Securing a BIND Internet Name Server
The goal of this document is to discuss general name server security. However, in order to provide useful examples we have chosen to focus on BIND since it is the most commonly used software for DNS servers.
Read the Article
|
Paul Vixie and David Conrad on BINDv9 and Internet Security
In this interview, Paul Vixie and David Conrad talk about the Internet Software Consortium, the changes in the latest major version of bind, the security features designed into it, and the future of Internet security.
Read the Article
|
Predictability of Windows DNS resolver
The main DNS security issues have very often focused on server side problems and vulnerabilities. This paper focuses on Windows client DNS service, also called DNS resolver. This paper explains how it is often possible to predict the "Transaction ID" and the "UDP port number" used by Windows' DNS Resolver. With this information it will be shown how it is possible, under certain conditions, to win the race against the regular DNS server and hijack, for example, a TCP/IP session. Even if this problem has been reported to Microsoft's security experts and we both agreed that there is no immediate threat or security vulnerability, it may be used to attack Windows LAN and WAN clients for example at startup. In WLAN too, which shares the medium and then is subjected to the well-known DNS attacks based on sniffing, this predictability increases the chances of being effectively attacked.
Read the Article
|
The Evolving Threats to the Availability and Security of the Domain Name Service (DNS)
The objective of this paper provide a concise overview of the role of the Domain Name Server (DNS) system among the essential components that comprise the Internet and the World Wide Web as we know it today. As well as examine the security related aspects of its operation and some of the key exploits that have been mounted in the last several years against the system and the services that it provides.
Read the Article
|
Installation of a Red Hat 9.0 server with DNS
This paper seeks to provide an edited account of the work done by the author to create a minimal-install, primary DNS server based on a Linux platform. The document includes some discussion as to why certain decisions were made and the reasons for the method used to build the system. There is a preliminary summary of this document, which outlines the rest of the documents content. Each section, that details the instructions for building the system, has information and discussion about the actions and decisions taken that are relevant to that section. However, the document is also designed to be a set of build instructions that can be followed to create a simple DNS server with security as a focus.
Read the Article
|
Security Issues with DNS
This document first reviews some basics about how DNS works, then goes into explaining the different ways a hacker can attack the DNS protocol implementation to use it to his own advantage. We will focus on the relationship between all the terms we hear, which are usually misemployed. We will then review the different possible server attacks and finish by explaining some of the ways that should be used to protect against these issues.
Read the Article
|
DNS, DNSSEC and the Future
The domain name system (DNS) is the means by which hosts find out the IP addresses of other machines from their universal resource locator. The key to DNS is its hierarchical nature that makes delegation so easy. It is very important to set-up and document the DNS with best practices firmly in mind or the corporate system will crumble. The aim is to mitigate the risks of mis-configuration and attack so down time is kept to a minimum or compensated for by reducing the single point of failure.
Read the Article
|
How Secure are the Root DNS Servers?
This paper is intended as an overview for a general audience. References and links are provided for those who want more technical insight. The purpose is to provide the current state of the root name server system and its operation. The reader will be left to do a final evaluation of the confidentiality, availability and integrity strength of the root name servers and the root name server system.
Read the Article
|
Why is securing DNS zone transfer necessary?
What can be done to secure your DNS information? DNS queries, zone transfers, and dynamic updates can be secured. This paper will focus on the reason for securing DNS zone transfers between DNS Name Servers. It will concentrate on the use of allow-transfer statement in Berkley Internet Name Domain (BIND) DNS to accomplish the goal of preventing DNS poisoning or spoofing.
Read the Article
|
