NetworkConsultant01
asked on
How can I build a secure bind server that just forwards
I would like to create a Linux server that only runs bind, and the only thing it does is forward DNS to other DNS IP addresses. So basically a user has their DNS set to the public IP of this DNS server, which, when hit, sends all requests to another DNS server IP.
Can someone provide some direction on this? I have a decent amount of Linux experience, but my bind knowledge is limited.
ASKER
Have not picked one out; I would like to use CentOS or Debian. My experience with bind in the past was not pleasant, so a more step by step approach would be best for me =\
With Debian, getting a forwarding server up is as simple as:
apt-get install bind9
and then editing /etc/bind/named.conf.options
and uncommenting the forwarders section, inserting your forwarding IP addresses. Then edit, in the same file, the listen-on or listen-on-v6 option to make it listen only on the IP you want it to listen on. With CentOS it shouldn't be too different. This will get you up and running with the basics. Securing it from there will depend on your situation.
You say "set to the *public* IP of this DNS server". Does that mean this DNS server will be live on the net and the people that will query it will not be on the Internet, or will they all be on a controlled internal LAN?
That question should read:
"will be on the Internet", not "will not be on the Internet"
ASKER
This DNS server will only be available via the Internet, not by any LAN. Unfortunately I will not be able to lock it down to allow only certain IPs or a range of IPs to use it, so anyone (if they find it) will be able to use it. So with that, I want to make the system as secure as possible with regard to the OS itself and its exposure on the Internet.
Step one would obviously be to install a firewall on it and only open what you want on the server. Typically that would be bind, ICMP ping and ssh. If you do open ssh, consider changing the port it listens on. As far as bind is concerned, have a look at this doc:
http://www.cert.org/archive/pdf/dns.pdf
It describes a lot of other types of name service that do not apply to your forward-only setup too, but you can filter the contents down to what applies to your situation.
ASKER
OK, I picked Debian 5.0 and used the following guide to set up bind: http://www.dmo.ca/blog/20081009143754
Now, if I uncomment the forwarders section in /etc/bind/named.conf.options, bind won't start.
Am I editing the wrong file?
ASKER
Er, never mind, I was doing it wrong; going to do some testing now.
The two best starting points for making it secure are to allow it only to bind to the internal LAN, and to firewall the traffic so that only the LAN can get to it. That usually rules out most of the problems you might get.
What distro are you using?