Solved

How can I build a secure bind server that just forwards

Posted on 2009-04-07
10
277 Views
Last Modified: 2013-12-16
I would like to create a Linux server that only runs bind and the only thing it does is forwards DNS to other DNS IP addresses. So basically user has their DNS set to the public IP of this DNS server which when hit sends all requests to another DNS server IP.

Can someone provide some direction on this, I have a decent amount of Linux experience but my bind knowledge is limited.
0
Comment
Question by:NetworkConsultant01
  • 5
  • 4
10 Comments
 
LVL 7

Expert Comment

by:Morne Lategan
ID: 24092981
Most bind installations does that by default.

The two best starting points for making it secure is to allow it only to bind to the internal lan, and to firewall the traffic so that only the lan can get to it. That usually rules out most of the problems you might get.

What distro are you using?
0
 
LVL 1

Author Comment

by:NetworkConsultant01
ID: 24093001
Have not picked one out I would like to use CentOS or Debian, my experiance with bind in the past was not plesant so a more step by step approach would be best for me =\
0
 
LVL 7

Expert Comment

by:Morne Lategan
ID: 24093050
With debian getting a forwarding server up is as simple as:

apt-get install bind9

and then editing /etc/bind/named.conf.options

and uncommenting the forwarders section, inserting your forwarding IP addresses. Then edit, in the same file the listen-on or listen-on-v6 to make it listen only on the ip you want it to listen on. With centos it shouldn't be too different. This will get you up and running with the basics. To secure it from there will depend on your situation.

You say "set to the *public* IP of this DNS server". Does that mean this DNS server will be live on the net and the people that will query it will not be on the Internet, or will they all be on a controlled internal LAN?
0
 
LVL 7

Expert Comment

by:Morne Lategan
ID: 24093059
That question should read:

"will be on the Internet", not "will not be on the Internet"
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 1

Author Comment

by:NetworkConsultant01
ID: 24093062
This DNS server will only be available via the internet, not by any LAN. Unfortunatly I will not be able to lock it down to allow only certain or a range of IPs to use it so anyone (if they find it) will be able to use it. So with that, I want to make the system as secure as possible with regard to the OS itself and the exposure on the internet.
0
 
LVL 7

Expert Comment

by:Morne Lategan
ID: 24093117
Step one would obviously be to install a firewall onto it and only opening what you want on the server. Typically that would be bind, icmp ping and ssh. If you do open ssh, consider changing the port it listens on. So far as bind is concerned, have a look at this doc:

http://www.cert.org/archive/pdf/dns.pdf

It describes a lot of other types of name services which does not apply to your forward-only setup too, but you can filter the contents to that which apply to your situation.
0
 
LVL 7

Accepted Solution

by:
Morne Lategan earned 500 total points
ID: 24093187
Also make sure you install an absolute bare-bone system. After installing, do a check to see what ports have services on them:

netstat -nlp |more

Uninstall everything that's listening on a port other than bind (and ssh if you wish).

Also uninstall any compilers such as gcc g++ etc to make it harder for a potential hacker to compile his tools. Try running bind in a chroot jail:

http://www.falkotimme.com/howtos/debian_bind_chroot/
http://tldp.org/HOWTO/Chroot-BIND-HOWTO.html

As you can see, your focus will be more on securing the box itself than securing bind. You can rest assured that bind 9 is in its own right a rather secure beast and for forwarding-only servers there's not THAT much that you can do. The 3 or 4 things mentioned in the doc provided before is about it.

0
 
LVL 1

Author Comment

by:NetworkConsultant01
ID: 24100542
OK I picked Debian 5.0 and used the following guide to setup bind http://www.dmo.ca/blog/20081009143754

Now, if I uncomment the forwarded section in /etc/bind/named.conf.options bind won't start

Am I editing the wrong file?
0
 
LVL 1

Author Comment

by:NetworkConsultant01
ID: 24100632
Er, never mind, I was doing it wrong, going to do some testing now.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Squid Connection Pools 3 47
Determine Who is Runnig my Bash Shell Script 4 65
Error Message during CentOS 7 Minimal Install 3 34
VMware Workstation 12 Player 16 42
If you have a multi-homed DNS setup in windows, you can have issues with connectivity to the server that hosts the DNS services (or even member servers of your domain if this same DNS server is a DC). This is because windows registers all of its IPs…
I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows since Windows Server 2000 - 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc.…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now