Hardening the BIND DNS Server - Page 5

This paper presents the risks posed by an insecure DNS server and walks through compiling, installing, configuring and optionally, chroot'ing BIND 8. The test environment is Solaris 2.5, 2.6, 7 and 8. Many configuration and troubleshooting tips are provided, along with up-to-date references on BIND and alternatives for NT, Linux and Solaris.

 By Sean Boran
Page 5 of 5   |  Back to Page 1
Print Article

Note 4: More tips

  • Firewall filters: Resolvers and servers query other servers by initialising a connection from a high port (>1024) to port 53 on the target server.

    • DNS uses port 53, both udp (resolving) and tcp (server to server communications).

    • For server to server communications, the source server can be configured to use source port 53 (rather than a dynamic high port), with the option:

      query-source * port 53;

    • Typical firewall rules would be:
      allow udp 53 in from outside to dns server    [queries to your server]
      allow udp 53 in from dns server to outside    [queries from your server]
      allow tcp 53 in from secondaries or ISP server  to dns server [zone transfers from your server]
      allow tcp 53 out from dns server to outside [zone transfers from primaries, for which you are a secondary]
      Note: queries normally use udp, but apparently also use tcp under load, so restrict queries to udp may cause headaches in some situations.

  • If you want to enable dynamic updates, despite the additional risk, use TSIG for better authentication of hosts allowed to make updates. Always restrict updates via an ACL.

  • BIND can be configure to only allow resolver queries for explicit hosts or networks via the option:
    allow-query { 193.a.b.c/24; };
    An interesting way of using this is to restrict access globally (in 'options') to your own networks and then allow 'all' access in specific zones or subzones, that you wish to be published to the Internet.

  • Intranet DNS servers do not need to have Internet access. They can forward unresolved queries to the external Internet DNS server(s), with the forwarders command:
    forwarders { 193.a.b.c; 193.a.b.d; };
    Likewise, queries on intranet DNS servers can be restricted to valid intranet addresses via the "allow-query" command.
    allow-query { 193.a.b.c/24; };

  • Internet servers or 'delegate' servers should be configured to only allow "recursive queries" from valid DNS servers/clients in your company, but not the Internet. Recursive queries allow the DNS client to ask the DNS server for information on IP addresses for which it is not authoritive. The server will do it's best to get the needed infotmation and will cache it, but we don't want that, we only want to serve information to others that we know is 100% correct, i.e. that the server is authoritive for. Stopping or restricting recursion can improve performance and help prevent a form of attack known as DNS cache poisoning. The appropriate option is:

allow-recursion { 193.a.b.c/24; };

To stop recursion completely (e.g. on a deligate server), set the option:

recursion no;

In the same vein, bind can be prevented from automatically resolving name server names in NS or RDATA records by setting the option:

fetch-glue no;

  • Read the book DNS and BIND 5.


  1. BIND Home Page - https://www.isc.org/downloads/bind
  2. How to Break Out of a chroot() Jail - http://www.bpfh.net/simes/computing/chroot-break.html
    Creating a Basic Padded Cell - http://www.sunworld.com/swol-01-1999/swol-01-security.html
  3. Securing Your Name Servers - http://securityportal.com/closet/closet19991124.html
    An Introduction to BIND's security features
  4. IP-Plus provides a tool for remotely checking your DNS configuration - http://www.ip-plus.net/tools/dns_check_set-en.html
  5. DNS and BIND, 3rd Edition, Paul Albitz & Cricke Liu, published by O'Reilly & Associates.
    A great reference work.
  6. RFC2845: Secret Key Transaction Authentication for DNS (TSIG) - community.roxen.com/developers/idocs/rfc/rfc2845.html
  7. YASSP Solaris Hardening Tool - http://www.yassp.org
  8. An example of an "ls -alR" on a production chroot'ed DNS primary, to show what the file permissions should look like - http://www.boran.com/security/sp/solaris/bind_perms.txt


Chroot-BIND HOWTO for Linux - http://www.losurs.org/docs/howto/Chroot-BIND.html
A Linux equivalent of this article. Access to the Website can be sporadic and slow. It concentrates on the chroot aspects and assumes you know how to configure BIND.

Linux users may also be interested in Stackguard (a compiler for improved resistance to 'stack smashing' attacks) or Immunix OS (RH Linux rebuilt with Stackguard). Note that Stackguard v1.2 had security flaws - use v1.21 or later.

Chroot BIND 8 on Solaris - http://www.securityfocus.com/focus/sun/articles/bind-inst.html
Similar to this paper, but it didn't work for me.

Chroot BIND 4.9.x on Solaris - http://www.homeport.org/~adam/dns.html  

Using BIND: Don't Get Spoofed Again - http://www.sunworld.com/swol-11-1997/swol-11-bind.html

Linux: Dual chroot'ed BIND/DNS Servers - http://www.etherboy.com/dns/chrootdns.html

DNS Security, by Jeff Holland - http://www.sans.org/infosecFAQ/DNS_sec.htm
Concise but useful; good diagrams.

BIND FAQ - http://www.nominum.com/resources/bind-faq.html

BIND9 is under development - https://www.isc.org/downloads/bind.
It is a complete rewrite. An 'early release' 9.0.0 is available for the curious.

DNS related RFCs: http://www.dns.net/dnsrd/rfc/

DNS Resources Directory www.dns.net/dnsrd

Bind for NT links:

Dents, an alternative DNS server, still in alpha - http://www.dents.org

djbdns is a collection of Domain Name System tools, http://cr.yp.to/djbdns.html, that includes several components:

  • The DNScache program is a local DNS cache. It accepts recursive DNS queries from local clients such as Web browsers. It collects responses from remote DNS servers.
  • The tinydns program is a fast, UDP-only DNS server. It makes local DNS information available to the Internet.
  • The pickdns program is a load-balancing DNS server. It points clients to a dynamic selection of IP addresses.
  • The walldns program is a reverse DNS wall. It provides matching reverse and forward records while hiding local host information.
  • The rbldns program is an IP-address-listing DNS server. It uses DNS to publish a list of IP addresses, such as RBL or DUL.
  • The DNS library handles outgoing and incoming DNS packets. It can be used by clients such as Web browsers to look up host addresses, host names, MX records, etc. It supports asynchronous resolution.
  • The dnsfilter program is a parallel IP-address-to-host-name converter.
  • The dnsip, dnsipq, dnsname, dnstxt, and dnsmx programs are simple command-line interfaces to DNS.
  • The dnsq and dnstrace programs are DNS debugging tools.


Useful tips were also provided by FOCUS-SUN@SECURITYFOCUS.COM members, including C.M. Wong, Eric Jon Rostetter, J. S. Townsley, Wyman Eric Miles, and Colin Stefani. Fabrice Bacchella pointed out how to use BIND's inbuilt chroot function. See also the archive of focus-sun messages. Thanks also to Stephane Grundschober and Kurt Seifried.

About the Author

Sean Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook. He has over 4 years experience managing DNS servers.

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)

This article was originally published on Dec 5, 2000
Get the Latest Scoop with Networking Update Newsletter