Hardening guide for BIND9 (Debian platform)

  1. Make sure the Bind is running with non-root account:
    ps aux | grep bind | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chown -R root:bind /etc/bind
    chown root:bind /etc/bind/named.conf*
    chmod 640 /etc/bind/named.conf*
  3. Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:
    • Add the line below to replace DNS version banner:
      version "Secured DNS server";
      Note: In-order to test, run the command below:
      dig +short @localhost version.bind chaos txt
    • Add the line below to restrict recursive queries to trusted clients:
      allow-recursion { localhost; 192.168.0.0/24; };
      Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      Note 2: In-order to test, run the command below:
      nslookup www.google.com
    • Add the line below to restrict query origins to trusted clients:
      allow-query { localhost; 192.168.0.0/24; };
      Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
    • Add the line below to Nameserver ID:
      server-id none;
    • Add the line below to restrict which hosts can perform zone transfers:
      allow-transfer { 192.168.1.1; };
      Note: Replace 192.168.1.1 with the trusted DNS server.
    • Add the line below to restrict the DNS server to listen to specific interfaces:
      listen-on port 53 { 127.0.0.1; 192.168.1.1; };
      Note: Replace 192.168.1.1 with the IP address of the DNS server.
  4. Restart the DNS daemon:
    service bind9 restart

One Response to “Hardening guide for BIND9 (Debian platform)”

Leave a Reply

Search This Blog
Labels
NetworkedBlogs