Tuesday, June 9, 2009

Simple DNS Security


DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of the information for the sake of security.

Zone Transfer Protection

The host command does one DNS query at a time, but the dig command is much more powerful. When given the right parameters it can download the entire contents of your domain's zone file.

In this example, the AXFR zone transfer parameter is used to get the contents of the my-site.com zone file.

[root@smallfry tmp]# dig my-site.com AXFR
; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com. 3600 IN NS ns1.my-site.com.
my-site.com. 3600 IN MX 10 mail.my-site.com.
192-168-1-96.my-site.com. 3600 IN A 192.168.1.96
192-168-1-97.my-site.com. 3600 IN A 192.168.1.97
192-168-1-98.my-site.com. 3600 IN A 192.168.1.98
bigboy.my-site.com. 3600 IN A 192.168.1.100
gateway.my-site.com. 3600 IN A 192.168.1.1
localhost.my-site.com. 3600 IN A 127.0.0.1
mail.my-site.com. 3600 IN CNAME www.my-site.com.
ns1.my-site.com. 3600 IN CNAME www.my-site.com.
ntp.my-site.com. 3600 IN CNAME www.my-site.com.
smallfry.my-site.com. 3600 IN A 192.168.1.102
www.my-site.com. 3600 IN A 192.168.1.100
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
;; Query time: 16 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sun Nov 14 20:21:07 2004
;; XFR size: 16 records
[root@smallfry tmp]#

This may not seem like an important security threat at first glance, but it is. Anyone can use this command to determine all your servers' IP addresses, work out from the hostnames what type of server each one is, and then launch an appropriate cyber attack.

In a simple home network, without master and slave servers, zone transfers should be disabled. You can do this by applying the allow-transfer directive to the global options section of your named.conf file.

options {
    allow-transfer { none; };
};

Once applied, your zone transfer test should fail.

[root@smallfry tmp]# dig my-site.com AXFR
...
...
; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
; Transfer failed.
[root@smallfry tmp]#
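The check above is done by eye. The following is an added example (not code from the original post) that does the same audit from saved output: it parses the text of a `dig ... AXFR` run to decide whether the transfer completed and which hostname/address pairs it exposed, and it inspects the global options block of a named.conf to confirm allow-transfer is restricted. The sample dig output and named.conf fragments are constructed from this page; the slave-address variant goes beyond the page and shows the usual way to limit transfers to one secondary.

```python
import re

# Constructed samples, abbreviated from the dig sessions shown on this page.
OPEN_XFR = """; <<>> DiG 9.2.3 <<>> my-site.com AXFR
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com. 3600 IN NS ns1.my-site.com.
bigboy.my-site.com. 3600 IN A 192.168.1.100
gateway.my-site.com. 3600 IN A 192.168.1.1
ns1.my-site.com. 3600 IN CNAME www.my-site.com.
www.my-site.com. 3600 IN A 192.168.1.100
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
;; XFR size: 7 records
"""
CLOSED_XFR = """; <<>> DiG 9.2.3 <<>> my-site.com AXFR
; Transfer failed.
"""
# Constructed named.conf fragments: the fix from this page, a hypothetical master
# that only allows transfers to one slave's address, and a block with no directive.
CONF_NONE = "options {\n    allow-transfer { none; };\n};\n"
CONF_SLAVE = "options {\n    allow-transfer { 192.168.1.102; };\n};\n"
CONF_DEFAULT = "options {\n    directory \"/var/named\";\n};\n"

# name TTL IN type rdata  (comment lines start with ';' and never match)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def audit_axfr(dig_output):
    """Return (transfer_allowed, exposed) for the text of a `dig ... AXFR` run.

    A completed AXFR is bracketed by the zone's SOA record at the start and at
    the end; a refusal carries only comment lines such as '; Transfer failed.'.
    `exposed` lists the (hostname, address) pairs revealed by A records."""
    records = [m.groups() for m in map(RR_LINE.match, dig_output.splitlines()) if m]
    allowed = sum(1 for _, rtype, _ in records if rtype == "SOA") >= 2
    exposed = sorted((name, rdata) for name, rtype, rdata in records if rtype == "A")
    return allowed, exposed


def allow_transfer_acl(named_conf):
    """Return the address list of the global allow-transfer directive, or None.

    Only the options block is examined (assumed to end with '};' on its own
    line). None means no directive: treat that as unrestricted, since the
    historical BIND default permitted transfers to anyone."""
    opts = re.search(r"options\s*\{(.*?)\n\};", named_conf, re.S)
    acl = opts and re.search(r"allow-transfer\s*\{([^}]*)\}", opts.group(1))
    return acl.group(1).replace(";", " ").split() if acl else None


def transfers_restricted(named_conf):
    """True only when transfers are disabled or limited to an explicit address list."""
    acl = allow_transfer_acl(named_conf)
    return acl is not None and "any" not in acl
```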
