Security Portal: DNS Security - closing the b(l)inds
Sep 29, 1999, 14:08
(Other stories by Kurt Seifried)
"DNS is one of the basic services that makes the Internet work; without it there would be no 'sun.com' or 'microsoft.com' or 'securityportal.com'. At one point the entire list of computers on the Internet fit easily into a single file (usually /etc/hosts), which was (and still is) a simple table of names and IP addresses..."
"DNS provides a 'phonebook' of hosts on your network, and like any company phone directory, it is an invaluable resource for someone planning an attack. Additionally, many companies now rely on services (such as email or web-based commerce) that rely on DNS servers to provide information to customers so that they can find the servers. However, many DNS servers, and the information they provide, are woefully unprotected. Bind 8.x provides several facilities to control access to your DNS servers."
"The first step is to define ACLs (access control lists) in your named.conf file, and then to use the 'allow-query' and 'allow-transfer' directives to grant or revoke access to information that the DNS server provides. DNS servers typically provide two kinds of information, the most obvious being domains that they host, such as example.com. This service is usually critical, as without it internal machines can't find each other, and customers won't be able to find your web site or email server. These domains usually contain a complete list of every piece of network-attached equipment in your infrastructure (such as firewall-nt.example.com) that can give an attacker help when planning an assault on your network..."
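The ACL and allow-query/allow-transfer directives the excerpt refers to, as an added named.conf example written for this digest (it is not from Seifried's article or from the BIND documentation). The network ranges, secondary server address, zone names and zone file names are constructed placeholders; the `internal` and `secondaries` ACL names are assumptions chosen for illustration. The commented-out `allow-transfer { any; };` line shows the permissive behaviour the tightened settings replace:

```conf
// named.conf (BIND 8.x syntax) - added example, not the article's own config.
// Addresses below are constructed placeholders from the RFC 5737/1918 ranges.

// Hosts on the internal network that may see internal names.
acl "internal" {
    10.0.0.0/8;        // assumed internal range
    127.0.0.1;         // the server itself
};

// Only the authorised secondary name servers may pull a full zone copy.
acl "secondaries" {
    192.0.2.10;        // assumed secondary server
    192.0.2.11;        // assumed secondary server
};

options {
    directory "/var/named";
    // Server-wide defaults; zone statements below override them.
    allow-query { any; };
    // Weak default: lets anyone on the Internet AXFR every zone and
    // walk the whole host list.
    // allow-transfer { any; };
    allow-transfer { secondaries; };
};

// Public zone: the world may query it, only secondaries may transfer it.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
    allow-transfer { secondaries; };
};

// Internal zone (hosts such as firewall-nt.example.com belong here):
// neither queries nor transfers are answered outside the internal network.
zone "internal.example.com" {
    type master;
    file "internal.example.com.zone";
    allow-query { internal; };
    allow-transfer { internal; };
};
```

After reloading named, verify the restriction from an address outside the `secondaries` ACL with a zone-transfer request such as `dig @ns1.example.com example.com AXFR`; a correctly configured server answers with a transfer-failed/refused status instead of listing the zone, and the refusal shows up in the server log, which is also a useful signal of someone enumerating your hosts. Note that the zone-level directives take precedence over the ones in `options`, so a zone statement without its own `allow-transfer` inherits the server-wide setting.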