Install Bind as an authoritative DNS server

Revision as of 12:11, 13 August 2016 by Vincent (talk | contribs) (Response Rate Limiting)


Install

# apt install bind9

Configure

Warning: This page is a work in progress and is not completed. Important information might be missing or wrong.

Hide version

The version string is useful to an attacker searching for known vulnerabilities in your server. Let's make their life more difficult by hiding it.

Note that this is not an excuse to run old vulnerable software. The goal is only to slow down an attacker when a new exploit is published, so that you have enough time to update before getting pwned.

To prevent the version from being returned, edit the file /etc/bind/named.conf.options and add the version line inside the options block:

options {
    version "";
}

Response Rate Limiting (RRL)

DNS servers can be abused to perform DoS attacks on other innocent victims. There are several problems with that:

  • the attacker wastes your bandwidth while attacking other servers
  • the victim sees you as the source of the attack, so you can end up on blacklists, which will be an issue for you
  • you are making DoS attacks easier for attackers and contributing to the problem

For more details, read the quick introduction to response rate limiting from ISC (the authors of Bind).

Rate limiting renders such attacks ineffective while still answering legitimate queries. To enable it, add a rate-limit block inside the options block in /etc/bind/named.conf.options:

options {
        rate-limit {
                responses-per-second 10;
                exempt-clients { 127.0.0.1; ::1; };
        };
}
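To check that both settings from this page are actually present in a named.conf.options, here is an added Python audit script (not part of this wiki page nor of Bind itself; the two configuration samples inside it are constructed):

```python
"""Audit a BIND named.conf.options fragment for the two hardening settings
this page describes: a hidden version string and response rate limiting."""
import re

# Constructed sample: a default-looking options block with no hardening.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion no;
};
"""

# Constructed sample: the same block with both settings from this page applied.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion no;
    version "";                 // hide the BIND version
    rate-limit {
        responses-per-second 10;
        exempt-clients { 127.0.0.1; ::1; };
    };
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block_body(text, name):
    """Return the brace-balanced body of the first `name { ... }` statement."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return None  # unbalanced braces: treat the block as absent

def audit(conf):
    """Report whether the version is hidden and whether RRL is enabled."""
    options = block_body(strip_comments(conf), "options") or ""
    version = re.search(r'\bversion\s+("(.*?)"|none)\s*;', options)
    rps = re.search(r"\bresponses-per-second\s+(\d+)\s*;",
                    block_body(options, "rate-limit") or "")
    return {
        # hidden when set to the empty string (as on this page) or to `none`
        "version_hidden": bool(version) and version.group(1) in ('""', "none"),
        "rrl_enabled": rps is not None,
        "responses_per_second": int(rps.group(1)) if rps else None,
    }
```

Run `audit()` on the contents of your own /etc/bind/named.conf.options; a result with `version_hidden` or `rrl_enabled` set to False means the corresponding section of this page still needs to be applied.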