Gentoo Archives: gentoo-user

From: Michael Orlitzky <mjo@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Secure DNS servers
Date: Mon, 16 Jun 2014 18:50:07
Message-Id: 539F3C43.8070503@gentoo.org
In Reply to: [gentoo-user] Secure DNS servers by James
On 06/16/2014 02:15 PM, James wrote:
> Hello,
>
> I'm reading up on how to secure DNS primary and secondary servers.
> I guess DNSSEC is pretty important. Any other areas I should read
> up on? It's been a few years since I admin'd a dns server....

The benefits of DNSSEC are debatable. We're moving the centralized trust
from one group of scumbags (the CAs) to another group of scumbags (the
registrars). So the benefits to authentication are not entirely clear-cut.

But, DNSSEC will eventually allow us to do away with the SSL racket, and
that can only improve security through the widespread adoption of
encryption. So it's a good thing either way.

There's a video of DJB at the 27c3 conference floating around where he
discusses some of this stuff. Some of his points shouldn't be taken
seriously, but it's entertaining nevertheless.


>
> Also, look for gentoo centric DNS primary solutions, I see
> no mention of hardened, up-mounted or read only partitions,
> etc etc. I'm wondering if anyone has some general suggestions
> on how to keep a gentoo dns primary only machine secure.
>

Sven Vermeulen maintains some general suggestions here:

http://dev.gentoo.org/~swift/docs/security_benchmarks/


> The iptables suggestions seem trite and old.

Which suggestion? For a DNS server, you probably want something like,

# Default-deny inbound: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -A INPUT -p ALL -i lo -j ACCEPT
# Accept replies belonging to connections this host already has open
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
    -j ACCEPT
iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP

# Allow SSH, up to you
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# And allow DNS traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
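The following is an added example and is not part of Michael's mail or of any Gentoo project code. It renders the same DNS-server ruleset in iptables-restore format so the whole filter table is loaded in one atomic step, instead of running the commands above one at a time (setting the DROP policy first, before the ESTABLISHED/RELATED rule exists, can stall the SSH session you are typing in). The management-network argument for SSH, the constructed 192.0.2.0/24 address used in the usage line, and the FORWARD DROP / OUTPUT ACCEPT policies are assumptions of this example, not something the mail specifies.

```shell
#!/bin/sh
# Added example (not from the mail above): emit the DNS-server ruleset in
# iptables-restore format. "#" lines are accepted by iptables-restore, so the
# comments can stay in the saved file.
#
# Assumption: $1 is the network allowed to reach SSH. The default 0.0.0.0/0
# keeps the mail's "up to you" behaviour (SSH from anywhere). FORWARD DROP and
# OUTPUT ACCEPT are assumed defaults for a host that only serves DNS.

gen_dns_ruleset() {
    ssh_src="${1:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and conntrack bookkeeping, as in the mail
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH, limited to the management source passed as the first argument
-A INPUT -p tcp -s ${ssh_src} --dport 22 -j ACCEPT
# DNS over UDP and TCP (TCP also carries zone transfers and large answers)
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Sanity check on a rendered ruleset before loading it: default policy must be
# DROP, port 53 must be open on both protocols, and the table must be committed.
# Returns 0 when every invariant holds, 1 otherwise.
check_dns_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -p udp --dport 53 -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -p tcp --dport 53 -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    return 0
}

# Usage (192.0.2.0/24 is a constructed documentation network):
#   gen_dns_ruleset 192.0.2.0/24 > /etc/iptables/dns-server.rules
#   check_dns_ruleset "$(cat /etc/iptables/dns-server.rules)" && \
#       iptables-restore < /etc/iptables/dns-server.rules
```

Because iptables-restore replaces the table in a single kernel operation, there is no window in which the DROP policy is active without the ESTABLISHED,RELATED rule, and the saved file doubles as the record of what the host is supposed to allow.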

Replies

Subject Author
[gentoo-user] Re: Secure DNS servers James <wireless@×××××××××××.com>
Re: [gentoo-user] Secure DNS servers Rich Freeman <rich0@g.o>