On 06/16/2014 02:15 PM, James wrote:
> Hello,
>
> I'm reading up on how to secure DNS primary and secondary servers.
> I guess DNSSEC is pretty important. Any other areas I should read
> up on? It's been a few years since I admin'd a DNS server....

The benefits of DNSSEC are debatable. We're moving the centralized trust
from one group of scumbags (the CAs) to another group of scumbags (the
registrars). So the benefits to authentication are not entirely clear-cut.

But, DNSSEC will eventually allow us to do away with the SSL racket, and
that can only improve security through the widespread adoption of
encryption. So it's a good thing either way.

There's a video of DJB at the 27c3 conference floating around where he
discusses some of this stuff. Some of his points shouldn't be taken
seriously, but it's entertaining nevertheless.


>
> Also, look for gentoo centric DNS primary solutions, I see
> no mention of hardened, up-mounted or read only partitions,
> etc etc. I'm wondering if anyone has some general suggestions
> on how to keep a gentoo dns primary only machine secure.
>

Sven Vermeulen maintains some general suggestions here:

http://dev.gentoo.org/~swift/docs/security_benchmarks/


> The iptables suggestions seem trite and old.

Which suggestion? For a DNS server, you probably want something like:

iptables -P INPUT DROP
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT
iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP

# Allow SSH, up to you
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# And allow DNS traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
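An added example, not part of the mailing-list post: the same DNS-server input policy expressed in iptables-restore format, so the whole table is swapped in atomically rather than rule by rule (running the `-P INPUT DROP` line first, as above, briefly drops even the SSH session's packets until the ESTABLISHED rule is appended). The script generates the ruleset, sanity-checks it for default-deny and both DNS transports, and only loads it when explicitly asked. The FORWARD DROP / OUTPUT ACCEPT policies and the SSH_PORT variable are assumptions of this example, not something the post states.

```shell
#!/bin/sh
# Added example: atomic load of the DNS-server firewall policy via iptables-restore.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH stays on 22, as in the post

# Emit the ruleset on stdout in iptables-restore format.
# FORWARD DROP and OUTPUT ACCEPT are this example's choices, not the post's.
dns_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset file before loading it: INPUT must default to DROP,
# loopback must be allowed, and both UDP/53 and TCP/53 must be accepted.
# Returns non-zero (with a reason on stderr) on the first failed check.
check_ruleset() {
  f="$1"
  grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; return 1; }
  grep -q -- '-i lo -j ACCEPT' "$f" || { echo "loopback not allowed" >&2; return 1; }
  grep -q -- '-p udp --dport 53 -j ACCEPT' "$f" || { echo "UDP/53 missing" >&2; return 1; }
  grep -q -- '-p tcp --dport 53 -j ACCEPT' "$f" || { echo "TCP/53 missing" >&2; return 1; }
  return 0
}

# Apply atomically: iptables-restore -t parses the file without committing,
# then the real restore replaces the filter table in one step.
apply_ruleset() {
  f="$1"
  check_ruleset "$f"
  iptables-restore -t "$f"
  iptables-restore "$f"
}

# Usage (as root): sh dns-fw.sh apply
# Without the "apply" argument the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
  tmp=$(mktemp)
  dns_ruleset > "$tmp"
  apply_ruleset "$tmp"
  rm -f "$tmp"
fi
```

Because the counters block `:INPUT DROP [0:0]` sets the policy inside the same transaction as the ACCEPT rules, there is no window in which the policy is DROP but loopback and established traffic are not yet permitted.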