Planning security measures

 

Domain Name System (DNS) provides security options to limit outside access to your server.

Securing your DNS server is essential. In addition to the security considerations in this topic, DNS security and System i™ security are covered in a variety of sources including the System i platform and the Internet topic collection. The book DNS and BIND also covers security related to DNS.

 

Address match lists

DNS uses address match lists to allow or deny outside entities access to certain DNS functions. These lists can include specific IP addresses, a subnet (using an IP prefix), or using Transaction Signature (TSIG) keys. You can define a list of entities to which you want to allow or deny access in an address match list. If you want to be able to reuse an address match list, you can save the list as an access control list (ACL). Then whenever you need to provide the list, you can call the ACL and the entire list will be loaded.

 

Address match list element order

The first element in an address match list that a given address matches is used. For example, to allow all addresses on the 10.1.1.x network except 10.1.1.5, the match list elements must be in the order (!10.1.1.5; 10.1.1/24). In this case, the address 10.1.1.5 will be compared to the first element and will immediately be denied.

If the elements are reversed (10.1.1/24; !10.1.1.5), the IP address 10.1.1.5 will be allowed access because the server will compare it to the first element, which matches, and allow it without checking the rest of the rules.

 

Access control options

DNS allows you to set limitations such as who can send dynamic updates to the server, query data, and request zone transfers. You can use ACLs to restrict access to the server for the following options:

allow-update

In order for your DNS server to accept dynamic updates from any outside sources, enable the allow-update option.

allow-query

Specifies which hosts are allowed to query this server. If not specified, the default is to allow queries from all hosts.

allow-transfer

Specifies which hosts are allowed to receive zone transfers from the server. If not specified, the default is to allow transfers from all hosts.

allow-recursion

Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts.

blackhole

Specifies a list of addresses that the server does not accept queries from or use to resolve a query. Queries from these addresses will not be responded to.

 

Parent topic:

Planning for Domain Name System

Related concepts
System i and Internet security

Related reference
BIND 8 features