Chapter 5. Creating a Secure DNS Server


A good name is better than fine perfume.

Ecclesiastes 7:1, Holy Bible, New International Version

The Domain Name Service (DNS) is a critical service underpinning the entire Internet. Every nontrivial network has at least one DNS server. In the simplest case, a small organization may simply have a caching server that helps aggregate queries to the outside and answer queries about internal-only systems. Larger organizations operate many servers to handle higher demand for name resolution. DNS is at the heart of email communications, web communications, and SSL/TLS trust. We can't overstate its importance.

Yet, despite its central role in all Internet communications, DNS is surprisingly insecure. As a protocol, it was designed in the good old days of the Internet when servers trusted each other and malicious packets were few and far between. There are significant weaknesses in the protocol, and there have been significant problems with the programs that use the protocol.

In this chapter, we describe the security implications related to operating DNS servers. We outline some of the risks your organization faces related to DNS, and some of the ways to mitigate those risks. We focus on the two most common DNS servers for FreeBSD and OpenBSD: the Berkeley Internet Name Daemon (BIND) and Daniel J. Bernstein's DNS server (djbdns). We will compare and contrast the security postures of the two servers and how they approach the various risks related to DNS.

Having discussed the risks and mitigations, we will describe specific installation scenarios. We will describe how to isolate the DNS server in a sandbox and how to lock down the machine tightly to avoid compromise of the DNS service. Lastly, we will cover routine maintenance procedures and how they can be accomplished securely.

We will also discuss a few of the pros and cons about choosing which server software to run, but ultimately, the decision is yours. Our goal is to help you get it installed and running securely.



    Mastering FreeBSD and OpenBSD Security