13.6 Summary


DNS is a complex area, with a lot of potential for security breaches. It is also an essential service that organizations have to run, if they are going to communicate with the rest of the Internet.

While securing DNS can be complex, it really boils down to five basic principles:

  1. Always run the latest version of BIND.

  2. Each DNS server should run on a separate platform, in a different network.

  3. Separate authoritative and caching functions.

  4. Restrict access to caching name servers.

  5. Limit the information provided by authoritative name servers.
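As an added illustration of principles 3 through 5 (this is example configuration written for this page, not text or code from the book), here are two BIND 9 `named.conf` fragments, one for a caching-only server and one for an authoritative-only server. The ACL names, addresses (RFC 5737 documentation ranges) and zone name are constructed placeholders.

```conf
// ---- File 1: named.conf on the CACHING (recursive) server ----
// Serves only internal clients; hosts no zones of its own (principle 3).
acl "internal" { 10.0.0.0/8; 192.0.2.0/24; };   // constructed internal ranges

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };          // assumed internal-facing interface
    recursion yes;                      // this box resolves on behalf of clients
    allow-query     { "internal"; };    // nobody outside may even ask (principle 4)
    allow-recursion { "internal"; };    // and only internal hosts get recursion
    version "not disclosed";            // do not advertise the BIND version
};
// Deliberately no zone statements here: a caching server should not also be a primary.


// ---- File 2: named.conf on the AUTHORITATIVE server ----
// Public, answers only for its own zones, never recurses (principle 3).
acl "secondaries" { 198.51.100.2; 203.0.113.2; };  // constructed secondary servers

options {
    directory "/var/named";
    listen-on { 198.51.100.1; };        // assumed public-facing interface
    recursion no;                       // refuse to resolve for anyone
    allow-transfer { "secondaries"; };  // zone transfers only to known secondaries (principle 5)
    version "not disclosed";            // hide the version string (principle 5)
};

zone "example.com" {                    // constructed zone name
    type master;
    file "db.example.com";
    // allow-query is left at its default (any): the zone data is meant to be public,
    // but transfers and version information are restricted by the options above.
};
```

Each fragment can be checked for syntax with `named-checkconf` before reloading. To confirm the version string is hidden and that the authoritative server refuses recursion, query it from an outside address with `dig @198.51.100.1 version.bind chaos txt` and `dig @198.51.100.1 www.example.org`; the first should return the placeholder text and the second should come back without the RA flag and without an answer.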

Depending on how comfortable an organization is with DNS management, it may consider running an alternative to BIND. While BIND is undoubtedly the leader in terms of domains served and available support, many other DNS daemons exist.

These daemons are often smaller and boast much better security than BIND. Programs such as djbdns have gained a lot of fame because of their inherent security. Be careful though; because the user base for these programs is small and the development team is also small, they tend to come and go. Dents and MaraDNS are two other alternatives to BIND that have faded away in recent years. Building a large DNS infrastructure around these programs may not be advisable.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska