7.15.1 Problem
You want to protect a name server from spoofing attacks.
7.15.2 Solution
On a BIND 8.2 or later name server, set the use-id-pool options substatement to yes. This tells the name server to draw the message IDs in the headers of the queries it sends from an optional, better-randomized ID pool rather than from a predictable sequence. Message IDs that are hard to guess make it harder for an attacker to forge a response that the name server will accept as the answer to one of its outstanding queries. (On a BIND 9 name server you don't need use-id-pool, because the better randomization routines are standard.) Bear in mind that the message ID is only a 16-bit field, so randomizing it raises the cost of a spoofing attempt rather than ruling it out; that's why the other two measures below matter too.
Also, use the allow-recursion options substatement, as described in Section 7.12, to restrict the networks from which the name server will accept recursive queries. If it doesn't resolve recursive queries for arbitrary addresses on the Internet, an attacker has a much harder time inducing the name server to send queries to name servers under the attacker's control, which is the usual way of getting forged records into its cache.
Finally, you might use the technique introduced in Section 7.7 and configure the name server as authoritative for your important internal zones. A name server never caches data for a zone it is authoritative for, so it ignores records from those zones that turn up in answers from remote name servers. That makes it very hard for an attacker to spoof data in those zones.
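The three measures above combined in one named.conf fragment, as an added example that is not from the book. The ACL name, the 192.168.0.0/16 address block, the zone names and the zone file names are assumptions chosen for illustration:

```conf
// Added example named.conf fragment (not the book's own configuration).
// The ACL, addresses, zone names and file names below are assumptions.
acl "internal" { 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";

    // BIND 8.2 and later: choose query message IDs from the random ID pool
    // instead of a predictable sequence. Leave this line out on BIND 9,
    // where the better randomization is built in.
    use-id-pool yes;

    // Only hosts matching the "internal" ACL may use this server
    // recursively. Everyone else can still query the zones it serves but
    // can't make it go and ask other name servers on their behalf.
    allow-recursion { "internal"; };
};

// Loading the important internal zones makes the server authoritative for
// them, so records for these zones arriving in remote answers are ignored.
// A slave copy (type slave; masters { ...; };) gives the same protection.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.0";
};
```

After reloading the name server, check the recursion restriction from an address outside the ACL: a query for a name in a zone the server doesn't serve should come back without a resolved answer (typically a referral) rather than with the answer it would return to an internal host.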
7.15.3 Discussion
If the name server doesn't serve any recursive queriers at all, of course, configure it as an authoritative-only name server, as described in Section 7.6. A name server that never sends recursive queries has no outstanding queries for an attacker to spoof answers to.
7.15.4 See Also
Section 7.7 for loading internal zones, Section 7.12 for use of the allow-recursion substatement, and Section 7.6 for configuring an authoritative-only name server.