13.6. Summary

DNS is a complex area, with a lot of potential for security breaches. It is also an essential service that organizations have to run, if they are going to communicate with the rest of the Internet.

While securing DNS can be complex, it really boils down to five basic principles:

  1. Always run the latest version of BIND.

  2. Each DNS server should run on a separate platform, in a different network.

  3. Separate authoritative and caching functions.

  4. Restrict access to caching name servers.

  5. Limit the information provided by authoritative name servers.
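
Principles 3, 4 and 5 are the ones that show up directly in a server's configuration, so the following added example (my own illustration, not code from the book or from ISC's BIND distribution) audits a small named.conf-style fragment against them. It contains a minimal brace-matching parser for a subset of named.conf syntax, three constructed configurations (one that mixes roles and leaves everything open, one hardened authoritative server, one hardened caching server), and an `audit()` function that reports which principle each weakness violates. The option names used (`recursion`, `allow-recursion`, `allow-query`, `allow-transfer`, `version`, `acl`, `zone`, `type`) are real BIND statements; the assumption that a missing `recursion` statement means recursion is on reflects BIND's default. Everything else, including the ACL names and addresses, is invented for the example.

```python
import re

# --- Constructed sample configurations (not taken from the book) --------------

# One server that is both authoritative and caching, with no restrictions at all.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Authoritative-only server: no recursion, transfers limited to known secondaries,
# version string hidden (principles 3 and 5).
HARDENED_AUTH_CONF = """
acl secondaries { 192.0.2.53; };
options {
    directory "/var/named";
    recursion no;
    version "not available";
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};
"""

# Caching-only server: no zones, recursion and queries limited to internal nets
# (principles 3 and 4).
HARDENED_CACHE_CONF = """
acl internal { 192.168.0.0/16; 10.0.0.0/8; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
    version "not available";
};
"""


def _blocks(conf, keyword):
    """Return (header, body) pairs for each top-level `keyword ... { body };`.

    Braces are matched by depth so nested statements such as
    `allow-transfer { none; };` stay inside the body they belong to.
    """
    found = []
    for m in re.finditer(r'^\s*(%s\b[^{]*)\{' % re.escape(keyword), conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        found.append((m.group(1).strip(), conf[m.end():i - 1]))
    return found


def _setting(body, name):
    """Value of `name value;` or `name { list };` inside body, or None if absent.

    The lookbehind stops `recursion` from matching inside `allow-recursion`.
    """
    pattern = r'(?<![\w-])%s\s+(\{[^}]*\}|[^;{]+);' % re.escape(name)
    m = re.search(pattern, body)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings, each naming the principle from the summary it violates."""
    findings = []
    opts = next((body for _, body in _blocks(conf, 'options')), '')
    # Only zones this server is authoritative for matter here.
    zones = [(h, b) for h, b in _blocks(conf, 'zone')
             if _setting(b, 'type') in ('master', 'slave')]
    # BIND recurses unless told not to, so an absent statement counts as "yes".
    recursive = _setting(opts, 'recursion') != 'no'

    if recursive and zones:
        findings.append('authoritative zones and recursion on one server (principle 3)')
    if recursive and not _setting(opts, 'allow-recursion'):
        findings.append('recursion open to any client (principle 4)')
    if recursive and not _setting(opts, 'allow-query'):
        findings.append('no allow-query restriction on a caching server (principle 4)')
    global_xfer = _setting(opts, 'allow-transfer')
    for header, body in zones:
        if not (_setting(body, 'allow-transfer') or global_xfer):
            findings.append('%s: zone transfers open to anyone (principle 5)' % header)
    if not _setting(opts, 'version'):
        findings.append('version string reveals the BIND release (principle 5)')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('auth', HARDENED_AUTH_CONF),
                        ('cache', HARDENED_CACHE_CONF)):
        print(label, audit(conf) or ['no findings'])
```

The parser handles only the flat `statement value;` and `statement { list };` forms used above; a production check would read the configuration through `named-checkconf -p` or an equivalent rather than hand-rolled regexes. The point of the split is visible in the output: the hardened authoritative and caching configurations each produce no findings, while the combined server trips all three principles at once.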

Depending on how comfortable an organization is with DNS management, it may consider running an alternative to BIND. While BIND is undoubtedly the leader in terms of domains served and available support, ...
