Protecting The DNS server against DDOS

[~Phil~]

Protecting The DNS server against DDOS

If you are managing a dns server with bind, your server might encounter such attacks. You will need to harden your DNS server (bind) using the below steps.

Check the /etc/hosts.conf and place this line, so that it prevents hostname spoofing.

Quote:

nospoof on

Now in /etc/named.conf

Quote:

Disable recursion

Options {
...
recursion no;
...}

Disable upward referrals (refuse referring to root servers) In the file Prevent spoofing add

Quote:

additional-from-cache no;

Prevent spoofing

In order to prevent spoofing, consider to use-id-pool to generate random message id to make guessing harder.

Quote:

use-id-pool yes; (only for Bind 8.x)

Disable Glue fetching

Quote:

fetch-glue no;

Besides these, be sure to disable notifications and zone transfers in your dns server.

Restrict zone transfers and notifications

Quote:

acl “trusted” {
XX.xx.xx.xx;
YY.YY.YY.YY;
};
allow-notify { trusted; };
allow-transfer { trusted; };

[Rachael]

In order to secure the DNS servers from the DDOS, the following measures can also be adopted; they will surely prove to be very effective.

1. Ensure that the DNS servers are clustered
2. Ensure that the DNS server is placed behind a firewall
3. It is advisable to use the firewall to perform the DNS queries; this reduces the organizational DNS risk
4. The DNS servers should not be chained as this strategy has seen the downfalls
5. Scan the DNS machine and make sure that no other ports are listening apart from the typical DNS ports
6. Remove all the other services from the DNS servers as there can be vulnerabilities within a badly created software