DNS Server Hardening
|
|
Generic Server Hardening
|
|
| DNS Servers |
|
| DNS Specific Mailing Lists |
|
| DNS Related RFCs |
|
| DNS Server Hardening |
|
| UnUsed IP# in Your Class-C |
After you have assigned, IP# to your machines,
create a dummy machine occupying the rest of the unused ip#
SourceForge.net LaBrea
|
| Caching-Only DNS Server |
PacketStormSecrity.nl Caching only DNS Server
Zytrax.com
- vi /etc/named.conf
options {
directory "/var/named";
forwarders {
// your primary and secondary local DNS servers
192.168.1.1;
192.168.1.2;
};
};
- vi /etc/resolv.conf
# nameserver 1.2.3.4
nameserver 127.0.0.1
|
| Non-Routeable IPs |
Cymru.com
0.0.0.0/8
1.0.0.0/8
2.0.0.0/8
10.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3
|
| IP Masks |
FAQS.org RFC 1860 - Variable Length Subnet Table For IPv4
CoreCom.com
TelusPlanet.net Network Calculator
SubnetOnline.com
Router.de
RalphB.net Subnetting
Subnetmask.info
UIC.edu ip subnetting
Class-C Setup ( 254 hosts )
192.168.1.0 Network
255.255.255.0 NetMask
192.168.1.255 BroadcastMask
NetMask Options
/16 255.255.0.0
/17 255.255.128.0
/18 255.255.192.0
/19 255.255.224.0
/20 255.255.240.0
/21 255.255.248.0
/22 255.255.252.0
/23 255.255.254.0
/24 255.255.255.0 == 256 hosts
/25 255.255.255.128 == 128 hosts
/26 255.255.255.192 == 64 hosts
/27 255.255.255.224 == 32 hosts
/28 255.255.255.240 == 16 hosts
/29 255.255.255.248 == 8 hosts
/30 255.255.255.252 == 4 hosts
/31 255.255.255.254 == 2 hosts
/32 255.255.255.255 == 1 host
10.10.192/19 means all possible combinations of a.b.c.d where
(a.b.c.d & 255.255.224.0) == 10.10.192.0
10.10.192/19 is 10.10.192.0 - 10.10.233.255
10.10.0/18 is 10.10.0.0 - 10.10.63.255
|
| DNS Examples |
|
| Example Primary DNS |
|
| Example Secondary DNS |
Linux-Sec.net/DNS/Example Example DNS files
- Old ( Bind-4 ) style named.boot method
- vi /etc/named/named.boot
secondary primary.com 1.2.3.4 ZX/primary.zx
- boot2conf.pl < named.boot > named.conf
- New ( Bind-8 ) named.conf method
- vi /etc/named/named.conf
zone "primary.com" {
type slave;
file "ZX/primary.zx";
masters {
};
};
- Restart the named daemon
- Local Copy of the Dailup RBL list
- Bind-4 format
secondary dialups.mail-abuse.org 204.152.184.74 dialups.mail-abuse.org.ZX
- Bind-8 format
zone "dialups.mail-abuse.org" {
type slave;
file "dialups.mail-abuse.org.ZX";
masters { 204.152.184.74; };
allow-transfer { none; };
allow-query { any; };
allow-update { none; };
};
|
| Round Robin DNS ( load balancing ) |
|
| GUIs for DNS management |
- if you cannot manually edit the zone files and know that all the data is correct, your gui tools will NOT solve your problems
DNSZone.org dns gui
Sauron.jyu.fi Sauron
|
| Free Secondary DNS |
|
| Domain Name Queries/Testing |
Changing the Version Banner
- nslookup
- nslookup
> server dns.Another-DNS-Server.net
> set q=A
> set q=ns
> set q=CNAME
> set q=MX
> set q=PTR
> www.target.com
- nslookup -querytype=mx foo.com
- nslookup Target.com
- nslookup 192.168.1.1
Should return MachineName.YoourDomain.com
nslookup -q=txt -class=chaos version.bind domain-name.com -- bind version
- Dig
dig @localhost version.bind chaos txt -- bind version
dig @192.168.1.85 www.target.com axfr
dig @a.root-servers.net -x w.x.y ns ( for w.x.y.z ip# )
dig axfr target.com @192.168.1.85
dig @your-dns-server foo.com
dig -t a www.svlug.org @64.62.190.98 +short
dig +trace www.svlug.org
- host
host foo.com
host -t ns foo.com
host -t mx foo.com
host -v -t any foo.com
|
| DNS Server Auditing/Testing |
|
| Who Owns a Particular Domain |
|
| Domain Name Registrars |
|
| NICs Around the World |
|
| Domain Name Resellers |
|