CSA DNS policy

TradeSecrets
Level 1

I noticed CSA does not have a Linux DNS policy. I want to protect my BIND even better. Any suggestions...

1 Reply

Danilo Dy
VIP Alumni

Basic security..

- when installing OS, install only the necessary services

- do not install gnome or other gui

- install iptables and only allow tcp/udp 53

- for administration, use only ssh and only permit specific source ip addresses

- bind can be configured with acl to only allow recursive queries for specific networks

- do not allow remote access to the root account, even over ssh. users need to "su -" to root after a successful login

Restrict the soa/master for access.

- You can hide it behind a fw and use a private ip with no outside network access to it.

- Only allow internet access to slaves

- When registering NS to Domain Authority and NIC (for reverse zone), only register slaves.

- The only connection to/from soa/master is the zone transfer from soa/master to slaves

Remember to configure all NS to download the zone from the root monthly. This can be done by creating a script and running it in cron.

You can scan it using nessus every 2 months to check for vulnerabilities.
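The ACL and zone-transfer restrictions suggested in the reply can be checked in a `named.conf` with a short script. This is an added example, not part of the original reply: both sample configurations are constructed, their addresses come from documentation ranges, and the parser is deliberately simplified (first occurrence of each option only, no nested match lists).

```python
import re

# Constructed sample configs (not from the original post).
WEAK_CONF = """
options {
    recursion yes;
    allow-transfer { any; };   // anyone can pull the zone
};
"""

HARDENED_CONF = """
acl "trusted" { 192.0.2.0/24; localhost; };
acl "slaves"  { 198.51.100.10; 198.51.100.11; };
options {
    recursion yes;
    allow-recursion { "trusted"; };  # recursive queries for specific networks only
    allow-transfer  { "slaves"; };   # zone transfer from master to slaves only
};
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* block */ comments
    return re.sub(r"(//|#).*", "", text)               # // and # line comments

def match_list(text, option):
    """Elements of the first `option { a; b; };` list, or None if the option is absent."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", text)
    if m is None:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    """Return a list of findings; an empty list means both restrictions are present."""
    text = strip_comments(conf)
    findings = []
    recursion_on = not re.search(r"\brecursion\s+no\s*;", text)
    rec = match_list(text, "allow-recursion")
    if recursion_on and (rec is None or "any" in rec):
        findings.append("no allow-recursion list, or it contains 'any'")
    xfer = match_list(text, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("no allow-transfer list, or it contains 'any'")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

For a real server, BIND's own `named-checkconf -p` prints the parsed configuration and is a more reliable input than the raw file.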
