Cisco Support Community

CSA DNS policy

I noticed CSA does not have a Linux DNS policy. I want to protect my BIND even better. Any suggestions...


Re: CSA DNS policy

Basic security:

- when installing OS, install only the necessary services

- do not install gnome or other gui

- install iptables and only allow tcp/udp 53

- for administration, use only ssh and only permit specific source ip addresses

- bind can be configured with an acl to only allow recursive queries for specific networks

- do not allow remote access to the root account even in ssh. Users need to "su -" to root after a successful login

Restrict the soa/master for access.

- You can hide it behind a fw using a private ip with no outside network access to it.

- Only allow internet access to slaves

- When registering NS to Domain Authority and NIC (for reverse zone), only register slaves.

- The only connection to/from soa/master is the zone transfer from soa/master to slaves

Remember to configure all NS to download the zone from the root monthly. This can be done by creating a script and running it in cron.

You can scan it using nessus every 2 months to check for vulnerabilities.
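The reply above is a checklist rather than a configuration. The script below is an added example (not posted in this thread and not part of BIND or CSA) that turns the checklist into something you can run: it checks a named.conf for a restricted `allow-recursion` and `allow-transfer` (the ACL and hidden-master points), checks sshd_config for `PermitRootLogin no`, and prints, without applying, an iptables ruleset that admits only DNS plus SSH from an admin network. The config file paths are parameters, and the sample named.conf and sshd_config files it writes to a temp directory, with the 192.0.2.0/24 and 198.51.100.x addresses, are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks the hardening points listed in
# the reply against BIND and sshd config files, and prints (does not apply) an
# iptables ruleset for a DNS server. All sample files and addresses are constructed.

# named.conf: recursion must be limited to an ACL, never "any"
check_bind_recursion() {
    conf="$1"
    grep -Eq 'allow-recursion[[:space:]]*[{]' "$conf" || return 1
    if grep -Eq 'allow-recursion[[:space:]]*[{][[:space:]]*any[[:space:]]*;' "$conf"; then
        return 1
    fi
    return 0
}

# named.conf: zone transfers must be limited to the slaves (hidden-master model,
# where the only traffic to/from the master is the transfer to its slaves)
check_bind_transfer() {
    conf="$1"
    grep -Eq 'allow-transfer[[:space:]]*[{]' "$conf" || return 1
    if grep -Eq 'allow-transfer[[:space:]]*[{][[:space:]]*any[[:space:]]*;' "$conf"; then
        return 1
    fi
    return 0
}

# sshd_config: no direct root login (admins log in as a user and "su -")
check_ssh_root() {
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# Print an iptables ruleset: DNS from anywhere, SSH only from the admin network
# given as $1, everything else dropped. Output is text for review, not executed.
print_dns_firewall_rules() {
    admin_net="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $admin_net --dport 22 -j ACCEPT
EOF
}

# --- constructed sample files (demonstration only) ------------------------
SAMPLE_DIR=$(mktemp -d)

# Hardened master: recursion only for the internal net, transfers only to slaves
cat > "$SAMPLE_DIR/named.good.conf" <<'EOF'
acl "internal" { 192.0.2.0/24; };
acl "slaves"   { 198.51.100.10; 198.51.100.11; };
options {
    allow-recursion { internal; };
    allow-transfer  { slaves; };
    notify explicit;
    also-notify { 198.51.100.10; 198.51.100.11; };
};
EOF

# Open resolver / open transfer: what the checks should flag
cat > "$SAMPLE_DIR/named.bad.conf" <<'EOF'
options {
    allow-recursion { any; };
    allow-transfer { any; };
};
EOF

printf 'PermitRootLogin no\nPasswordAuthentication yes\n' > "$SAMPLE_DIR/sshd.good"
printf 'PermitRootLogin yes\n' > "$SAMPLE_DIR/sshd.bad"

# Stand-alone run: report the result of each check per sample file
for f in named.good.conf named.bad.conf; do
    check_bind_recursion "$SAMPLE_DIR/$f" && r=ok || r=FAIL
    check_bind_transfer  "$SAMPLE_DIR/$f" && t=ok || t=FAIL
    echo "$f: recursion=$r transfer=$t"
done
for f in sshd.good sshd.bad; do
    check_ssh_root "$SAMPLE_DIR/$f" && s=ok || s=FAIL
    echo "$f: root-login-disabled=$s"
done
print_dns_firewall_rules 192.0.2.0/24
```

Point the check functions at the real `/etc/named.conf` and `/etc/ssh/sshd_config` on a slave to get a quick pass/fail for the ACL and root-login items; the printed iptables lines are only a starting ruleset and still need the outbound and zone-transfer rules for your own master/slave addresses.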