Penetration Testing: Re: [PEN-TEST] DNS testing tool

Re: [PEN-TEST] DNS testing tool

From: Max Vision <vision_at_WHITEHATS.COM>
Date: Wed, 7 Mar 2001 16:32:14 -0800

On Wed, 7 Mar 2001, Simon Waters wrote:
> Laura Nuñez wrote:
> > I am trying to find any tool to pen test a DNS server, or
> > documentation about best practices to set it up.
>
> I'm about to review DNS Expert from Mice and Men - no idea yet but it
> gets good reviews - some security stuff is hard to automate as it
> implies you need to have both valid and invalid IP - nslookup can do
> zone transfers so no need to install extra software everywhere.
>

DNS Expert is excellent for troubleshooting DNS configuration issues, but
it only touches on security very briefly (spoofing vulnerability and SMTP
mail relay - though that's not really a DNS function IMHO).

I saw a decent overview of DNS security here:
http://www.acmebw.com/papers/securing.pdf

-stay current
-restrict zone transfers
-authenticate axfr with tsig (wh00ps!:)
-restrict dynamic updates
-protect against spoofing
-turn off recursion
-turn off glue fetching
-restrict queries
-restrict recursive queries
-split service name servers

Max
Received on Mar 08 2001
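
A configuration check for the items in the list above, added here as an example and not part of the original post: it reads named.conf text and returns the list items that the configuration fails. The BIND 8-style option names and the values assumed when an option is absent are assumptions (the post names no server software), and only the first occurrence of each option is examined.

```python
import re

# Checklist items from the post mapped to BIND 8-style named.conf options.
# Option names and absent-option defaults are assumptions, not from the post.
ACL_OPTS = [  # (checklist item, option, value assumed when absent)
    ("restrict zone transfers", "allow-transfer", "{ any; }"),
    ("restrict dynamic updates", "allow-update", "{ none; }"),
    ("restrict queries", "allow-query", "{ any; }"),
    ("restrict recursive queries", "allow-recursion", "{ any; }"),
]
BOOL_OPTS = [("turn off recursion", "recursion", "yes"),
             ("turn off glue fetching", "fetch-glue", "yes")]

# Constructed sample: transfers limited by address only, recursion left on.
SAMPLE = """options {
    allow-transfer { 192.0.2.2; };   // secondary, no TSIG key
    allow-query { 192.0.2.0/24; };
    /* recursion no; */
};"""

def option(conf, name, default):
    """Return the first value given for `name`, or `default` if it is not set."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)  # drop comments
    # The lookbehind stops "recursion" from matching inside "allow-recursion".
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{\s]+)\s*;", conf)
    return m.group(1) if m else default

def acl_elements(value):
    """Split an address match list such as '{ key xfer; 192.0.2.2; }' into elements."""
    return [e.strip() for e in value.strip("{} \t\n").split(";") if e.strip()]

def audit(conf):
    """Return the checklist items that `conf` (named.conf text) does not satisfy."""
    findings = []
    recursion_off = option(conf, "recursion", "yes") == "no"
    for item, name, default in ACL_OPTS:
        if name == "allow-recursion" and recursion_off:
            continue  # nothing to restrict when recursion is disabled outright
        if "any" in acl_elements(option(conf, name, default)):
            findings.append(item)
    xfer = acl_elements(option(conf, "allow-transfer", "{ any; }"))
    if not any(e in ("any", "none") or e.startswith("key ") for e in xfer):
        findings.append("authenticate axfr with tsig")  # limited by address only
    for item, name, default in BOOL_OPTS:
        if option(conf, name, default) != "no":
            findings.append(item)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```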
