Securing the DNS server

You need to secure your DNS server. There are several items that need to be incorporated into your DNS security plan.

Following are security considerations when you choose to run DNS on your system:

  • The DNS server's function is name-to-address and address-to-name resolution. It does not provide any access to objects on your system. Your risk when an outsider accesses your DNS server is that the server provides an easy way to view the topology of your network: your DNS might save a hacker some effort in determining the addresses of potential targets. However, your DNS does not provide information that helps break into those target systems.
  • Typically, you use the DNS server for your intranet, so you probably do not need to restrict who can query it. However, you might, for example, have several subnetworks within your intranet and not want users from a different subnetwork to be able to query the DNS on your system. A DNS security option lets you limit access to a primary domain: use IBM Navigator for i to specify the IP addresses to which the DNS server should respond.

    Another security option lets you specify which secondary servers can copy information from your primary DNS server. When you use this option, your server will accept zone transfer requests (a request to copy information) only from the secondary servers that you explicitly list.

  • Be sure to carefully restrict the ability to change the configuration file for your DNS server. Someone with malicious intent can, for example, change your DNS file to point to an IP address outside your network. They can simulate a server in your network and possibly gain access to confidential information from users who visit that server.
  • Restrict the number of users who have authority to administer DNS. Administering DNS requires the following authority:
    • *IOSYSCFG special authority
    • *RW authority to the following files:
      /QIBM/UserData/OS400/DNS/<instance>/named.conf
  • In IBM® i 7.1, BIND 9 has enhanced certain aspects of security. Refer to the Internet Systems Consortium for more information.
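The two controls described above (limiting which addresses the server answers and which secondary servers may copy a zone) correspond to the `allow-query` and `allow-transfer` statements in the BIND 9 named.conf that IBM Navigator for i writes. The following is an added example, not code from IBM or ISC and not from this page: a constructed named.conf with the weak defaults beside a hardened version, and a small Python checker that flags a server that still answers everyone or lets any host pull a zone. It assumes standard BIND 9 configuration syntax; the acl names, the zone name, the instance name in the directory path, and the 192.0.2.x / 198.51.100.x addresses (RFC 5737 documentation prefixes) are constructed placeholders.

```python
"""Audit a BIND 9 named.conf for query and zone-transfer exposure.

Constructed example (not IBM's or ISC's code). Assumes standard BIND 9 syntax;
zone and acl names, the instance directory and all IP ranges are placeholders.
"""
import re

# Weak: no allow-query in options, and the primary zone lets any host copy it.
WEAK_CONF = """
options {
    directory "/QIBM/UserData/OS400/DNS/EXAMPLE";   // placeholder instance
};

zone "example.internal" {
    type master;
    file "example.internal.db";
    allow-transfer { any; };
};
"""

# Hardened: answer only the intranet, deny transfers globally, and let the
# zone opt in only for the explicitly listed secondaries.
HARDENED_CONF = """
acl "intranet"    { 192.0.2.0/24; 198.51.100.0/24; };
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/QIBM/UserData/OS400/DNS/EXAMPLE";   // placeholder instance
    allow-query    { "intranet"; };
    allow-transfer { none; };
};

zone "example.internal" {
    type master;
    file "example.internal.db";
    allow-transfer { "secondaries"; };
};
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot masquerade as statements."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` block."""
    blocks, depth, hdr, start = [], 0, [], None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((" ".join("".join(hdr).split()), text[start:i]))
                hdr = []
        elif depth == 0 and ch != ";":
            hdr.append(ch)
    return blocks


def address_list(body, statement):
    """Return the entries of `statement { a; b; };` in body, or None if absent."""
    m = re.search(rf"\b{re.escape(statement)}\s*\{{([^}}]*)\}}", body)
    if not m:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]


def audit(conf):
    """Return findings for unrestricted queries or zone transfers (empty = clean)."""
    options, zones = "", []
    for header, body in top_level_blocks(_strip_comments(conf)):
        if header == "options":
            options = body
        elif header.startswith("zone "):
            zones.append((header.split()[1].strip('"'), body))

    findings = []
    queries = address_list(options, "allow-query")
    if queries is None or "any" in queries:
        findings.append("options: allow-query is unrestricted; any client can query this server")

    global_xfer = address_list(options, "allow-transfer")
    for name, body in zones:
        if not re.search(r"\btype\s+(master|primary)\b", body):
            continue  # only primaries serve authoritative copies worth guarding here
        xfer = address_list(body, "allow-transfer")
        if xfer is None:
            xfer = global_xfer  # zone inherits the options-level setting
        if xfer is None or "any" in xfer:
            findings.append(f"zone {name}: allow-transfer is unrestricted; any host can copy the zone")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Running the script reports two findings for the weak configuration and none for the hardened one. The checker treats a missing statement as the BIND default (open), and a zone-level `allow-transfer` overrides the global one, which is why the hardened file can deny transfers in `options` and still serve the listed secondaries.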