- Make sure BIND is running under a non-root account:

  ```
  ps aux | grep bind | grep -v '^root'
  ```

- Change ownership and permissions on the locations below:

  ```
  chown -R root:bind /etc/bind
  chown root:bind /etc/bind/named.conf*
  chmod 640 /etc/bind/named.conf*
  ```

- Edit the file /etc/bind/named.conf.options (for example with vi) and add the following settings inside the “options” section:

  - Add the line below to replace the DNS version banner:

    ```
    version "Secured DNS server";
    ```

    Note: to test, run the command below:

    ```
    dig +short @localhost version.bind chaos txt
    ```

  - Add the line below to restrict recursive queries to trusted clients:

    ```
    allow-recursion { localhost; 192.168.0.0/24; };
    ```

    Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.

    Note 2: to test, run the command below:

    ```
    nslookup www.google.com
    ```

  - Add the line below to restrict query origins to trusted clients:

    ```
    allow-query { localhost; 192.168.0.0/24; };
    ```

    Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.

  - Add the line below to disable the nameserver ID response:

    ```
    server-id none;
    ```

  - Add the line below to restrict which hosts can perform zone transfers:

    ```
    allow-transfer { 192.168.1.1; };
    ```

    Note: Replace 192.168.1.1 with the trusted DNS server.

  - Add the line below to restrict the DNS server to listening on specific interfaces:

    ```
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
    ```

    Note: Replace 192.168.1.1 with the IP address of the DNS server.

- Restart the DNS daemon:

  ```
  service bind9 restart
  ```
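Once the options file has been edited, it is worth having a repeatable check that every directive from the steps above is actually present, that none of the ACLs was left at the wildcard `any`, and that the file permissions stuck. The script below is an added example written for this page, not part of the guide or of the BIND project: the function names are its own, and the two options blocks it inspects are constructed inline (one hardened as the guide describes, one typical of an unhardened install) so it runs without BIND installed. It parses `ls -l` for the permission check, which is an assumption about a conventional Linux layout.

```shell
#!/bin/sh
# Added example (not from the guide): audit a named.conf.options file for the
# directives this guide adds, flag ACLs left wide open with "any", and check that
# the file is not readable by "others". The two sample configs below are
# constructed here so the script runs without BIND installed; the function names
# are this example's own.

# Succeed if directive $2 appears uncommented at the start of a line in file $1.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|[{]|\")" "$1"
}

# Succeed if directive $2 in file $1 is set to the wildcard ACL "any".
is_wide_open() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*[{][[:space:]]*any[[:space:]]*;" "$1"
}

# Print one finding per line for file $1 (nothing printed means no findings).
audit_options() {
    for d in version server-id allow-recursion allow-query allow-transfer listen-on; do
        if ! has_directive "$1" "$d"; then
            echo "MISSING: $d"
        elif is_wide_open "$1" "$d"; then
            echo "OPEN: $d is set to { any; }"
        fi
    done
}

# Number of findings for file $1, as a plain integer.
audit_count() {
    audit_options "$1" | wc -l | tr -d '[:space:]'
}

# Succeed if "others" have any permission bit set on $1 (parsed from ls -l).
world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# --- constructed samples ---------------------------------------------------
HARDENED=$(mktemp)
WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

# Options block as this guide leaves it.
cat > "$HARDENED" <<'EOF'
options {
    directory "/var/cache/bind";
    version "Secured DNS server";
    server-id none;
    allow-recursion { localhost; 192.168.0.0/24; };
    allow-query { localhost; 192.168.0.0/24; };
    allow-transfer { 192.168.1.1; };
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
};
EOF
chmod 640 "$HARDENED"

# A typical unhardened options block: banner and server-id left at defaults,
# recursion and zone transfers open to everyone, no query ACL at all.
cat > "$WEAK" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-recursion { any; };
    allow-transfer { any; };
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
};
EOF
chmod 644 "$WEAK"

# Usage: report on both samples (expect no findings for HARDENED, five for WEAK).
for f in "$HARDENED" "$WEAK"; do
    echo "== $f: $(audit_count "$f") finding(s)"
    audit_options "$f"
    if world_accessible "$f"; then echo "PERMS: $f is readable by others"; fi
done
```

To use it against a live server, point `audit_options` and `world_accessible` at /etc/bind/named.conf.options instead of the constructed samples. The script only checks that the directives exist and are not `any`; it does not validate BIND syntax, so run `named-checkconf` (the syntax checker shipped with BIND, not shown in the guide) before the restart step. For the first step, note that on Debian the daemon process is named `named` and runs as the `bind` user, which is why the `ps aux | grep bind` filter above still matches it on the user column.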
Hardening guide for BIND9 (Debian platform)
