
DNS Security

Vegito

Diamond Member
I know DNS uses UDP 53, but they also say that sometimes, when the packet is too big, it'll switch to TCP 53... Should I only have the UDP port open, or doesn't it matter?

Also, I'm building a new DNS server; what software should I use for the greatest security against hackers or spoofing? Software & OS... thanks.
 
Do not leave TCP 53 open. I believe the Ramen worm used that to crack plenty of Red Hat servers a while back. It's just a bad idea 😉

TCP 53 is also used for zone transfers, so leaving that open for your other DNS servers would be OK.

I like OpenBSD and djbdns. OpenBSD has a good track record and I know the OS well enough. djbdns is written by Dan Bernstein (http://cr.yp.to), the author of qmail. It is very easy to set up, and it also has a good track record. djbdns will work on a number of UNIX-compatible systems, but I believe he develops on OpenBSD.

If you want to use the daemon that set the standards, go with BIND. I recommend BIND 4.9.x, but 9.x is also looking promising. From what I have been told, and I could have heard wrong, BIND 8.x is just a clusterfsck of code and not worth trying to sort it out to audit the system.
 
I believe the cutoff for switching to TCP is 504 bytes in the DNS response, but I can't recall for sure. As long as you aren't assigning too many addresses to a single name, and don't plan on allowing zone transfers, I don't think you'll have any problems with cutting off TCP over port 53. Best bet is to just try it and see what breaks. You probably need to allow TCP over port 53 responses, in case your DNS box queries another, gets too large a response, and has to fall back to a TCP query, but you'll likely not need to allow incoming TCP queries.

RagManX
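To make the UDP-to-TCP switch discussed in this thread concrete, here is an added example (not code from the thread or from any of the servers mentioned): a minimal DNS client that sends a query over UDP 53 and retries over TCP 53 only when the reply comes back with the TC (truncated) bit set. The message layout follows RFC 1035, whose classic UDP payload ceiling is 512 bytes (larger UDP answers need EDNS0, which this client does not negotiate). The resolver address in the `__main__` block and the `constructed_truncated_response` helper are assumptions made for illustration.

```python
# Added example: DNS over UDP with fallback to TCP when the TC bit is set.
# Not from the original thread; message format per RFC 1035. The resolver
# address used at the bottom is an assumption; pass your own on the CLI.
import socket
import struct
import sys

UDP_MAX_PAYLOAD = 512   # RFC 1035 limit for DNS over UDP without EDNS0
FLAG_QR = 0x8000        # response (vs. query)
FLAG_TC = 0x0200        # TrunCation: answer did not fit, retry over TCP
FLAG_RD = 0x0100        # recursion desired
FLAG_RA = 0x0080        # recursion available
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0x1234) -> bytes:
    """Encode a standard query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the header fields that drive the UDP-to-TCP decision."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(response: bytes) -> bool:
    """True when the server set TC, i.e. the UDP reply is incomplete."""
    return parse_header(response)["tc"]


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data: bytes) -> bytes:
    """Strip the TCP length prefix, refusing frames shorter than declared."""
    if len(data) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("TCP frame shorter than its declared length")
    return data[2:2 + length]


def constructed_truncated_response(query: bytes) -> bytes:
    """Constructed sample of what a server sends when the full answer would
    exceed the UDP limit: same ID and question, QR=1, TC=1, no answer records."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags |= FLAG_QR | FLAG_RA | FLAG_TC
    return struct.pack("!HH", qid, flags) + query[4:]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection mid-message")
        buf += chunk
    return buf


def resolve(name: str, server: str, timeout: float = 3.0) -> tuple:
    """Query over UDP; fall back to TCP only if TC is set. Returns (msg, transport)."""
    query = build_query(name)
    qid = parse_header(query)["id"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(UDP_MAX_PAYLOAD)
    if parse_header(reply)["id"] != qid:
        raise ValueError("UDP reply ID mismatch (stale or spoofed reply)")
    if not needs_tcp_retry(reply):
        return reply, "udp"
    # The querying host opens the TCP connection itself, so its firewall only
    # needs outbound TCP 53 plus the established return traffic.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        reply = _recv_exact(tcp, length)
    if parse_header(reply)["id"] != qid:
        raise ValueError("TCP reply ID mismatch")
    return reply, "tcp"


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed address
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    msg, transport = resolve(qname, resolver)
    print(f"{transport}: {parse_header(msg)}")
```

The design point relevant to the firewall question: the TCP retry is always initiated by the host that asked, so a stateful ruleset that permits outbound TCP 53 and its return traffic covers your own server's lookups. Inbound TCP 53 on your server is only required if it must answer queries whose responses exceed the UDP limit, or serve zone transfers (AXFR) to secondaries, and in that case it can be restricted to those secondaries' addresses.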
 