Securing the BIND DNS server

sean, Fri, 10/17/2008 - 17:22

Two articles have been written; updates focus on the v9 paper:

  1. Hardening BIND v8: bind_hardening8.html
  2. Running BIND v9 DNS Server securely: bind9_20010430.html

The BIND v9 paper walks through compiling, installing and configuring a chroot'ed BIND v9 on Solaris 2.6 and 8. It also presents examples of advanced topics such as TSIGs and dynamic updates. It is specific to version 9 but aims to help existing BIND 8 administrators understand what is involved in migrating to v9.

Although originally written in 2001, the information may still be relevant to you. I no longer have productive Solaris servers; everything is on Linux these days.

Update 2012:

  • If installing BIND from scratch now, I'd suggest using firewalled Debian or Ubuntu LTS as the base OS with the standard packages and regular updates.
  • I've used several products in the years since the articles above were written: products like PowerDNS with its DB backends for more complex sites and dnsmasq for smallish organisations.
  • More recent reading: Wikipedia, The Measurement Factory; the O'Reilly book has been updated for IPv6 too.