Basic DNS Security

Post ported from old site.
 
Basic DNS (BIND9) security -- and I do mean basic -- comes in the form of two simple options placed in the options { ... } section of your named.conf. The first is to turn off recursion and the second is to hide the BIND version.
 
Why do we want to do these things?
 
Well, allowing your DNS server to provide non-authoritative results for other hosts (recursive queries) means that your DNS server can be hijacked and used to perform Denial of Service attacks against the authoritative host. Recursive queries can also be used to perform DNS cache poisoning on your server!
 
Obscuring the BIND version number is a bit of smoke and mirrors, security through obscurity. It is not really a security measure in itself, but it makes the job of the would-be hacker more difficult, as they won't be able to run any version-specific attacks without doing some legwork. This effectively puts an end to the average script kiddie, and most professionals will go elsewhere for an easier target.
 
How do you do these things?
 
As mentioned before, in the options { ... } section of your named.conf (or another file, depending on how you are set up, perhaps named.conf.options) it is as simple as:
 
recursion no;
 
and
 
version "Version not available.";
 
You can put whatever you want between the quotes on the version line. You may want to put something misleading such as "response timed out..." or mildly humorous like "DNS brought to you by BIND, sponsored by ... request timed out..."
 
I told you I really meant BASIC! And always remember to practice safe blogging!