Nevertheless, simple but important measures are frequently disregarded.
The problem is that these oversights or omissions lead to security issues in the DNS service itself.
As a consequence, everything that relies on DNS is affected as well.
As such, it's not difficult to see that the impact can be disastrous.
As a good practice, start right from the very beginning; as the British say, don't make a rod for your own back.
So here are a few important measures for running a DNS server:
- Keep the software as up-to-date as possible;
- Consider a robust networking scheme, such as IPMP or DLMP;
- Run the daemon on an immutable non-global zone (NGZ);
- Run the daemon under a non-root user account;
- Counter MAC spoofing and IP spoofing with link protection;
- Consider IPsec where feasible.
Assume an NGZ which is not yet (of course) immutable.
Suppose the following interface configuration is present:
dns-1# dladm show-link
LINK    CLASS  MTU   STATE  OVER
net7    phys   1500  up     --
dns-1# dladm show-phys
LINK    MEDIA     STATE  SPEED  DUPLEX  DEVICE
net7    Ethernet  up     1000   full    e1000g11
dns-1# dladm show-phys -m
LINK    SLOT     ADDRESS          INUSE  CLIENT
net7    primary  8:0:27:ad:65:e   yes    net7
dns-1# dladm show-linkprop -p allowed-ips,protection
LINK    PROPERTY     PERM  VALUE         DEFAULT  POSSIBLE
net7    allowed-ips  rw    192.168.0.17  --       --
net7    protection   rw    ip-nospoof    --       mac-nospoof,
                                                  restricted,
                                                  ip-nospoof,
                                                  dhcp-nospoof
NOTE
For the examples I'm using VirtualBox 4.3.6 on a Solaris 11 host.
On the host there are several VNICs over a single etherstub.
These VNICs are handed to the VirtualBox guests.
Non-global zones inside the guests can't use the anet resource.
The only choice in this particular case is the net resource.
In this scenario it seems impossible to set mac-nospoof, which is why only ip-nospoof appears in the VALUE column above.
In a real-world scenario anet resources would fill the gap.
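As an added example (not part of the original post), the following POSIX shell script audits the link-protection state of a zone's datalink against the measures listed above: allowed-ips set, and both mac-nospoof and ip-nospoof present in the protection property. It parses the machine-parsable output of dladm show-linkprop -c -o LINK,PROPERTY,VALUE (colon-separated fields). The two samples embedded in the script are constructed: the first reproduces the state of net7 shown above (ip-nospoof only), the second a fully protected link for contrast, so the script runs without dladm. The function name audit_link is my own.

```shell
#!/bin/sh
# Added example: audit link protection on a Solaris 11 datalink.
# Input format is the parsable output of
#   dladm show-linkprop -c -o LINK,PROPERTY,VALUE -p allowed-ips,protection LINK
# i.e. one "LINK:PROPERTY:VALUE" record per line (IPv4 values only here;
# parsable output escapes colons inside IPv6 addresses as "\:", not handled).

# Constructed sample reproducing net7 as shown on this page: ip-nospoof is set,
# mac-nospoof is not (the VirtualBox/net-resource limitation described above).
SAMPLE_NET7='net7:allowed-ips:192.168.0.17
net7:protection:ip-nospoof'

# Constructed sample of a link that satisfies all checks.
SAMPLE_OK='net7:allowed-ips:192.168.0.17
net7:protection:mac-nospoof,ip-nospoof'

# audit_link LINK   (parsable dladm records on stdin)
# Prints one line per missing control; returns 0 only when allowed-ips is set
# and the protection property contains both mac-nospoof and ip-nospoof.
audit_link() {
    link=$1
    input=$(cat)
    allowed=$(printf '%s\n' "$input" |
        awk -F: -v l="$link" '$1 == l && $2 == "allowed-ips" { print $3 }')
    prot=$(printf '%s\n' "$input" |
        awk -F: -v l="$link" '$1 == l && $2 == "protection" { print $3 }')
    rc=0

    # An unset allowed-ips leaves ip-nospoof with no static address to pin
    # the zone to; dladm prints it empty (parsable) or as "--" (tabular).
    case "$allowed" in
        ""|--) echo "$link: allowed-ips not set"; rc=1 ;;
    esac

    # The VALUE field is a comma-separated list; wrap it in commas so a
    # substring match cannot confuse e.g. "ip-nospoof" with "dhcp-nospoof".
    for want in mac-nospoof ip-nospoof; do
        case ",$prot," in
            *",$want,"*) ;;
            *) echo "$link: protection lacks $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on the constructed samples. On a real NGZ, feed
# the script live data instead:
#   dladm show-linkprop -c -o LINK,PROPERTY,VALUE -p allowed-ips,protection net7 | audit_link net7
printf '%s\n' "$SAMPLE_NET7" | audit_link net7 || echo "net7 (as on this page): not fully protected"
printf '%s\n' "$SAMPLE_OK" | audit_link net7 && echo "net7 (fully protected sample): OK"
```

Because mac-nospoof cannot be set in the VirtualBox scenario described in the note, the first sample is expected to fail the audit with exactly one finding; a zone using an anet resource should pass it.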
Check for reasonably up-to-date software.
If available, update the IPS repository to the latest SRU first.
# pkg info -r service/network/dns/bind | egrep '(State|Ver)'
          State: Not installed
        Version: 9.6.3.8.0 (9.6-ESV-R8)
Then check the respective ISC BIND security resources on the Internet (the ISC security advisory matrix).
For instance, for BIND 9.6-ESV-R8 it lists vulnerability #56:
56 | CVE-2013-6230 | A Winsock API Bug can cause a side-effect affecting BIND ACLs |
After assessing the information, the conclusion is that it's safe to proceed: the bug is in the Windows (Winsock) code path, and this environment consists only of Unix hosts, which aren't affected.
# pkg install -nv service/network/dns/bind
           Packages to install:  1
     Estimated space available: 13.98 GB
Estimated space to be consumed: 19.20 MB
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1
          Rebuild boot archive: No

Changed packages:
solaris
  service/network/dns/bind
    None -> 9.6.3.8.0,...

Services:
  restart_fmri:
    svc:/system/manifest-import:default
# svcs '*dns*'
STATE          STIME    FMRI
disabled       14:01:15 svc:/network/dns/client:default
disabled       14:01:18 svc:/network/dns/multicast:default
# pkg install service/network/dns/bind
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         14/14      0.4/0.4  778k/s

PHASE                                          ITEMS
Installing new actions                         44/44
Updating package state database                 Done
Updating image state                            Done
Creating fast lookup database                   Done
# pkg info service/network/dns/bind | egrep '(State|Ver)'
          State: Installed
        Version: 9.6.3.8.0 (9.6-ESV-R8)
# svcs '*dns*'
STATE          STIME    FMRI
disabled       14:01:15 svc:/network/dns/client:default
disabled       14:01:18 svc:/network/dns/multicast:default
disabled       15:04:12 svc:/network/dns/server:default
The next step is to perform the DNS server configuration.