[sdnog] DNS problem

Daniel Shaw dshaw78 at gmail.com
Tue Jan 6 21:25:50 SAST 2015

Hello SdNoggers and Manhal,

>> I have some questions in the DNS
>> first one : 
>> Our DNS design is stealth “split-horizon” ,

Before I get onto your questions, I'd like to comment on the above with some words of caution.

I know there are certain situation where "split-horizon" DNS is necessary. Hence the existence of the feature in Bind and some others.

However, in my experience such situations are rare. I'd strongly urge you to review the need for "split-horizon". If you can get rid of that design it would make your DNS set up much simpler in terms of admin and troubleshooting. I find "split-horizon" very seldom gets you any real advantages.

If you are forced to keep split-horizon, and are considering adding DNSSEC in future (I hope you are), then you should also read this: https://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04

>> second : 
>> how to apply or implement some sort of security for the DNS ? like chroot , now i am not using chroot , can i use it after installing the bind and working with it ? is that will affect the DNS server , is there any risks ??? 
> in general, chroot'ing your DNS daemon is a good thing.  someone who knows this better than i do, has promised to respond to this  :-)

Indeed. There is no inherent risk in running bind or any other DNS software chroot-ed. Yes you can configure it after bind is already running.
Things to consider:

- While chroot config itself once running is not a problem, *any* change to an existing system has risks. If you have only one production NS server, do not make *any* change to it without testing first.
If you don't have any testing or staging infrastructure you can do this test in a VM on your own workstation of laptop. VirtualBox is free to download and can run on almost any desktop OS. A DNS server VM needs very very little hardware resources for testing only with no real query traffic.

- Adding chroot to *any* service (not only DNS) has some specific considerations - do some additional reading up about chroot generally.
But most software that is commonly set up in chroot, has packages that put everything in the right places. It only gets tricky is your copy of Bind is self-compiled or has a very non-standard config layout.

- Finally, while chroot is not difficult and definitely has security benefits, it's not enough on it's own. You need to understand what it protects from what:
Having your DNS service run chroot, protects the rest of your system in the event the DNS process is ever remotely exploitable in some way. That is, if there is a vulnerability in Bind, an attacker could not affect any other service, or steal unrelated data.
However, it does not protect the DNS service itself, only separates it from the rest of the OS. You must therefore still maintain and patch Bind itself to keep your DNS service itself safe.
It also does not protect against any other service being vulnerable. For example, if someone should guess your ssh password, chroot Bind doesn't help at all.
In summary: To "implement some sort of security for the DNS" would need a variety of things working together, of which chroot bind is just one.

Best regards,

More information about the sdnog mailing list