BIND security is critical for protecting your DNS infrastructure. This guide covers security measures for both authoritative and recursive deployments.
The most important security measure is separating authoritative and recursive functions:
options {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
};
Enable DNS Cookies (RFC 7873), which let the server tell queries from clients that return a valid cookie apart from spoofed-source UDP queries used in amplification attacks:
options {
    // Send and answer DNS Cookies (enabled by default in BIND 9.16+).
    // Note: "dns-cookie" is not a named.conf option; the real options are send-cookie/answer-cookie
    send-cookie yes;
    answer-cookie yes;
    // Cookie secret (auto-generated if not specified)
    // cookie-secret "your-secret-key-here";
};
Configure RPZ for threat intelligence and blocking:
// Define RPZ zone
zone "rpz" {
    type master;
    file "/etc/bind/rpz.db";
    allow-query { none; }; // the policy zone is consulted internally, never served to clients
};
options {
    // Enable RPZ; "log yes" records every rewrite in the rpz logging category.
    // To log matches without rewriting while testing, add "policy disabled".
    response-policy { zone "rpz" log yes; };
};
RPZ zone file (/etc/bind/rpz.db):
$TTL 1H
@ SOA localhost. root.localhost. (
        2026022701 ; Serial
        2H         ; Refresh
        5M         ; Retry
        4W         ; Expire
        1H )       ; Negative TTL
@ NS localhost.
; Malware domains (CNAME . rewrites the answer to NXDOMAIN)
malware-site.com CNAME .
bad-domain.net CNAME .
; Ad servers
ads.example.com CNAME .
; IP-based blocking: triggers on answers containing 192.0.2.1.
; IP triggers are written as prefixlen.reversed-octets.rpz-ip, not as a bare address
32.1.2.0.192.rpz-ip CNAME .
; NODATA response (name exists, but the answer is empty)
phishing-site.com CNAME *.
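RPZ IP triggers use the reversed prefixlen.address.rpz-ip owner-name encoding, which is easy to get wrong by hand. The following Python helper is an added example, not part of the original page: it encodes IPv4 and IPv6 CIDR blocks as rpz-ip triggers (including the "zz" compression of a "::" run) and renders a complete policy zone. Function names, the RPZ_ACTIONS table and the sample rules are my own constructions.

```python
import ipaddress

# Friendly action name -> the RPZ CNAME target that encodes it.
RPZ_ACTIONS = {
    "nxdomain": "CNAME .",            # answer NXDOMAIN
    "nodata":   "CNAME *.",           # answer NODATA (empty answer)
    "drop":     "CNAME rpz-drop.",    # send no response at all
    "passthru": "CNAME rpz-passthru.",  # exempt the name from the policy
}

def rpz_ip_trigger(cidr: str) -> str:
    """Encode a CIDR block as an RPZ IP-trigger owner name.

    Format: prefixlen.<address written backwards>.rpz-ip. IPv6 words are
    hex without leading zeros, and a '::' run of zero words becomes 'zz'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    if net.version == 4:
        parts = str(addr).split(".")
    else:
        text = addr.compressed            # e.g. '2001:db8::' or '::1'
        if "::" in text:
            left, right = text.split("::")
            parts = ([w for w in left.split(":") if w] + ["zz"]
                     + [w for w in right.split(":") if w])
        else:
            parts = text.split(":")
    return f"{net.prefixlen}." + ".".join(reversed(parts)) + ".rpz-ip"

def rpz_record(trigger: str, action: str) -> str:
    """One RPZ record line; trigger is a QNAME or an rpz-ip owner name."""
    return f"{trigger} {RPZ_ACTIONS[action]}"

def build_rpz_zone(serial: int, qname_rules: dict, ip_rules: dict) -> str:
    """Render a complete RPZ zone file: SOA, NS, then the policy records."""
    lines = [
        "$TTL 1H",
        f"@ SOA localhost. root.localhost. ( {serial} 2H 5M 4W 1H )",
        "@ NS localhost.",
        "; QNAME triggers",
    ]
    lines += [rpz_record(name, act) for name, act in qname_rules.items()]
    lines.append("; IP triggers (match addresses in the answer)")
    lines += [rpz_record(rpz_ip_trigger(c), act) for c, act in ip_rules.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample rules (documentation addresses), not real indicators.
    print(build_rpz_zone(2026022701,
                         {"malware-site.com": "nxdomain", "phishing-site.com": "nodata"},
                         {"192.0.2.0/24": "nxdomain", "2001:db8::/32": "drop"}))
```

Bump the serial and run `rndc reload rpz` after regenerating the file so the running server picks up the new policy.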
BIND (9.18 and later) supports DoT for recursive queries to upstream servers. The tls block is a top-level statement, not an option, and is referenced by name from the forwarders list:
tls upstream-tls {
    ca-file "/etc/ssl/certs/ca-certificates.crt";
    // Verify the upstream certificate against this hostname
    remote-hostname "dns.google";
    // Optional: client certificate for mutual TLS
    // cert-file "/etc/bind/tls/client.crt";
    // key-file "/etc/bind/tls/client.key";
};
options {
    // Use TLS on port 853 for these forwarders
    forwarders port 853 tls upstream-tls { 8.8.8.8; 8.8.4.4; };
};
BIND can act as a DoH forwarder (requires external DoH proxy like dnsdist):
// Configure in combination with dnsdist as DoH frontend
// BIND listens on localhost, dnsdist handles DoH termination
Enable QNAME minimization to improve privacy. Accepted values are strict, relaxed, disabled and off ("yes" is not a valid value):
options {
    // Send only the minimum part of the query name to upstream servers
    qname-minimization relaxed;
    // Strict mode (may cause compatibility issues with some authoritative servers)
    // qname-minimization strict;
};
Implement granular access controls:
acl "trusted" {
    localhost;
    192.168.0.0/16;
    10.0.0.0/8;
};
acl "recursion-clients" {
    192.168.1.0/24;
    10.0.1.0/24;
};
acl "transfer-servers" {
    192.168.1.10;
    192.168.1.11;
};
options {
    allow-query { trusted; };
    allow-recursion { recursion-clients; };
    allow-transfer { transfer-servers; };
    allow-query-cache { trusted; };
};
Enable DNSSEC validation on recursive servers:
options {
    // dnssec-enable is obsolete and no longer needed; validation is controlled by dnssec-validation
    dnssec-validation auto; // Automatically uses the built-in root trust anchor
};
Secure zone transfers and dynamic updates with TSIG keys. Generate the key with tsig-keygen (the older dnssec-keygen HMAC mode is no longer available), which prints a ready-to-use key statement:
tsig-keygen -a hmac-sha256 transfer-key
key "transfer-key" {
    algorithm hmac-sha256;
    secret "your-generated-secret-here"; // paste the secret printed by tsig-keygen; use the same key on both servers
};
server 192.168.1.10 {
    keys { transfer-key; };
};
zone "example.com" {
    type slave;
    file "slaves/db.example.com";
    masters { 192.168.1.10 key transfer-key; };
    allow-transfer { key transfer-key; };
};
General hardening of the named service (which should run as the unprivileged bind or named user):
options {
    // Hide version information
    version "not currently available";
    // Cap cache lifetimes (cache snooping itself is prevented by allow-query-cache above)
    max-cache-ttl 86400;
    max-ncache-ttl 10800;
    // Limit query resources
    tcp-clients 100;
    max-udp-size 4096;
};
Protect against DNS amplification attacks on authoritative servers with response rate limiting:
options {
    rate-limit {
        responses-per-second 5; // identical responses per client /24 (IPv4) or /56 (IPv6) per second
        window 10;              // seconds over which the rate is averaged
        slip 2;                 // every 2nd limited response is a truncated reply, so real clients retry over TCP
        log-only no;            // set to yes to log without dropping while tuning
    };
};
Enable logging for security monitoring:
logging {
    channel security_log {
        file "/var/log/named/security.log" versions 10 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { security_log; };
    category network { security_log; };
    category unmatched { security_log; };
    // Also capture RPZ rewrites and rate-limit drops configured above
    category rpz { security_log; };
    category rate-limit { security_log; };
};
# These ACCEPT rules only help if the INPUT chain's default policy is DROP (or a final DROP rule follows)
# Allow DNS queries from trusted networks
iptables -A INPUT -p udp -s 192.168.0.0/16 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 53 -j ACCEPT
# Allow zone transfers only from specific servers
iptables -A INPUT -p tcp -s 192.168.1.10 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.11 --dport 53 -j ACCEPT
# Restrict RNDC access to the local host
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 953 -j ACCEPT
Other options worth reviewing:
options {
    empty-zones-enable no; // Only if serving private zones yourself
    auth-nxdomain no;      // Do not set the AA bit on NXDOMAIN answers from the cache
};
Set ownership and permissions on the configuration and zone directories. Directories need the execute bit to be traversable, so do not chmod -R 644 a directory tree; set directories and files separately:
# Debian/Ubuntu
chown -R bind:bind /etc/bind/
find /etc/bind/ -type d -exec chmod 750 {} +
find /etc/bind/ -type f -exec chmod 640 {} +
# RHEL
chown -R named:named /var/named/
find /var/named/ -type d -exec chmod 750 {} +
find /var/named/ -type f -exec chmod 640 {} +
Monitor for common attack patterns:
Have procedures ready for: