DNS HOWTO : Basic security options. : Protecting against spoofing
Previous: Restricting zone transfers
Next: Running named as non-root

6.2. Protecting against spoofing

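First, refuse queries for domains you don't own, except from your internal/local machines. This not only helps prevent malicious use of your DNS server, but also reduces unnecessary load on it. In the configuration below, the global allow-query in options limits queries to the local network, and each zone you are authoritative for overrides it with any.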


options {
      allow-query { 192.168.196.0/24; localhost; };
};

zone "freebsd.bogus" {
      allow-query { any; };
};

zone "196.168.192.in-addr.arpa" {
      allow-query { any; };
};

Further, disable recursive queries except from internal/local sources. This reduces the risk of cache poisoning attacks (where false data is fed to your server).


options {
      allow-recursion { 192.168.196.0/24; localhost; };
};
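
A way to check that a named.conf actually carries both restrictions, as an added example that is not part of the original HOWTO: it flags a missing or wide-open allow-query / allow-recursion in options and lists the zones that answer any client, so you can confirm you own every one of them. It assumes top-level options and zone blocks (no views) and literal address entries rather than named ACLs; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: this section's settings merged into one named.conf.
SAMPLE_CONF = """
options {
    allow-query { 192.168.196.0/24; localhost; };
    allow-recursion { 192.168.196.0/24; localhost; };
};
zone "freebsd.bogus" { allow-query { any; }; };
zone "196.168.192.in-addr.arpa" { allow-query { any; }; };
"""
OPEN = {"any", "0.0.0.0/0", "::/0"}  # entries that admit every client

def blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", text, flags=re.S)  # drop comments
    depth, start, body_start, header = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, body_start = text[start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
        elif ch == ";" and depth == 0:
            start = i + 1  # next statement begins after the terminator

def acl(body, option):
    """Entries of `option`'s address-match list in a block body, or None if unset."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^{}]*)\}", body)
    return None if m is None else {e.strip() for e in m.group(1).split(";") if e.strip()}

def audit(conf_text):
    """Return (findings on the options block, zones that answer any client)."""
    parsed, findings = list(blocks(conf_text)), []
    opts = " ".join(body for header, body in parsed if header == "options")
    for option in ("allow-query", "allow-recursion"):
        entries = acl(opts, option)
        if entries is None:
            findings.append(option + " is not set in options")
        elif entries & OPEN:
            findings.append(option + " in options admits any client")
    public = [h.split()[1].strip('"') for h, b in parsed
              if h.startswith("zone ") and (acl(b, "allow-query") or set()) & OPEN]
    return findings, public
if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```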
