DNS hardening and often seen configuration errors 

The following DNS tips shows some often seen DNS configuration errors and some important security options, which are easy to implement.

Common Errors

SOA, MX and CNAME record points to a CNAME record

CNAME record usage is a bit controversial. Iit's safe to follow the rule that a MX, CNAME or SOA record should never refer to a CNAME record, they should only refer to something with an A record, look at the next example.

Correct is (marked in blue color), because ns.mydom.tld and www points to an A record.

@  IN SOA     ns.mydom.tld. hostmaster.mydom.tld. (
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum

                NS      ns.friend.tld.
                MX      10 mail.mydom.tld.  ; 1. Mail Exchanger
                MX      20 mail.friend.tld. ; 2. Mail Exchanger

localhost       A

ns              A
                MX      10 mail
                MX      20 mail.friend.tld.
www             CNAME   ns   ; OK
CNAME   ns   ; OK

Wrong is the following, the SOA and CNAME records point to another CNAME.

@  IN SOA     dns.mydom.tld. hostmaster.mydom.tld. ( ; Wrong !

foobar          CNAME   www  ; Wrong !

Security improvements

Restricting zone transfers

In order for your slave server(s) to be able to answer queries about your domain, they must be able to transfer the zone information from your primary server. Very few others have a need to do so. Therefore restrict zone transfers using the allow-transfer option only to your slave name servers.

allow-transfer {     // Restrict zone transfer only to
   193.146.352.6;    // My Secondary Nameserver;  // My Third Nameserver

Hide DNS Version

It's a good idea to hide the version of your DNS server

version "DNS Server Akadia"; // Hide bind version

Protecting against spoofing

Firstly, disable any queries for domains you don't own, except from your internal/local machines. Allow queries only for your managed domains. This not only helps prevent malicious use of your DNS server, but also reduces unnecessary use of your server.

options {
    allow-query  {           // Disable any queries we don't own;   // Queries from DMZ are OK;     // Queries from HSZ are OK
       localhost;            // Local Queries are OK

zone "akadia.ch" {
      type master;
      file "akadia-ch.zone";
      allow-query { any; };    // Allow queries for this domain