December 2012

Restricting DNS lookups for some servers and domains

DNS. The Domain Name System is a wonderful thing. Most of the brains out there are just not made for numbers, and with IPv6 the whole thing gets even more important. But there is a dark side, as always. The dark side of DNS is DNS tunneling. With this technique one is able to bypass a firewall completely, ignore proxy servers and render all your fancy and expensive network security devices useless.

There are definitely some servers or computers that don't need to be able to look up every existing domain name in the world. Think about your DMZ, for example. Restricting the domains your servers can look up makes it almost or – depending on your final config – absolutely impossible to build up a DNS tunnel. So I made an example config showing how to lock down a BIND server so that some computers can only look up certain domains, while all the others can still look up any domain. Of course, this is a minimalistic config and you should tune it to fit your needs, but it may give you an idea of how to configure BIND for your most secured servers.

enjoy.

// The clients in DMZ_NET can only look up domains known by
// INTERNAL_DNS and exception.org.
// This may be useful to prevent DMZ servers from opening DNS tunnels etc.
// Of course, INTERNAL_DNS must not allow forwarding...
// (it should be an authoritative-only server without recursion)
// DMZ_NET, INTERNAL_DNS, EXCEPTION_DNS and UPSTREAM_DNS are placeholders;
// put your own address ranges and server addresses there.
// The restriction only helps if the firewall lets the DMZ hosts reach
// no other DNS server than this one.
//
// Instead of forwarding, you can also define your zones directly
// in the view.
// BIND uses the first view whose match-clients fits, so the restricted
// view has to come before the unrestricted one.
view "limiteddnslookup" {
  match-clients { DMZ_NET; };
  allow-recursion { DMZ_NET; };
  recursion yes;
  // optional: internal forward servers
  forward only;
  forwarders { INTERNAL_DNS; };
  // optional: exception domain(s)
  zone "exception.org" {
    type forward;
    forwarders { EXCEPTION_DNS; };
  };
};
// This is for all the other clients in your network. They can look up any
// address they like that is known by UPSTREAM_DNS.
view "allothers" {
  recursion yes;
  match-clients { any; };
  include "/etc/bind/named.conf.default-zones";
  forwarders { UPSTREAM_DNS; };
};
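As an added example (not from the original post), here is a small Python audit of BIND query-log lines against the same policy: DMZ clients may only resolve the internal domain and the exception domain, so any other query from the DMZ shows that the restriction is being bypassed or probed, and query names with long, high-entropy labels are flagged as tunnel-like. The DMZ network, the domain suffixes and the log lines are constructed for the example.

```python
import ipaddress
import math
import re
from collections import Counter

# Constructed BIND query-log lines for this example (not from the original page).
SAMPLE_LOG = """\
12-Dec-2012 10:22:13.101 client 10.1.1.20#40123 (www.exception.org): query: www.exception.org IN A + (10.1.1.1)
12-Dec-2012 10:22:14.202 client 10.1.1.20#40124 (intranet.example.internal): query: intranet.example.internal IN A + (10.1.1.1)
12-Dec-2012 10:22:15.303 client 10.1.1.21#40125 (updates.debian.org): query: updates.debian.org IN A + (10.1.1.1)
12-Dec-2012 10:22:16.404 client 10.1.1.21#40126 (a8f3k2l9q1z7x4c6v0b5n2m8.evil-tunnel.example): query: a8f3k2l9q1z7x4c6v0b5n2m8.evil-tunnel.example IN TXT + (10.1.1.1)
12-Dec-2012 10:22:17.505 client 192.168.5.7#51000 (www.debian.org): query: www.debian.org IN A + (10.1.1.1)
"""

# Policy mirroring the restricted view (assumed values): DMZ clients may only resolve these suffixes.
DMZ_NET = ipaddress.ip_network("10.1.1.0/24")
ALLOWED_SUFFIXES = ("example.internal", "exception.org")

# Matches the old "client IP#port: query:" and the newer "client @ptr IP#port (name): query:" log formats.
LOG_RE = re.compile(r"client (?:@\S+ )?(\d+\.\d+\.\d+\.\d+)#\d+(?: \([^)]*\))?: query: (\S+) IN (\S+)")

def label_entropy(name):
    """Shannon entropy (bits) of the leftmost label; encoded tunnel payloads score high."""
    label = name.split(".")[0].lower()
    counts = Counter(label)
    return 0.0 if not label else -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def in_policy(client, qname):
    """True if the restricted view would answer this query (non-DMZ clients are unrestricted)."""
    if ipaddress.ip_address(client) not in DMZ_NET:
        return True
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit(log_text):
    """Return (client, qname, qtype, reason) for every query that violates the DMZ policy."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        if in_policy(client, qname):
            continue
        reason = "outside allowed domains"
        # Long or high-entropy leftmost labels are typical of data smuggled in query names.
        if len(qname.split(".")[0]) > 20 or label_entropy(qname) > 3.5:
            reason += "; tunnel-like label"
        findings.append((client, qname, qtype, reason))
    return findings
```

Run `audit(SAMPLE_LOG)` (or feed it the contents of your real query log) and review the returned findings; with the sample lines it reports the two queries from 10.1.1.21.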

Backup a list of all manually installed Debian packages

In Debian and all other systems with apt and dpkg, you can save a list of the manually installed packages on your system. This can help you set up a new server faster or make a re-installation less of a pain.

To save a list, run this:

dpkg --get-selections > ~/my-packages

To install all of them again, run this:

apt-get update
dpkg --set-selections < ~/my-packages
apt-get install --yes dselect
dselect update
apt-get dselect-upgrade

This, of course, should all be done as root. If you used special repositories and need them to install all the packages, you must also back up /etc/apt/sources.list.

© 2017 netmess
