Infrastructure Security: System Hardening • Chapter 8 505
■ Protection of the server file system
■ Isolation of the FTP directories
■ Positive creation of authorization and access control rules
■ Regular review of logs
■ Regular review of directory content to detect unauthorized files and usage
DNS Servers
Hardening DNS servers consists of performing normal OS hardening, and then
considering the types of control that can be applied within the DNS service itself. Older
versions of BIND DNS were not always easy to configure, but current versions running
on Linux and UNIX platforms can be secured relatively easily. Microsoft's initial
offering of DNS on NT was plagued with integrity weaknesses, making internetwork
attacks much easier to accomplish, since information about the internal network was
easy to retrieve. By default, Windows 2003 prevents zone transfer operations to
machines that are not approved to request such information, thus better protecting
the resources in the zone files from unauthorized use.
When hardening a DNS server, it is important to restrict zone transfers so that
they will not be made to unauthorized or rogue servers.
Zone transfers should only be made to designated servers. Additionally, the
users who may successfully query the zone records with utilities such as
NSLookup should be restricted via the ACL settings. Zone files contain every record
entered for a zone; therefore, an unauthorized entity that retrieves the records has
obtained a map of what is generally the internal network, with hostnames and IP
addresses.
There are records within a DNS server that can be set for individual machines.
These include HINFO records, which generally contain descriptive information
about the OS and features of a particular machine. HINFO records were used in
the past to track machine configurations when all records were maintained
statically, and were not as attractive a target as they are today. A best practice in this
case is not to use HINFO records in the DNS server. Attackers attempt zone
transfers using the following sequence of commands: first, nslookup is typed at the
command line; next, the target's DNS server address is entered with server <ipaddress>;
then the set type=any command is entered. Finally, ls -d target.com is entered to
try to force the zone transfer. If successful, a list of zone records follows.
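The restriction described above, as an added example that is not part of the book: a BIND named.conf fragment showing the permissive transfer setting beside a hardened one that limits transfers to designated secondaries and requires a TSIG key. The zone name, secondary addresses, key name and secret are assumed placeholders.

```conf
// --- Weak (shown for contrast only): any host may pull the entire zone ---
// zone "example.com" {
//     type master;
//     file "/etc/bind/db.example.com";
//     allow-transfer { any; };
// };

// --- Hardened ---

// Designated secondaries only (placeholder addresses).
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

// TSIG key shared with the secondaries; generate a real one with
// `tsig-keygen xfer-key` and never reuse the placeholder below.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-TSIG-KEYGEN-OUTPUT=";
};

options {
    directory "/var/cache/bind";
    allow-transfer { none; };        // global default: no zone transfers anywhere
    allow-query { any; };            // ordinary lookups stay available
    version "not disclosed";         // do not advertise the server version
    notify explicit;                 // only notify the hosts listed in also-notify
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Transfer only to a requester that is in the ACL AND signs with the key.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

After editing, run `named-checkconf` and `named-checkzone example.com /etc/bind/db.example.com`, and grep the zone file for HINFO records so none remain published.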
www.syngress.com