Securing an Internet Name Server: CERT® Coordination Center
While it is important for network administrators to secure any host connected to the Internet, they must give name servers special consideration due to the important role they play. The purpose of this document is to outline some common steps that can be taken to secure an Internet Name Server from various types of attacks.

Run a new version of your name server software

As with any piece of software, name server software evolves with each release. Virtually all older name servers have widely known vulnerabilities that can be exploited. Vulnerabilities that appear in one version are usually fixed in subsequent releases.

Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.

Securing an Internet Name Server
CERT Coordination Center

Allen Householder, CERT/CC
Brian King, CERT/CC
In collaboration with Ken Silva, Verisign
Based in part on a presentation originally created by Cricket Liu
August 2002

CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. Copyright 2002 Carnegie Mellon University

DNS overview

Domain name system (DNS) servers translate names suitable for use by people such as into network addresses . suitable for use by computers. There are a number of different name server software packages available today. Berkeley Internet Name Domain (BIND), produced by the Internet Software Consortium http, is the most widely deployed name server package and is available on a wide variety of platforms. Other popular DNS packages include Microsoft DNS and djbdns.

The goal of this document is to discuss general name server security. However, in order to provide useful examples, we have chosen to focus on BIND, since it is the most commonly used software for DNS servers.
Risks to name servers

Name servers exposed to the Internet are subject to a wide variety of attacks:

- Attacks against the name server software may allow an intruder to compromise the server and take control of the host. This often leads to further compromise of the network.
- Denial of service attacks, even one directed at a single DNS server, may affect an entire network by preventing users from translating hostnames into the necessary IP addresses.
- Spoofing attacks that try to induce your name server to cache false resource records and could lead unsuspecting users to unsavory sites.
- Information leakage from a seemingly innocent zone transfer could expose internal network topology information that can be used to plan further .