7.1 Introduction

Name server security is no great mystery. It's largely a matter of understanding the services a name server provides, then making sure it provides them only to authorized entities. Most name servers provide authoritative name service, recursive name service, and zone transfers, and some handle dynamic updates, too. Typically, you'll want to limit a name server to:

• Accepting recursive queries from the resolvers that are authorized to use it

• Accepting any nonrecursive queries in zones it's authoritative for

• Providing zone transfers only to authorized slaves

• Accepting dynamic updates only from authorized updaters

There are also a few operating system-level precautions you can take, such as running a name server in a chroot( ) "jail" and running it as a user other than root.

The trick, then, is identifying who's authorized to use the name server's services, and configuring the name server to enforce the necessary restrictions. This chapter helps you do both.