DNS servers have been a favorite target of internet vandals for quite some time. Consider: if I could compromise the DNS server you are using, I could fool you into thinking that my computer is any other computer. I could build a website just like your bank's and perhaps collect account numbers and PINs. If I compromised your company's DNS server, I could disrupt its business severely. It is therefore important to make your DNS server as secure as possible.

The following steps will help secure your DNS server:

  • Avoid running the named daemon as root.
  • Run the named daemon in a chrooted environment, sometimes called a chroot jail.
  • Promptly apply security patches.
  • Log DNS activity and review the logs.
  • Use transaction signature keys to control transfers and updates.

Fortunately, with newer versions of the DNS server software these steps are easier to accomplish than with earlier versions. The named daemon can be started with command-line parameters that set up the chroot jail and run the daemon as the desired user. The following command runs the daemon as user "named", locked into /var/named:

    /usr/sbin/named -u named -t /var/named

An added measure of protection is to make /var/named its own filesystem. That way, if the named daemon is exploited, the damage is contained to /var/named and does not affect the OS or the health of the server beyond the named process itself.

The following steps are required to chroot named:

  • Create named user and chroot jail.
  • Make directories within the jail for etc, zones and logs.
  • Copy named.conf to ~named/etc.
  • Edit ~named/etc/named.conf so that its path entries reflect that ~named is "/".
  • Copy zone data to ~named/zones.
  • Set perms such that named can read everything and write logs and updates.
  • The daemon will log using UTC time unless you copy timezone information into the jail; exactly what to copy varies by platform. On Solaris, copy the appropriate file from /usr/share/lib/zoneinfo to the same path within the chroot jail, and copy /etc/TIMEZONE to ~named/etc.
  • Finally, modify the named startup script to specify the chroot jail and named user as described earlier.
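The steps above carried out as a script. This is an added example, not part of the original article: it builds the jail layout under a constructed scratch prefix ($WORK) so it can be exercised without root, rewrites the configuration paths so that the jail becomes "/", and runs a pre-start check that every path in the jailed named.conf resolves inside the jail. It assumes a BIND-style named.conf whose paths start with the jail path, zone files named *.db, and that the "named" user has already been created (useradd and chown need root).

```shell
# Added example, not from the original article: build the chroot jail the steps above
# describe. $WORK is a constructed scratch prefix so this runs without root; on the
# real host set WORK="" and run as root. Assumptions: BIND-style named.conf whose
# paths start with the jail path, zone files named *.db, "named" user already created.
set -eu
JAIL_PATH=/var/named                 # later the -t argument to named
WORK="${WORK:-$(mktemp -d)}"         # scratch prefix standing in for "/"
jail="$WORK$JAIL_PATH"
# Constructed sample config standing in for the host's existing named.conf.
write_sample_conf() {
    cat > "$1" <<EOF
options { directory "$JAIL_PATH/zones"; pid-file "$JAIL_PATH/named.pid"; };
logging { channel default_log { file "$JAIL_PATH/logs/named.log"; }; category default { default_log; }; };
zone "example.test" { type master; file "$JAIL_PATH/zones/example.test.db"; };
EOF
}
# Directories, config copy with every "$JAIL_PATH/..." rewritten to "/..." (the jail
# is "/" once chrooted), zone data, permissions: config and zones read-only, logs
# writable. Giving the logs directory to the named user (chown) is left to root.
build_named_jail() {
    src_conf="$1"; src_zones="$2"
    mkdir -p "$jail/etc" "$jail/zones" "$jail/logs"
    sed "s|\"$JAIL_PATH/|\"/|g" "$src_conf" > "$jail/etc/named.conf"
    cp "$src_zones"/*.db "$jail/zones/"
    chmod 755 "$jail" "$jail/etc" "$jail/zones"
    chmod 644 "$jail/etc/named.conf" "$jail/zones"/*.db
    chmod 770 "$jail/logs"
    # Timezone data so logs are not in UTC: /etc/TIMEZONE per the text (Solaris);
    # /etc/localtime for Linux/BSD is an assumption. Copied only if present.
    for tz in /etc/TIMEZONE /etc/localtime; do
        if [ -f "$tz" ]; then cp "$tz" "$jail/etc/"; fi
    done
}
# Pre-start check: each absolute path quoted in the jailed config must sit in a
# directory that exists inside the jail (a missed rewrite fails here); logs writable.
check_named_jail() {
    conf="$jail/etc/named.conf"
    for p in $(tr '"' '\n' < "$conf" | grep '^/'); do
        [ -d "$jail$(dirname "$p")" ] || return 1
    done
    [ -w "$jail/logs" ] || return 1
    echo "start named with: /usr/sbin/named -u named -t $JAIL_PATH"
}
# Demo against constructed input (documentation zone name); writes only under $WORK.
mkdir -p "$WORK/src/zones"
write_sample_conf "$WORK/src/named.conf"
printf '@ IN SOA ns1.example.test. root.example.test. 1 7200 3600 604800 3600\n' > "$WORK/src/zones/example.test.db"
build_named_jail "$WORK/src/named.conf" "$WORK/src/zones"
check_named_jail
```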

Consult the administrator's reference at www.isc.org for additional details.
