BIND9

Make sure the Bind is running with non-root account

ps aux | grep bind | grep -v '^root'

Set Proper Permissions and Ownership

chown -R root:bind /etc/bind
chown root:bind /etc/bind/named.conf*
chmod 640 /etc/bind/named.conf*

Change / Remote Version Banner

Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:

Add the line below to replace DNS version banner:

version "Secured DNS server";

In order to test, run the command below:

dig +short @localhost version.bind chaos txt

Set Query & zone transfer Restrictions

Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:

Add the line below to restrict recursive queries to trusted clients:

allow-recursion { localhost; 192.168.0.0/24; };

Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.

In-order to test, run the command below:

nslookup www.google.com

Add the line below to restrict query origins to trusted clients:

allow-query { localhost; 192.168.0.0/24; };

Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.

Add the line below to Nameserver ID:

server-id none;

Add the line below to restrict which hosts can perform zone transfers:

allow-transfer { 192.168.1.1; };

Replace 192.168.1.1 with the trusted DNS server.

Add the line below to restrict the DNS server to listen to specific interfaces:

listen-on port 53 { 127.0.0.1; 192.168.1.1; };

Replace 192.168.1.1 with the IP address of the DNS server.

Restart the DNS daemon:

service bind9 restart

Setup DNSSEC