Securing the BIND DNS server

Two articles have been written; the focus of updates is on the v9 paper:

  1. Hardening BIND v8: bind_hardening8.html
  2. Running BIND v9 DNS Server securely: bind9_20010430.html

The BIND v9 paper walks through compiling, installing and configuring a chroot'ed BIND v9 on Solaris 2.6 and 8. It also presents examples of advanced topics such as TSIGs and dynamic updates. It is specific to version 9 but aims to help existing BIND 8 administrators realize what is involved in migrating to v9.

Although originally written in 2001, the information may still be relevant to you. I no longer have productive Solaris servers - everything is on Linux these days.

Update 2012:

  • If installing BIND from scratch now, I'd suggest using firewalled Debian or Ubuntu LTS as the base OS with the standard packages and regular updates.
  • I've used several products in the years since the articles above were written: products like PowerDNS with its DB backends for more complex sites and dnsmasq for smallish organisations.
  • More recent reading: Wikipedia, The Measurement Factory; the O'Reilly book has been updated for IPv6 too.