15.4 Best Practices

  • It is preferable to run the DNS server installation process with the YaST tool. For details on the DNS server installation process, see Section 11.0, Installing and Configuring DNS.

  • During the DNS server installation, ensure that the Use secure channel for configuration option is selected. This ensures that the authentication exchanged during configuration is protected rather than sent in the clear.

  • To load novell-named with the -t (chroot) option, make sure that the following directories exist under the chroot directory and are accessible (readable and writable as required) by the user specified with the -u option:

    • The configuration file directory - /etc/opt/novell/named

    • The log file directory - /var/opt/novell/log/named

    • The pid directory - /var/opt/novell/run/named

  • By default, novell-named is loaded as the existing non-root user named. Always load novell-named with the -u <non-root user> option rather than running it as root.

  • It is recommended to load named with a log level appropriate for your needs. For more details, see Section 13.3, novell-named Command Line Options.

  • You should configure AppArmor profiles for novell-named according to your needs. The default profile is stored at /etc/apparmor.d/opt.novell.named.bin.novell-named and includes only a minimal configuration.

    After making changes to the profile, reload AppArmor with the rcapparmor command so that the new profile takes effect.

  • Zone security factors: BIND provides several options for securing DNS, including IP address-based access control and key-based access control (recommended). The allow-query option restricts queries to a particular set of hosts or keys.

    • For non-authoritative zones (zones the server does not serve itself, so the responses are cached), restrict query access at the server level (using allow-query in the options section) to your own network.

    • For authoritative zones (zones served by the server), access can be restricted either to your local network or to any other network.

    NOTE: Restrict DNS zone transfers (the allow-transfer option) to only the servers that absolutely need them.
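
    The zone security settings described above, shown as a named.conf fragment. This is an added illustration, not configuration taken from the OES documentation or shipped with novell-named; the ACL name, key name, network addresses, secondary server address and zone name are assumed, and the key secret is a placeholder.

```conf
// Added example, not part of the OES documentation.
// ACL, key, addresses and zone name are assumed values.

// Hosts allowed to use this server for recursive (cached) lookups.
acl "internal-net" {
    127.0.0.1;
    192.168.10.0/24;          // assumed local network
};

// TSIG key shared with the secondary server. Generate a real secret
// with tsig-keygen; the value below is only a placeholder.
key "secondary-xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-TSIG-KEYGEN-OUTPUT";
};

// Require the key on all traffic exchanged with the secondary.
server 192.168.10.53 {                      // assumed secondary address
    keys { "secondary-xfer-key"; };
};

options {
    // Server-level defaults: non-authoritative (cached) answers and
    // recursion only for the local network, and no transfers at all
    // unless a zone statement explicitly overrides this.
    allow-query     { "internal-net"; };
    recursion yes;
    allow-recursion { "internal-net"; };
    allow-transfer  { none; };
};

// Authoritative zone: anyone may query it, but only a requester that
// signs with the shared key may transfer it.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-query    { any; };
    allow-transfer { key "secondary-xfer-key"; };
    notify yes;
    also-notify { 192.168.10.53; };
};
```

    Because the zone statement overrides the options-level allow-query, queries for names this server does not serve are answered only for the local network, while queries for example.com are answered for everyone; run named-checkconf against the file before loading it.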