
DNS security

The security features included with DNSBOX100 are extremely comprehensive.

The system itself runs in a sandboxed environment. named runs chrooted inside a RAM disk that is mounted read-only, so a compromised named process cannot make persistent changes to it, and if the RAM disk were ever altered, a reboot rebuilds it from scratch. In addition, all operating system partitions are mounted read-only at all times, except while being patched. Note that read-only mounts protect what is on disk, not what a compromised process does while it is still running, so a reboot is also the recovery step after a suspected compromise.

When DNSBOX100 (slave) is deployed alongside DNSBOX300 (master), further DNS security benefits are available. A VPN tunnel can easily be configured between the units so that all traffic passing between them is encrypted. This is ideal where the slave units are exposed to the outside world: the master can be kept inside your secure network with only the IPsec tunnel connecting them. This complements TSIG and DNSSEC by also encrypting the NOTIFY and zone transfer traffic, and it ensures that only an authenticated master reachable over the tunnel can update the slaves.

When working with third-party DNS solutions, we offer TSIG support to authenticate NOTIFY messages and zone transfers to the slave. This ensures that updates to the slave's zones come from a trusted master holding the shared key.
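As an added illustration of what TSIG validation actually checks, the following Python (example code written for this page, not DNSBOX firmware or BIND source) signs a DNS NOTIFY with a TSIG record using HMAC-SHA256 as specified in RFC 8945, then verifies it the way a slave would: the key name must be known, the HMAC over the message and the TSIG variables must match, and the signing time must fall within the fudge window. The key name dnsbox-xfer., the secret, the zone example.com. and the timestamps are constructed for the example; a real deployment would share a key generated with tsig-keygen between master and slave.

```python
"""TSIG (RFC 8945) signing and verification of a DNS NOTIFY with HMAC-SHA256.
Example code written for this page; key name, secret, zone and timestamps are
constructed, not taken from any real deployment."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250             # RR type TSIG
CLASS_ANY = 255             # TSIG RRs always use class ANY and TTL 0
ALGORITHM = "hmac-sha256."  # algorithm name as carried in the TSIG RDATA

def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG digests use canonical form)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while buf[off]:
        ln = buf[off]
        if ln & 0xC0:
            raise ValueError("compressed names are not expected here")
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", off + 1

def build_notify(msg_id, zone):
    """Minimal NOTIFY (opcode 4, AA set) with one SOA question and no other RRs."""
    header = struct.pack("!HHHHHH", msg_id, 0x2400, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # QTYPE SOA, QCLASS IN

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables digested together with the message (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request (no prior MAC is digested for a request)."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id, arcount = struct.unpack("!H8xH", message[:12])     # header ID and ARCOUNT
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))              # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr

def verify(signed, keyring, now):
    """Verify a TSIG-signed request as a slave would (keyring: key name -> secret).
    Checks run in RFC order, key then MAC then time, and return (ok, rcode name)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "FORMERR (no TSIG)"
    off = 12
    for _ in range(qd):
        off = decode_name(signed, off)[1] + 4                  # QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar - 1):                          # every RR except the final TSIG
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != TSIG_TYPE:
        return False, "FORMERR (last RR is not TSIG)"
    alg, off = decode_name(signed, off + 10)                   # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keyring.get(key_name.lower())
    if secret is None or alg.lower() != ALGORITHM:
        return False, "BADKEY"
    # Rebuild what the signer digested: original ID, ARCOUNT less one, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

def demo():
    """Sign one NOTIFY and show which manipulations the slave rejects, and why."""
    key_name = "dnsbox-xfer."                                   # constructed key name
    secret = hashlib.sha256(b"constructed example secret").digest()  # 32 constructed bytes
    now = 1_700_000_000                                         # fixed clock, repeatable demo
    signed = sign(build_notify(0x1234, "example.com."), key_name, secret, time_signed=now)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01                                        # flip one bit in the question name
    return {
        "valid": verify(signed, {key_name: secret}, now),
        "tampered": verify(bytes(tampered), {key_name: secret}, now),
        "wrong_secret": verify(signed, {key_name: b"some other secret"}, now),
        "unknown_key": verify(signed, {"other-key.": secret}, now),
        "stale": verify(signed, {key_name: secret}, now + 3600),
    }
```

The demo returns NOERROR for the untouched message and BADSIG, BADSIG, BADKEY and BADTIME for the tampered, wrong-secret, unknown-key and hour-old cases respectively. Two points carry over to real deployments: the same secret must be configured under the same key name on both master and slave (in BIND, a key statement referenced from allow-transfer or allow-notify), and master and slave clocks must agree to within the fudge (300 seconds by default), so NTP on both ends is part of making TSIG work.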

Running a recursive resolver raises its own security concerns, chiefly cache poisoning, where an attacker injects forged answers into the resolver's cache. To limit exposure, the recursive resolver on DNSBOX100 can be configured to answer recursive queries only from specified subnets, so outsiders cannot use the box as an open resolver, which removes the easiest route for poisoning attempts and for reflection abuse. You can also configure DNSBOX100 to resolve all queries itself or to forward them to a parent resolver.

DNS Security diagram
