Simple DNS Plus v. 4.00
Options dialog - DNS - Security

·DNS security  

·Prevent DNS spoofing (a.k.a. "cache poisoning")  
DNS spoofing is a term used for malicious cache poisoning where forged data is placed in a DNS server's cache.  
Spoofing attacks can cause serious security problems, for example causing users to be directed to wrong web sites or e-mail being routed to non-authorized mail servers.  
When this option is checked, all records in received DNS answers are checked for authority, and records for which the answering DNS server does not have authority are ignored.  
Unfortunately, because these (potentially dangerous) records are ignored, additional queries are often necessary to obtain the same records from confirmed sources, and so it can take longer to answer a request.  
This option should always be enabled on Internet DNS servers, but in closed environments such as Intranets, security may not be a concern and performance can be increased by disabling it.  
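As an added illustration (not Simple DNS Plus code) of the authority check described above, the following Python example keeps only records whose owner name lies inside the zone the answering server was queried for, and discards the rest. It assumes the resolver knows that zone from the delegation it followed; the record names and addresses are constructed sample data.

```python
# Added example: drop out-of-authority ("out-of-bailiwick") records from a DNS
# answer before they can enter the cache. Not Simple DNS Plus code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "NS", "CNAME", ...
    data: str

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it.
    Comparison is label-wise, so "notexample.com" is NOT under "example.com"
    even though the plain string ends with "example.com"."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def filter_answer(records, zone):
    """Return (kept, dropped): records under `zone` are kept, the rest are
    discarded. `zone` is the zone the answering server is trusted for."""
    kept, dropped = [], []
    for r in records:
        (kept if in_bailiwick(r.name, zone) else dropped).append(r)
    return kept, dropped

# Constructed answer from a server that is authoritative for example.com.
# The last two records are the kind a poisoning attempt would slip in.
SAMPLE_ANSWER = [
    Record("www.example.com.", "A", "192.0.2.10"),
    Record("example.com.", "NS", "ns1.example.com."),
    Record("ns1.example.com.", "A", "192.0.2.53"),      # in-zone glue, kept
    Record("mail.victim.example.", "A", "203.0.113.5"),  # foreign name, dropped
    Record("notexample.com.", "A", "203.0.113.6"),       # label trick, dropped
]

if __name__ == "__main__":
    kept, dropped = filter_answer(SAMPLE_ANSWER, "example.com.")
    for r in dropped:
        print("ignored out-of-authority record:", r.name, r.rtype, r.data)
```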
 
·Ignore UDP packets originating from port zero  
Port scanner software is known to send network packets originating from port zero. A normal DNS client or server would never do this, so such a packet is a strong indication that a hacker is at work.  
You may need to disable this option if for example you are running some type of monitoring software that also sends requests from port zero.  
 
·Detect and close Telnet connections  
Hackers sometimes use a telnet client to connect to open server TCP ports, to see if they can get some type of response or perhaps crash the server by sending it junk data. With this option enabled, Simple DNS Plus will detect most of these connections, close them down, and log the events.  
 
·Respond to BIND version requests  
Since many Internet DNS servers are running some version of BIND (mainly on Unix DNS servers), hackers often initiate an attack by sending a special request for the BIND software version number.  
They can then compare the response with a list of known vulnerabilities for that particular version of the BIND software and launch the actual attack.  
With this option enabled, Simple DNS Plus will respond to such BIND version requests with a text string of your choice.  
When this option is not enabled, Simple DNS Plus will respond to BIND version requests with a "not implemented" error message.  
A warning is always logged for BIND version requests.  
On Windows NT/2000/XP/2003, you can test by entering the following at a command prompt:  
NSLOOKUP  -class=CHAOS  -type=TXT  version.bind  <dns-server-ip-address>  
 
·Maximum simultaneous inbound TCP connections  
A hacker may try to open a lot of TCP connections to exhaust server resources.  
Use this option to limit the total number of simultaneous inbound TCP connections Simple DNS Plus will accept. When this number of connections has been reached, additional connection attempts are logged and then rejected.  
 
·Maximum recursive DNS requests to resolve simultaneously  
Specifies the maximum number of recursive requests to resolve at the same time.  
 
·Automatic SPF records  
 
·Synthesize missing SPF records for local domains  
Using this option you can provide SPF records for all domain names on your server without having to set up and maintain SPF records separately for every single domain name.  
If you need to provide unique SPF records for certain domain names, you can still set up individual SPF records for those names. This function only kicks in when there are no SPF records defined for a domain name already.  
 
IMPORTANT: When enabling this option, SPF records are synthesized for records in ALL local zones including secondary zones.  
These synthesized records are provided in responses to standard DNS lookups for TXT-records only - they are NOT provided in zone transfers to secondary DNS servers. Therefore you must make sure to configure this option the same way on any secondary DNS servers for your domain names.  
 
Please note that this function is automatically disabled for requests for any domain name containing the underscore (_) character to avoid collision problems with special purpose names such as "_domainkey".  
 
SPF is a spam fighting method which uses DNS TXT-records to define which hosts are permitted to send e-mail for a domain. This works by defining a DNS TXT-record for the e-mail domain name containing codes specifying which hosts (e-mail servers) are permitted to send e-mail for the domain name. Other e-mail servers can look up this record when receiving an e-mail from an e-mail address with this domain name to verify that the sending e-mail server is connecting from a permitted IP address. For details on SPF, please see http://spf.pobox.com  
 
 
See also How to secure your server



© 1999-2005 JH Software - All rights reserved