Securing BIND


BIND is an acronym for the Berkeley Internet Name Domain. It is an implementation of the Domain Name System (DNS). If you don't have BIND 8.1.2 or later, upgrade now. Earlier releases of the 8.x series, and 4.x releases before 4.9.7, have a serious security problem: a remotely exploitable buffer overflow in named (CERT advisory CA-98.05).

Zone Transfers

BIND 8 gives the system administrator much more control than 4.x did. One valuable new feature is the ability to restrict zone transfers (AXFR). Many attack scripts begin with a zone transfer, which hands the attacker a complete list of your hosts before the probing even starts. While host information can be learned through other means (reverse lookups, guessing names), restricting the zone transfer is another ounce of prevention.

Add an allow-transfer stanza to the options section of /etc/named.conf. allow-transfer takes a list of IP addresses (an address match list, so network prefixes are also accepted) as its parameter. The same stanza can also be placed inside an individual zone statement, where it overrides the global setting for that zone. This is what it may look like:

options {
        directory "/usr/local/named";   // directory for zone files

        allow-transfer {
                ;              // localhost
                ;               // secondary DNS server for my zone
        };
};

This example allows zone transfers from localhost and from the secondary server listed; all other requests are denied. If no host should be doing a zone transfer at all, use the predefined value none in place of the address list.

Logging
Log files for named, like any other service, are useful in determining if BIND is operating properly. I find the logs become more meaningful when you turn off the cname and lame-server warnings, which are almost always about other people's zones rather than yours: cname logs CNAME-related complaints (such as a name that has both a CNAME and other data), and lame-servers logs servers that are delegated a zone but don't answer authoritatively for it. Both categories can be sent to the predefined null channel in the logging section of /etc/named.conf.

logging {
        category lame-servers { null; };
        category cname { null; };
};

It's good habit to tail the log file after sending named a HUP signal (which makes BIND 8 re-read named.conf and reload its zones), so you see right away whether the new configuration was accepted or a syntax error made named fall back to the old one.
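Putting the two sections together, here is a fuller /etc/named.conf for BIND 8 as an added example; it is not the configuration from the original article. It denies transfers globally and opens them per zone for one secondary. The zone name example.com, the zone file name and the 192.0.2.x addresses (from the documentation address range) are placeholders of mine; replace the secondary's address with your real one.

```conf
// Added example named.conf for BIND 8 (not from the original article).
// 192.0.2.x are documentation addresses standing in for real ones.

options {
        directory "/usr/local/named";   // directory for zone files

        // Default for every zone: nobody may transfer it.
        // A per-zone allow-transfer below overrides this.
        allow-transfer { none; };
};

logging {
        // Discard the two noisy categories; everything else keeps its default channel.
        category lame-servers { null; };
        category cname { null; };
};

zone "example.com" {
        type master;
        file "example.com.zone";

        // Only these hosts may pull this zone; all others get "Query refused".
        allow-transfer {
                127.0.0.1;      // localhost
                192.0.2.53;     // secondary DNS server for this zone (placeholder)
        };
};
```

Because the global setting is none, adding a new zone without its own allow-transfer leaves it closed rather than open, which is the safer failure mode when zones are added in a hurry.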

Testing The Changes

You can initiate a zone transfer with nslookup's ls command, which asks the current server for an AXFR of the zone. It takes a domain as an argument. Run it from a host that is not on the allow-transfer list; the listing should be refused:

foreign_host$ nslookup
Default Server:  localhost

> ls x.y.z
*** Can't list domain x.y.z: Query refused
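For checking more than one server, or re-checking after every change, it is handier to script the test with dig (which ships with BIND) than to drive nslookup by hand. The script below is an added example and is not from the original article. It runs `dig @server zone axfr` and classifies the result as allowed, refused or error. It assumes the wording of current dig output (records appear as non-comment lines; a denied transfer is reported as "Transfer failed"); the sample outputs embedded in the script are constructed to look like dig's so the classifier can be exercised offline, and the names and 192.0.2.x addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a name server
# still answers AXFR requests after allow-transfer has been configured.
# It uses dig instead of nslookup's ls command and parses dig's output so the
# check can be scripted across many servers.
#
# Assumption: dig prints zone records as non-comment lines and reports a
# denied transfer with the text "Transfer failed" (BIND 9's dig) or a line
# containing "refused".

# classify_axfr: read `dig ... axfr` output on stdin and print one of
#   "allowed N"  - the server handed over N resource records (bad)
#   "refused"    - the transfer was denied (the configuration works)
#   "error"      - no usable answer at all (timeout, wrong address, ...)
classify_axfr() {
    out=$(cat)
    # Resource records are the non-blank lines that do not start with ';'.
    n=$(printf '%s\n' "$out" | grep -v '^;' | grep -c '[^[:space:]]' || true)
    if [ "$n" -gt 0 ]; then
        echo "allowed $n"
    elif printf '%s\n' "$out" | grep -Eqi 'transfer failed|refused'; then
        echo "refused"
    else
        echo "error"
    fi
}

# check_axfr SERVER ZONE: attempt the transfer against a live server.
check_axfr() {
    dig @"$1" "$2" axfr +time=5 +tries=1 2>&1 | classify_axfr
}

# Constructed sample outputs, written to look like dig's, so the classifier
# can be tested offline. Names and 192.0.2.x addresses are placeholders.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
example.test.       3600  IN  SOA  ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test.       3600  IN  NS   ns1.example.test.
www.example.test.   3600  IN  A    192.0.2.10
example.test.       3600  IN  SOA  ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
;; Query time: 3 msec
;; SERVER: 192.0.2.1#53(ns1.example.test) (TCP)
;; XFR size: 4 records (messages 1, bytes 180)'

SAMPLE_UNREACHABLE=';; connection timed out; no servers could be reached'

# Usage: sh check_axfr.sh SERVER ZONE
#        e.g. sh check_axfr.sh ns1.example.test example.test
if [ "$#" -eq 2 ]; then
    check_axfr "$1" "$2"
fi
```

Run it once from a host on the allow-transfer list (expect "allowed N", with N the number of records in the zone) and once from a host that is not (expect "refused"); "error" means the server was not reached at all, so it says nothing about the transfer policy.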

More info

More information can be found at the BIND homepage.

Written by Brian Murphy
Last updated: 12.31.98