ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakk_5.4.0.1/rzakkplanningsecurity.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Plan security measures" />
<meta name="abstract" content="Domain Name System (DNS) provides security options to limit outside access to your server." />
<meta name="description" content="Domain Name System (DNS) provides security options to limit outside access to your server." />
<meta name="DC.Relation" scheme="URI" content="rzakkplanning.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakkconceptbind.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaj4/rzaj4secoverview.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakkplanningsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan security measures</title>
</head>
<body id="rzakkplanningsecurity"><a name="rzakkplanningsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan security measures</h1>
<div><p>Domain Name System (DNS) provides security options to limit outside
access to your server.</p>
<div class="section"><p>Securing your DNS server is essential. In addition to the security
considerations in this topic, DNS security and iSeries™ security are covered in a variety
of sources including iSeries and the Internet in the information center.
The book DNS and BIND also covers security related to DNS.</p>
</div>
<div class="section"><h4 class="sectiontitle">Address match lists</h4><p>DNS uses address match lists
to allow or deny outside entities access to certain DNS functions. These lists
can include specific IP addresses, a subnet (using an IP prefix), or using
Transaction Signature (TSIG) keys. You can define a list of entities to which
you want to allow or deny access in an address match list. If you want to
be able to reuse an address match list, you can save the list as an access
control list (ACL). Then whenever you need to provide the list, you can call
the ACL and the entire list will be loaded.</p>
</div>
<div class="section"><h4 class="sectiontitle">Address match list element order</h4><p>The first element
in an address match list that a given address matches is used. For example,
to allow all addresses on the 10.1.1.x network except 10.1.1.5, the match
list elements must be in the order (!10.1.1.5; 10.1.1/24). In this case, the
address 10.1.1.5 will be compared to the first element and will immediately
be denied.</p>
<p>If the elements are reversed (10.1.1/24; !10.1.1.5), the
IP address 10.1.1.5 will be allowed access because the server will compare
it to the first element, which matches, and allow it without checking the
rest of the rules.</p>
</div>
<div class="section"><h4 class="sectiontitle">Access control options</h4><p>DNS allows you to set limitations
such as who can send dynamic updates to the server, query data, and request
zone transfers. You can use ACLs to restrict access to the server for the
following options:</p>
<dl><dt class="dlterm">allow-update</dt>
<dd>In order for your DNS server to accept dynamic updates from any outside
sources, you must enable the allow-update option.</dd>
<dt class="dlterm">allow-query</dt>
<dd>Specifies which hosts are allowed to query this server. If not specified,
the default is to allow queries from all hosts.</dd>
<dt class="dlterm">allow-transfer</dt>
<dd>Specifies which hosts are allowed to receive zone transfers from the server.
If not specified, the default is to allow transfers from all hosts.</dd>
<dt class="dlterm">allow-recursion</dt>
<dd>Specifies which hosts are allowed to make recursive queries through this
server. If not specified, the default is to allow recursive queries from all
hosts.</dd>
<dt class="dlterm">blackhole</dt>
<dd>Specifies a list of addresses that the server does not accept queries
from or use to resolve a query. Queries from these addresses will not be responded
to.</dd>
</dl>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakkplanning.htm" title="Domain Name System (DNS) offers a variety of solutions. Before you configure DNS, it is important to plan how it works within your network. Subjects, such as network structure, performance, and security, should be assessed before you implement DNS.">Plan for Domain Name System</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="../rzaj4/rzaj4secoverview.htm">iSeries and the Internet security</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzakkconceptbind.htm" title="Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.">BIND 8 features</a></div>
</div>
</div>
</body>
</html>