Domain Name System (DNS) provides security options to limit outside access to your server.
Securing your DNS server is essential. In addition to the security considerations in this topic, DNS security and iSeries™ security are covered in a variety of sources including iSeries and the Internet in the information center. The book DNS and BIND also covers security related to DNS.
DNS uses address match lists to allow or deny outside entities access to certain DNS functions. These lists can include specific IP addresses, a subnet (using an IP prefix), or using Transaction Signature (TSIG) keys. You can define a list of entities to which you want to allow or deny access in an address match list. If you want to be able to reuse an address match list, you can save the list as an access control list (ACL). Then whenever you need to provide the list, you can call the ACL and the entire list will be loaded.
The first element in an address match list that a given address matches is used. For example, to allow all addresses on the 10.1.1.x network except 10.1.1.5, the match list elements must be in the order (!10.1.1.5; 10.1.1/24). In this case, the address 10.1.1.5 will be compared to the first element and will immediately be denied.
If the elements are reversed (10.1.1/24; !10.1.1.5), the IP address 10.1.1.5 will be allowed access because the server will compare it to the first element, which matches, and allow it without checking the rest of the rules.
DNS allows you to set limitations such as who can send dynamic updates to the server, query data, and request zone transfers. You can use ACLs to restrict access to the server for the following options: