LX0-104 · Question #378
Which of the following can be done to secure a BIND server? (Select THREE correct answers)
The correct answer is A. Run the BIND daemon as a nonroot user. B. Configure ACLs. D. Run the BIND daemon in a chroot jail. Securing a BIND server involves reducing its attack surface and limiting its capabilities, such as running it as an unprivileged user within a chroot jail and restricting access with ACLs.
Question
Options
- ARun the BIND daemon as a nonroot user.
- BConfigure ACLs.
- CRequire clients to authenticate with a password before querying the server.
- DRun the BIND daemon in a chroot jail
- EEncrypt DNS traffic using SSL/TLS.
How the community answered
(59 responses)- A95% (56)
- C2% (1)
- E3% (2)
Why each option
Securing a BIND server involves reducing its attack surface and limiting its capabilities, such as running it as an unprivileged user within a chroot jail and restricting access with ACLs.
Running the BIND daemon (named) as a non-root, unprivileged user limits the damage an attacker could inflict if they compromise the DNS server process, preventing them from gaining full system control.
Configuring Access Control Lists (ACLs) within BIND allows administrators to specify which hosts or networks are permitted to query the server, perform zone transfers, or update records, thus restricting unauthorized access.
Standard DNS clients do not authenticate with passwords for querying a server; while DNSSEC provides data origin authentication and integrity, general client queries are not password-authenticated.
Running the BIND daemon in a chroot jail confines the process to a specific directory tree, preventing it from accessing or modifying files outside that designated environment even if it is compromised, significantly limiting the scope of a potential breach.
While DNS over TLS (DoT) or DNS over HTTPS (DoH) can encrypt DNS traffic, this secures the transport rather than the BIND server's internal hardening against compromise or unauthorized access, and is not a typical configuration option for BIND security itself.
Concept tested: BIND server security best practices (privilege, access, containment)
Source: https://www.isc.org/docs/BIND_AdminRef_2_2.pdf
Topics
Community Discussion
No community discussion yet for this question.