Defenses against DNS-based Reconnaissance
• Do not include HINFO or TXT records
• Restrict zone transfers to secondary DNS only
  – “allow-transfer” directive or “xfernets” in BIND
• Configure firewall or external router to allow access to TCP port 53 only to secondary DNS servers
  – No restriction on UDP port 53
• Split-Horizon DNS
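
Added example (not from the original slides): a BIND 9 named.conf sketch that combines the zone-transfer restriction and the split-horizon bullets above. The addresses, ACL names, zone name and file paths are constructed placeholders.

```conf
// Constructed sample values: replace with your own addresses and zones.
acl "secondaries"   { 192.0.2.53; };            // secondary DNS server(s)
acl "internal-nets" { 10.0.0.0/8; localhost; }; // trusted internal clients

options {
    directory "/var/named";
    // Deny zone transfers unless a zone explicitly permits them.
    // Weak setting to avoid: allow-transfer { any; };
    // (any host could then request a full copy of the zone)
    allow-transfer { none; };
};

// Split-horizon: views are matched in order, so the internal view
// must come before the catch-all external view.
view "internal" {
    match-clients { "internal-nets"; };
    zone "example.com" {
        type master;                        // "primary" in newer BIND 9
        file "internal/example.com.zone";   // full internal host data
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public records only, no HINFO/TXT
        allow-transfer { "secondaries"; };  // transfers to secondaries only
    };
};
```

Running named-checkconf against the file validates the syntax before the server is reloaded.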