Defenses
from DNS-based Reconnaissance
¨Do not include HINFO
or TXT records
¨Restrict zone
transfers to secondary DNS only
–“allow-transfer”
directive or “xfernets” in BIND
¨Configure firewall
or external router to allow access to TCP
port 53 only to secondary DNS servers
–No restriction on UDP
port 53
¨Split-Horizon
DNS