Maintaining a backup DNS server is an example of prudent planning, even if you don’t run a major website. With backup DNS, you can ensure the timely delivery of your e-mail if your server should ever go down, or if you use an external e-mail service such as Google Apps. It will also give your visitors an entirely different error message when your site is down: a connection failure message as opposed to your site not being found.

Backup DNS servers are quite easy to set up. You can use one of the many backup services on the Internet, or you can arrange your own backup servers, configuring the zone files appropriately. But one of the most important adjustments is often overlooked: editing named.conf, the configuration file that controls your nameserver, which is in turn the heart of your server.

It is important to pay attention to this adjustment, because if your named.conf file is not configured correctly, you could be exposing your zone files to prying eyes. These zone files contain every DNS record for your domain, and in the wrong hands, combined with access to your registrar, could cause severe security issues.

Locate your named.conf file (/etc/named.conf), and open your favourite text editor. Look for these lines, which should be at the top of the file, in the options stanza.

allow-transfer { XXX.XXX.XXX.XXX; };
allow-recursion { localnets; };

What you’ll be doing is allowing a zone file transfer, and the space between the braces holds the IP address of the server that will be holding your backup DNS files. If you’ll have multiple backup servers, list each IP address followed by a semicolon.

Conversely, you can use this feature to lock down your server, preventing any server from transferring your zone files, if you don’t expect to have a backup DNS service. In that event, simply place the keyword none between the braces, as shown below:

allow-transfer { none; };

The value of a backup DNS server is great, but the value of a secure server is even greater. By limiting the IP addresses that can request your zone files, you help secure your server. It’s imperative to set this value to either none or the addresses of your backup servers, because the default is to allow all servers to transfer your zone files, and from a security standpoint, that is not a wise choice at all.
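As an added example that is not part of the original post, here is a small Python check that reads the options stanza of a named.conf and reports whether allow-transfer is open (absent or any), closed (none), or restricted to an explicit address list. The two configuration fragments and the 192.0.2.x / 198.51.100.x addresses are constructed for the demonstration; the rule that a missing allow-transfer counts as open follows the default described above.

```python
import re

# Constructed named.conf fragments (not from any real server).
WEAK_CONF = """
options {
    allow-transfer { any; };       // every host may pull the zone
    allow-recursion { localnets; };
};
"""

FIXED_CONF = """
options {
    allow-transfer { 192.0.2.53; 198.51.100.53; };  // backup servers only
    allow-recursion { localnets; };
};
"""

ALLOW_TRANSFER = re.compile(r'allow-transfer\s*\{([^}]*)\}\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def options_block(text):
    """Return the body of the top-level options { ... } stanza, or '' if absent."""
    text = strip_comments(text)
    start = text.find('options')
    if start < 0 or '{' not in text[start:]:
        return ''
    depth, i = 0, text.index('{', start)
    for j in range(i, len(text)):          # walk to the matching closing brace
        depth += {'{': 1, '}': -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    return ''


def transfer_acl(text):
    """Entries of the options-level allow-transfer list, or None if not set."""
    m = ALLOW_TRANSFER.search(options_block(text))
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def audit_allow_transfer(text):
    """'open' (absent or any), 'closed' (none) or 'restricted' (explicit list)."""
    acl = transfer_acl(text)
    if acl is None or 'any' in acl:
        return 'open'          # assumption: absent means the default, which allows all
    if acl == ['none']:
        return 'closed'
    return 'restricted'
```

Note that an allow-transfer inside a zone stanza overrides the options-level value, so repeat the check per zone when you use zone-level overrides.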