DNS software is a popular target for attackers, and a misconfigured DNS server is a frequent source of security problems. This article introduces 10 of the most effective ways to secure DNS servers.
⑴ Use DNS forwarders
A DNS forwarder is a DNS server to which other DNS servers hand off the queries they cannot answer from their own zones. The main purpose of using a forwarder is to reduce the load on the DNS server: queries the server cannot answer itself are forwarded to the forwarder, which takes advantage of the forwarder’s potentially much larger DNS cache.
Another benefit of using a DNS forwarder is that it keeps your DNS server from sending queries directly to DNS servers on the Internet. This is important if your DNS server holds the resource records for your internal domain. Instead of having the internal DNS server perform recursion and communicate directly with Internet DNS servers, let the forwarder handle the queries for domains the internal server is not authoritative for.
⑵ Use caching-only DNS servers
A caching-only DNS server is not authoritative for any domain. It resolves queries either by performing recursion itself or through a forwarder. When the caching-only server receives a response, it caches the result and then returns it to the system that issued the query. Over time a caching-only server accumulates a large number of DNS responses in its cache, which can drastically reduce the time it takes to answer queries.
Using caching-only DNS servers under your own administrative control as forwarders can improve your organization’s security. The internal DNS server uses the caching-only server as its forwarder, and the caching-only server performs the recursive queries on behalf of the internal DNS server. Running your own caching-only server as the forwarder improves security because you no longer have to trust your ISP’s DNS server as a forwarder, which matters especially when you cannot verify how securely your ISP’s DNS servers are configured.
⑶ Use DNS advertisers
A DNS advertiser is a DNS server that answers queries only for the domains it is authoritative for. For example, if you host publicly available resources for domain.com and corp.com, your public DNS server should be configured with the DNS zone files for domain.com and corp.com.
What sets a DNS advertiser apart from any other DNS server that hosts zone files is that the advertiser answers queries only for its authoritative domains. It does not perform recursion to other DNS servers on behalf of clients. This prevents outsiders from using your public DNS server to resolve other domains, and it improves security by reducing the risks associated with running a public DNS resolver, including cache poisoning.
⑷ Use DNS resolvers
A DNS resolver is a DNS server that performs recursive queries to resolve names it is not authoritative for. For example, you might have a DNS server on your internal network that is authoritative for the internal domain internalcorp.com. When clients on the network use this DNS server to resolve TechRepublic.com, the server performs recursion by querying other DNS servers for the answer.
The difference between that DNS server and a dedicated DNS resolver is that the resolver does nothing but resolve Internet hostnames. The DNS resolver can be a caching-only DNS server that is not authoritative for any domain. You can make the DNS resolver available only to internal users, or only to external users, so you don’t have to depend on an external DNS server you cannot control, which improves security. Of course, you can also let both internal and external users use the resolver.
⑸ Protect DNS against cache pollution
DNS cache pollution (cache poisoning) has become an increasingly common problem. Most DNS servers cache the results of DNS queries before returning the response to the querying host. DNS caching can significantly improve the performance of DNS queries in your organization. The problem is that if your DNS server’s cache is “polluted” with bogus DNS information, users can be directed to a malicious website instead of the website they intended to visit.
Most DNS servers can be configured to prevent cache pollution. The default settings of the Windows Server 2003 DNS server already do so. If you are using a Windows 2000 DNS server, open the DNS server’s Properties dialog box, click the Advanced tab, select the Secure cache against pollution option, and then restart the DNS server.
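The rule behind that option is the bailiwick check: a resolver that has asked the name servers of one zone only caches records whose owner name lies at or below that zone, and discards anything else a response tries to slip in. The following Python is an added example, not code from the original article or from any DNS server implementation; the record tuples and zone names are constructed for the example, and the comparison is done label by label so that look-alike names cannot pass as in-bailiwick.

```python
"""Bailiwick filtering, the rule behind "secure cache against pollution".

Added example (not code from the original article). When a resolver queries the
name servers for a zone, it must only cache records whose owner name lies at or
below that zone. Records for unrelated names that an attacker slips into a
response (e.g. an A record for www.bank.test while answering a question about
www.example.com) are "out of bailiwick" and are discarded.
Records are simplified (owner, type, rdata) tuples constructed for this example;
the zone and host names are assumptions, not taken from the article.
"""


def labels(name):
    """Lowercase labels of a DNS name, root side first. '' and '.' give []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label][::-1]


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it.

    The comparison is label by label, so 'evilcom.' is NOT inside 'com.' even
    though it ends with the string 'com.' (a naive suffix test gets that wrong).
    An empty zone (the root) contains every name.
    """
    o, z = labels(owner), labels(zone)
    return o[:len(z)] == z


def filter_response(responding_zone, records):
    """Split a response into records safe to cache and records to drop."""
    kept, dropped = [], []
    for record in records:
        owner = record[0]
        (kept if in_bailiwick(owner, responding_zone) else dropped).append(record)
    return kept, dropped


# Constructed response from a server authoritative for com., answering a
# question about www.example.com. Two of the records are poison attempts.
SAMPLE_RESPONSE = [
    ("example.com.", "NS", "ns1.example.com."),   # delegation, in bailiwick
    ("ns1.example.com.", "A", "192.0.2.53"),      # glue for the NS, in bailiwick
    ("www.bank.test.", "A", "203.0.113.66"),      # unrelated zone: drop
    ("evilcom.", "A", "203.0.113.67"),            # string suffix trick: drop
    ("EXAMPLE.COM.", "A", "192.0.2.80"),          # case differs, still in bailiwick
]


def demo():
    """Run the filter over the constructed response; returns (kept, dropped)."""
    return filter_response("com.", SAMPLE_RESPONSE)


if __name__ == "__main__":
    kept, dropped = demo()
    print("cached: ", [r[0] for r in kept])
    print("dropped:", [r[0] for r in dropped])
```

Run as a script it lists which of the five constructed records a pollution-resistant cache would keep. The same check is what lets a resolver accept glue for ns1.example.com from the com. servers while refusing an address for a bank’s hostname from those same servers.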
⑹ Allow DDNS updates only over secure connections
Many DNS servers accept dynamic updates. The dynamic update feature allows hosts that receive their addresses via DHCP to register their hostname and IP address with the DNS server. DDNS can significantly reduce the administrative burden on DNS administrators who would otherwise have to create the resource records for these hosts by hand.
However, unauthenticated DDNS updates can cause serious security problems. A malicious user can register their own host as the dynamically updated DNS record for a file server, web server or database server, and anyone attempting to connect to those servers will be redirected to the attacker’s machine.
You can reduce the risk of malicious DNS updates by requiring secure connections to the DNS server for dynamic updates. This is easy to do by configuring your DNS server to use Active Directory-integrated zones and to accept only secure dynamic updates. All members of the domain can then update their DNS information dynamically and securely, while unauthenticated clients cannot.
⑺ Disable zone transfers
Zone transfers take place between a master (primary) DNS server and its slave (secondary) DNS servers. The master DNS server is authoritative for specific domains and holds a writable zone file that can be updated as needed. The slave DNS servers obtain read-only copies of these zone files from the primary DNS server. Secondary DNS servers are used to improve response times for DNS queries from internal or Internet sources.
Zone transfers are not only for slave DNS servers, though. Anyone who can send a DNS query to a server that permits zone transfers can request a transfer and download the server’s entire zone database. Malicious users can use this information to learn your organization’s naming scheme and target critical service infrastructure. You can prevent this by configuring your DNS server to refuse zone transfer requests, or to allow zone transfers only to specific servers in your organization.
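Two of the settings above, an advertiser that does not recurse (points ⑶ and ⑷) and a server that refuses zone transfers (point ⑺), can be verified from the outside by looking at nothing more than the DNS response header. The Python below is an added example, not code from the original article or from any DNS product: it builds queries in DNS wire format, reads the RA flag, RCODE and answer count from the response, and turns them into a verdict. The sample responses at the bottom are constructed byte strings, not captures from any real server, and the `probe()` function, which sends a real query over TCP, is only for servers you are authorised to test.

```python
"""DNS hardening audit: open-recursion and zone-transfer checks from the header.

Added example (not code from the original article). Builds DNS queries in wire
format and inspects the response header to answer two questions about a public
"advertiser": does it still recurse for names it is not authoritative for, and
does it hand out a zone transfer (AXFR) to anyone who asks? The sample
responses below are constructed for offline testing, not real captures.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode 'www.example.com.' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """12-byte header + question section. RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def parse_header(msg):
    """Return the header fields the two checks need (works on queries and responses)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "rd": bool(flags & 0x0100),   # Recursion Desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # Recursion Available
        "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_verdict(resp):
    """For a name outside its zones an advertiser should answer RA=0 and REFUSED."""
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "OPEN RESOLVER: recursed for a foreign name"
    if not h["ra"] and h["rcode"] in ("REFUSED", "NOTAUTH", "SERVFAIL"):
        return "OK: recursion disabled"
    return "INCONCLUSIVE: RA=%s RCODE=%s ANCOUNT=%d" % (h["ra"], h["rcode"], h["ancount"])


def axfr_verdict(resp):
    """A zone transfer that succeeds returns NOERROR with the zone's records in the answer."""
    h = parse_header(resp)
    if h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "ZONE TRANSFER ALLOWED: %d records in first message" % h["ancount"]
    if h["rcode"] in ("REFUSED", "NOTAUTH"):
        return "OK: transfer refused"
    return "INCONCLUSIVE: RCODE=%s" % h["rcode"]


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def probe(server, name, qtype, timeout=5):
    """Send one query over TCP (2-byte length prefix, RFC 1035) and return the response."""
    query = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def _fake_response(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Constructed response header for offline testing (question and records omitted)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


# Constructed samples; the flags word is QR|opcode|AA|TC|RD|RA|Z|RCODE.
OPEN_RESOLVER = _fake_response(0x1234, 0x8180, an=1)   # QR RD RA, NOERROR, one answer
ADVERTISER = _fake_response(0x1234, 0x8105)            # QR RD, RA clear, REFUSED
AXFR_ALLOWED = _fake_response(0x1234, 0x8400, an=42)   # QR AA, NOERROR, 42 records
AXFR_REFUSED = _fake_response(0x1234, 0x8105)          # QR RD, REFUSED

if __name__ == "__main__":
    print("recursion check (open resolver):", recursion_verdict(OPEN_RESOLVER))
    print("recursion check (advertiser):   ", recursion_verdict(ADVERTISER))
    print("AXFR check (allowed):           ", axfr_verdict(AXFR_ALLOWED))
    print("AXFR check (refused):           ", axfr_verdict(AXFR_REFUSED))
```

Against a live server you would call `recursion_verdict(probe(server, "www.example.net.", "A"))` with a name the server is not authoritative for, and `axfr_verdict(probe(server, "corp.com.", "AXFR"))` for each zone it hosts. Servers that answer a foreign name with a referral (RA=0, NOERROR, empty answer) are reported as inconclusive rather than open, since a referral is not recursion; a transfer that is allowed may arrive as several TCP messages, but the first one already carries the SOA and enough records to decide.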
⑻ Use firewalls to control DNS access
Firewalls can be used to control who can connect to your DNS servers. For DNS servers that should answer queries only from internal users, configure the firewall to block connections from external hosts. For a caching-only server used as a forwarder, configure the firewall to allow queries only from the internal DNS servers that forward to it. Another important part of the firewall policy is to prevent internal users from using the DNS protocol to reach external DNS servers directly, so that all name resolution goes through your own servers.
⑼ Set access controls on the DNS registry keys
On a Windows-based DNS server, set access controls on the registry keys associated with the DNS server so that only the accounts that need access can read or change those settings.
The HKLM\SYSTEM\CurrentControlSet\Services\DNS key should be accessible only to the Administrators group and the SYSTEM account, and both should have Full Control.
⑽ Set access controls on the DNS files and folders
On a Windows-based DNS server, set access controls on the files and folders associated with the DNS server so that only the accounts that need access can read or modify them.
Only the SYSTEM account should have access to the %system_directory%\DNS folder and its subfolders, and it should have Full Control.