Q

Best practices for managing DNS, knowing it's anything but trustworthy

Since the DNS cache-poisoning flaw was exposed, DNS security has come under scrutiny. Security management expert Mike Rothman explains where DNS security should live within the risk matrix.

What would you say are some best practices for managing DNS now that we know that it's anything but trustworthy? More specifically, where should DNS security live within the average enterprise's risk matrix?
If there is anything that Dan Kaminsky's research on how to break the DNS has shown, it's that organizations are pretty exposed. But security pros need to understand there are a few things that can be done to mitigate the risk. The first practice is to make sure the company's DNS server practices source-port randomization. This doesn't totally solve the Kaminsky DNS attack, but it makes it hard enough (and costly enough) to largely mitigate the risk.

That means the DNS server must be patched, or the company should upgrade to a more robust server infrastructure. One possibility is DNSSEC, which the U.S. federal government just deployed, but that is pretty complicated.

Another important thing is to make sure that all upstream ISPs have their act together. Even if the company's system is fine, dealing with any compromised name servers is disastrous.

In terms of where the responsibility of DNS security should reside, that depends on what kind of operational responsibilities the security team has. Many security teams these days are more influencers than implementers, which means they need to work with the organization's network team, which would actually deploy any remediation.


This was first published in July 2008
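One way to check the first practice above, source-port randomization, is to look at the UDP source ports a resolver actually uses for its outbound queries. The sketch below is an added example, not part of the original answer; the function names, the `min_pool_bits` cut-off and the sample port lists are assumptions constructed for illustration.

```python
import math

TXID_BITS = 16  # the DNS transaction ID field is 16 bits wide

def assess_source_ports(ports, min_pool_bits=10):
    """Classify the UDP source ports of one resolver's outbound queries.

    ports: source ports in the order the queries were captured.
    min_pool_bits: assumed cut-off (not from the article) below which
    the observed port range is reported as too small.
    """
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries")
    distinct = set(ports)
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    # Rough pool-size estimate: width of the observed port range, in bits.
    pool_bits = math.log2(max(distinct) - min(distinct) + 1)
    if len(distinct) == 1:
        verdict = "static"        # every query leaves from the same port
    elif len(deltas) == 1:
        verdict = "sequential"    # constant step, next port is predictable
    elif pool_bits < min_pool_bits:
        verdict = "weak"          # varies, but within a narrow range
    else:
        verdict = "randomized"
    # A predictable port adds nothing to what an off-path spoofer must match.
    port_bits = 0.0 if verdict in ("static", "sequential") else pool_bits
    return {"verdict": verdict, "distinct": len(distinct),
            "guess_bits": round(TXID_BITS + port_bits, 1)}

# Constructed samples, as if read from captures of four different resolvers.
SAMPLES = {
    "unpatched": [53] * 8,
    "counter": list(range(1025, 1033)),
    "narrow": [32768, 32790, 32771, 32801, 32779, 32769, 32795, 32784],
    "patched": [49731, 20418, 61007, 3391, 37220, 55102, 12876, 44653],
}

def audit(samples=SAMPLES):
    return {name: assess_source_ports(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:10} {result}")
```

The `guess_bits` figure is only a rough estimate taken from the observed port range; a longer capture gives a better one.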
