Ask the Expert

How to protect DNS servers

Some say DNS servers can be easily hijacked. Do you agree? What best practices should be put in place to protect DNS servers?

    Requires Free Membership to View

The Domain Name System (DNS) is the distributed database used to map domain names to IP addresses. DNS servers fulfil several functions, the most important probably being to translate human-readable computer hostnames, such as techtarget.com, into machine-readable IP addresses, like 65.214.43.49, which can be understood and used by networking equipment, computers and software programs. The DNS database is the world's largest distributed database, and unfortunately, DNS was not designed with security in mind.

As a network administrator, your task is to make it is as difficult as possible for attackers to compromise or hijack your DNS servers. If your DNS data is compromised, hackers can obtain information about your network that can be used to damage other Web services. For example, if attackers can change your DNS zone data, which includes domain names, computer names, and IP addresses for sensitive network resources, they can set up fake Web servers or cause email to be redirected to other servers.

To protect a server, first develop a DNS security policy. Decide what access your clients need and what data you most want to protect. It will help to review name-resolution traffic to see which clients can query which servers. Then decide what level of security is needed, as there is a trade-off between security and performance. If Internet connectivity is not required, DNS servers can be made much more secure. In this scenario, your network only requires an internal DNS root and namespace, and all authority for DNS zones is internal. It's unlikely, however, that you are in this position.

I would recommend locating DNS servers behind a separate firewall that isn't connected to your network. Because there is no direct connection, this arrangement protects your network should one of your DNS servers be compromised.

If the budget allows, configure a third DNS server to act as the master DNS server. The master would not have a public IP address and would be configured to only talk to the two forward-facing secondary DNS servers. Since the DNS information on the master server can't be directly changed, any unauthorized changes on the secondary servers would only last until the next time they receive an update from the master. All updates should be sent only via a secure connection.

Beyond simply using firewalls to control DNS access, you should also set access controls on DNS registry entries and file system entries.

For more information about DNS vulnerabilities, I recommend reading RFC 3822, which is a threat analysis of the Domain Name System. There's also, DNSSEC (DNS Security Extensions), a set of extensions that aim to improve the security of DNS. DNSSEC modifies DNS to add support for cryptographically signed responses. There are various other extensions to support the security of zone transfer information as well.

Even encryption doesn't prevent the possibility that a DNS server could become infected with a virus, so server hardening is a key step to protecting them. Finally, the resources at www.dnsreport.com can test a given domain and provide comprehensive information about possible DNS security issues.

More information:

  • Learn about one of the DNS worms that took advantage of a Microsoft flaw last year.
  • Ed Skoudis explains how to avoid DNS amplification attacks. .
  • This was first published in February 2008

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: