As a network administrator, your task is to make it is as difficult as possible for attackers to compromise or hijack your DNS servers. If your DNS data is compromised, hackers can obtain information about your network that can be used to damage other Web services. For example, if attackers can change your DNS zone data, which includes domain names, computer names, and IP addresses for sensitive network resources, they can set up fake Web servers or cause email to be redirected to other servers.
To protect a server, first develop a DNS security policy. Decide what access your clients need and what data you most want to protect. It will help to review name-resolution traffic to see which clients can query which servers. Then decide what level of security is needed, as there is a trade-off between security and performance. If Internet connectivity is not required, DNS servers can be made much more secure. In this scenario, your network only requires an internal DNS root and namespace, and all authority for DNS zones is internal. It's unlikely, however, that you are in this position.
I would recommend locating DNS servers behind a separate firewall that isn't connected to your network. Because there is no direct connection, this arrangement protects your network should one of your DNS servers be compromised.
If the budget allows, configure a third DNS server to act as the master DNS server. The master would not have a public IP address and would be configured to only talk to the two forward-facing secondary DNS servers. Since the DNS information on the master server can't be directly changed, any unauthorized changes on the secondary servers would only last until the next time they receive an update from the master. All updates should be sent only via a secure connection.
Beyond simply using firewalls to control DNS access, you should also set access controls on DNS registry entries and file system entries.
For more information about DNS vulnerabilities, I recommend reading RFC 3822, which is a threat analysis of the Domain Name System. There's also, DNSSEC (DNS Security Extensions), a set of extensions that aim to improve the security of DNS. DNSSEC modifies DNS to add support for cryptographically signed responses. There are various other extensions to support the security of zone transfer information as well.
Even encryption doesn't prevent the possibility that a DNS server could become infected with a virus, so server hardening is a key step to protecting them. Finally, the resources at www.dnsreport.com can test a given domain and provide comprehensive information about possible DNS security issues.
This was first published in February 2008