The domain name service (DNS) performs a critical function on the Internet -- it allows the translation of human-friendly domain names into machine-friendly IP addresses. However, it's also one of the most common sources of network-security vulnerabilities in use today. In fact, it was selected as the ninth worst security vulnerability in existence on the

    Requires Free Membership to View

SANS Top 20 Vulnerabilities list.

There are a few simple steps that you can take to protect your DNS servers from attack:

  1. Keep your DNS version current. This is the single most important step that you can take. There are well-known vulnerabilities in older versions of the Berkeley Internet Name Domain (BIND) system and other DNS packages. Patches are available to eliminate these vulnerabilities, but they're only effective if they're installed! It's essential that you stay on top of this issue. One way of keeping yourself informed is to monitor CERT advisories.

  2. Lock down the DNS server OS. The standard security procedures that you'd apply to any server should also be applied to your DNS server. Remove unnecessary services, keep the operating system security patches current and ensure that the principle of least privilege is enforced.

  3. Diversify your DNS servers. Many DNS attacks are denial-of-service attacks that seek to prevent others from resolving your domain names. To minimize the effectiveness of these attacks, ensure that you have multiple backup DNS servers in different locations (both geographic location and logical location). If you don't have the organizational resources to provide those locations, you might want to consider asking your ISP to provide backup DNS services. Many will do this at low or no cost for corporate clients.

  4. Ensure your DNS servers are in an appropriate location within your network topology. You'd be surprised how many organizations consider DNS a low-risk service and place it outside the firewall -- this couldn't be further from the truth. Your DNS server should be placed in your DMZ and provided the full protection of the firewall. Block unwanted traffic before it even reaches your machine and poses a threat.

  5. Restrict the operations that may be performed on your server. Depending upon your DNS requirements, you should restrict the types of queries that may be performed on your server and the locations they should be accepted from. For example, you may wish to disable zone transfers from unknown hosts. You might also want to restrict users outside your organization from looking up domain names for which your server is not authoritative. Sit down and think about the appropriate uses of your server and craft your security measures so activity is limited to those appropriate uses.

Use these tips as a starting point. They'll certainly improve your security posture, but they won't provide a bulletproof defense. If you'd like to read more on DNS security, Cricket Liu of VeriSign has put together an excellent presentation entitled Securing an Internet name server. If you're interested in some of the higher-level approaches being considered, the Internet Corporation for Assigned Names and Numbers (ICANN) released a DNS security update in January 2002 that contains a number of suggestions for improving the security of the overall DNS system.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.


This was first published in April 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.