The domain name service (DNS) performs a critical function on the Internet -- it translates human-friendly domain names into machine-friendly IP addresses. However, it is also one of the most common sources of network-security vulnerabilities in use today. In fact, it was ranked ninth on the SANS Top 20 Vulnerabilities list.
There are a few simple steps that you can take to protect your DNS servers from attack:
- Keep your DNS version current. This is the single most important step that you can take. There are well-known vulnerabilities in older versions of the Berkeley Internet Name Domain (BIND) system and other DNS packages. Patches are available to eliminate these vulnerabilities, but they're only effective if they're installed! It's essential that you stay on top of this issue. One way of keeping yourself informed is to monitor CERT advisories.
- Lock down the DNS server OS. The standard security procedures that you'd apply to any server should also be applied to your DNS server. Remove unnecessary services, keep the operating system security patches current and ensure that the principle of least privilege is enforced.
- Diversify your DNS servers. Many DNS attacks are denial-of-service attacks that seek to prevent others from resolving your domain names. To minimize the effectiveness of these attacks, ensure that you have multiple backup DNS servers in different locations (geographically and logically separate). If you don't have the organizational resources to provide those locations, consider asking your ISP to provide backup DNS services. Many will do this at low or no cost for corporate clients.
- Ensure your DNS servers are in an appropriate location within your network topology. You'd be surprised how many organizations consider DNS a low-risk service and place it outside the firewall -- this couldn't be further from the truth. Your DNS server should be placed in your DMZ and provided the full protection of the firewall. Block unwanted traffic before it even reaches your machine and poses a threat.
- Restrict the operations that may be performed on your server. Depending upon your DNS requirements, you should restrict the types of queries your server answers and the locations from which it accepts them. For example, you may wish to disable zone transfers to unknown hosts. You might also want to prevent users outside your organization from using your server to look up domain names for which it is not authoritative (that is, restrict recursion to your own clients). Sit down and think about the appropriate uses of your server and craft your security measures so activity is limited to those appropriate uses.
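To make the last two tips concrete, here is an added illustration (not from the original article) of a BIND 9 named.conf fragment with the open defaults beside a restricted configuration; the network 192.0.2.0/24, the secondary server 198.51.100.53 and the zone name are placeholders you would replace with your own.

```conf
// Constructed example: BIND 9 named.conf fragments, added for illustration.
// Placeholders: 192.0.2.0/24 = internal client network,
//               198.51.100.53 = our backup (secondary) name server.

// --- Weak: answers anything for anyone ---
options {
    directory "/var/named";
    recursion yes;                  // resolves any name for any client on the Internet
    allow-transfer { any; };        // any host may copy the entire zone (AXFR)
    allow-query { any; };
};

// --- Restricted: each operation limited to who actually needs it ---
acl "internal"    { 192.0.2.0/24; 127.0.0.1; };
acl "secondaries" { 198.51.100.53; };

options {
    directory "/var/named";
    version "not disclosed";        // don't advertise the exact BIND release
    recursion yes;                  // needed by internal clients only...
    allow-recursion   { internal; };  // ...so outsiders can't use us as a resolver
    allow-query-cache { internal; };  // and can't read cached (non-authoritative) data
    allow-query       { any; };       // authoritative answers remain public
    allow-transfer    { secondaries; };   // zone copies go only to our backups
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };    // per-zone override, same restriction
    also-notify    { 198.51.100.53; };  // tell the backup when the zone changes
};
```

Run `named-checkconf` after editing, and confirm from a host outside the internal range that a recursive lookup is refused while an authoritative query for the zone still succeeds.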
Use these tips as a starting point. They'll certainly improve your security posture, but they won't provide a bulletproof defense. If you'd like to read more on DNS security, Cricket Liu of VeriSign has put together an excellent presentation entitled Securing an Internet name server. If you're interested in some of the higher-level approaches being considered, the Internet Corporation for Assigned Names and Numbers (ICANN) released a DNS security update in January 2002 that contains a number of suggestions for improving the security of the overall DNS system.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.