Manage Learn to apply best practices and optimize your operations.

How to protect DNS servers

The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind. Application security expert Michael Cobb explains how to keep a DNS server from being hijacked.

Some say DNS servers can be easily hijacked. Do you agree? What best practices should be put in place to protect...

DNS servers?

The Domain Name System (DNS) is the distributed database used to map domain names to IP addresses. DNS servers fulfil several functions, the most important probably being to translate human-readable computer hostnames, such as, into machine-readable IP addresses, like, which can be understood and used by networking equipment, computers and software programs. The DNS database is the world's largest distributed database, and unfortunately, DNS was not designed with security in mind.

As a network administrator, your task is to make it is as difficult as possible for attackers to compromise or hijack your DNS servers. If your DNS data is compromised, hackers can obtain information about your network that can be used to damage other Web services. For example, if attackers can change your DNS zone data, which includes domain names, computer names, and IP addresses for sensitive network resources, they can set up fake Web servers or cause email to be redirected to other servers.

To protect a server, first develop a DNS security policy. Decide what access your clients need and what data you most want to protect. It will help to review name-resolution traffic to see which clients can query which servers. Then decide what level of security is needed, as there is a trade-off between security and performance. If Internet connectivity is not required, DNS servers can be made much more secure. In this scenario, your network only requires an internal DNS root and namespace, and all authority for DNS zones is internal. It's unlikely, however, that you are in this position.

I would recommend locating DNS servers behind a separate firewall that isn't connected to your network. Because there is no direct connection, this arrangement protects your network should one of your DNS servers be compromised.

If the budget allows, configure a third DNS server to act as the master DNS server. The master would not have a public IP address and would be configured to only talk to the two forward-facing secondary DNS servers. Since the DNS information on the master server can't be directly changed, any unauthorized changes on the secondary servers would only last until the next time they receive an update from the master. All updates should be sent only via a secure connection.

Beyond simply using firewalls to control DNS access, you should also set access controls on DNS registry entries and file system entries.

For more information about DNS vulnerabilities, I recommend reading RFC 3822, which is a threat analysis of the Domain Name System. There's also, DNSSEC (DNS Security Extensions), a set of extensions that aim to improve the security of DNS. DNSSEC modifies DNS to add support for cryptographically signed responses. There are various other extensions to support the security of zone transfer information as well.

Even encryption doesn't prevent the possibility that a DNS server could become infected with a virus, so server hardening is a key step to protecting them. Finally, the resources at can test a given domain and provide comprehensive information about possible DNS security issues.

More on this topic

  • Learn about one of the DNS worms that took advantage of a Microsoft flaw last year.
  • Ed Skoudis explains how to avoid DNS amplification attacks. .


This was last published in February 2008

Dig Deeper on Data security strategies and governance