DNS Security Tips
When it comes to your own DNS server implementation, there are a handful of questions you need to ask yourself. Your answers may differ from the next person's, but you need to at least ask them. You will be in a much better position to evaluate future threats and formulate a response if you can document your current DNS security posture and the trade-offs you may have had to make in a deployment.
- 1. How many authoritative name servers for your zone(s) do you have?
- Two is the de facto minimum, but more might be better.
- 2. Are your authoritative name servers and resolvers diverse both from a geographical and network perspective?
- They shouldn't all be in the same /24 or on the same physical LAN.
- 3. Do parent and child name servers agree on zone delegations?
- Things might work if they don't, but often sub-optimally.
- 4. Are your resolvers open to the entire world?
- If at all possible they shouldn't be.
- 5. Do your resolvers and zones have protection from answer spoofing?
- Investigate how well your resolvers and zones stand up to spoofing attacks.
- 6. Do you know when your registered name(s) will expire, who has access to make changes, and how a registrar can help protect from name theft?
- Many people don't think about this on a daily basis, so it's easy to forget.
- 7. What other services are running on your DNS servers?
- SSH and NTP, properly protected, are reasonable services to run on a DNS server, but do you really need FTP, HTTP, SMTP and Telnet?
- 8. How do people remotely administer your DNS servers?
- Even if your servers are locked down tight, never underestimate the power of SSH brute force guessing attacks or a remote admin's host having been compromised with a key logger installed. We see a lot of both.
- 9. How much memory (RAM) do you have installed and available on your DNS server?
- RAM is often the key resource limitation for many DNS servers. Have not just more than enough, have way more than enough.
- 10. Are you filtering TCP DNS queries?
- You probably shouldn't be. TCP isn't just for zone transfers.
- 11. Do you have the capability to see what queries are being asked and the overall DNS server health?
- Logging and statistics monitoring are also absolutely necessary for successfully mitigating many security threats.
- 12. Are the DNS system clocks accurate? Have you considered setting the timezone to UTC?
- Having an accurate notion of time is critical not only for many protocols to operate properly, but also to ensure you are able to correctly troubleshoot problems and security events across multiple systems and time zones.
- 13. Have you recently read RFC 2870?
- You may not think it applies to you, but it gives some good general advice that is at least in part relevant to most DNS operators.
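Questions 1 to 3 (server count, network diversity, parent/child agreement) can be answered mechanically. The script below is an added example, not part of the original article: it assumes you have already collected the parent's delegation with something like `dig +norecurse NS example.com @<a parent-zone server>` and the zone apex NS set with `dig NS example.com @<one of your own servers>`, and feeds those sets (here constructed sample data with hypothetical names and documentation-range addresses) into three checks.

```python
"""Delegation and diversity checks for a zone's authoritative servers.

Added example. The NS sets and glue addresses are constructed sample data
so the script runs offline; in practice they come from dig queries against
a parent-zone server (delegation) and one of your own servers (apex).
"""
import ipaddress

# Constructed: what the parent delegates vs. what the child apex publishes.
PARENT_NS = {"ns1.example.net.", "ns2.example.net."}
CHILD_NS = {"ns1.example.net.", "ns2.example.net.", "ns3.example.org."}
NS_ADDRESSES = {  # hypothetical addresses for each name server
    "ns1.example.net.": ["192.0.2.10"],
    "ns2.example.net.": ["192.0.2.20"],
    "ns3.example.org.": ["198.51.100.5", "2001:db8:1::53"],
}


def normalise(names):
    """Case-fold and force a single trailing dot so sets compare cleanly."""
    return {n.lower().rstrip(".") + "." for n in names}


def delegation_mismatch(parent_ns, child_ns):
    """Return (only_in_parent, only_in_child); both empty means they agree."""
    p, c = normalise(parent_ns), normalise(child_ns)
    return sorted(p - c), sorted(c - p)


def count_servers(ns_set):
    return len(normalise(ns_set))


def network_diversity(addresses, v4_prefix=24, v6_prefix=48):
    """Group addresses by prefix (/24 for IPv4, /48 for IPv6 by default).

    Returns {network: [addresses]}; one key means no network diversity.
    """
    groups = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups.setdefault(str(net), []).append(str(ip))
    return groups


def findings(parent_ns, child_ns, ns_addresses):
    """Run the three checks and return human-readable findings (empty = fine)."""
    out = []
    n = count_servers(child_ns)
    if n < 2:
        out.append(f"only {n} authoritative server(s); two is the minimum")
    only_p, only_c = delegation_mismatch(parent_ns, child_ns)
    if only_p or only_c:
        out.append(f"delegation mismatch: parent-only={only_p} child-only={only_c}")
    v4 = [a for ns in normalise(child_ns)
          for a in ns_addresses.get(ns, []) if ":" not in a]
    nets = network_diversity(v4)
    if len(v4) > 1 and len(nets) < 2:
        out.append(f"all IPv4 servers share one /24: {list(nets)}")
    return out


if __name__ == "__main__":
    for f in findings(PARENT_NS, CHILD_NS, NS_ADDRESSES) or ["no findings"]:
        print(f)
```

With the constructed data the only finding is the delegation mismatch (ns3.example.org is published at the apex but the parent does not delegate to it); the two /24s satisfy the diversity check. Swap in your own dig output to audit a real zone.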
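Questions 4 and 5 (open resolvers and spoofing protection) usually come down to a few lines of resolver configuration. The following is an added example, not from the original article: it audits a BIND-style named.conf for the `recursion`, `allow-recursion`, `dnssec-validation` and `query-source` statements, which are real BIND options, using a deliberately minimal parser that assumes the usual `name { value; value; };` layout. Both configurations are constructed, one with the weak settings and one hardened.

```python
"""Audit a BIND-style named.conf for open recursion and spoofing defences.

Added example with a deliberately small parser: it only inspects the
statements named below and assumes BIND's usual `name { ...; };` layout.
"""
import re

# Constructed sample configurations (hypothetical; no real deployment).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };        // recursive service for the whole world
    dnssec-validation no;
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
    allow-query-cache { localhost; localnets; 192.0.2.0/24; };
    dnssec-validation auto;
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _acl(text, name):
    """Return the address-match list of `name { ... };` or None if absent."""
    m = re.search(rf"(?<![\w-]){name}\s*\{{(.*?)\}}\s*;", text, flags=re.S)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def _scalar(text, name):
    """Return the single value of `name value;` or None if absent."""
    m = re.search(rf"(?<![\w-]){name}\s+([\w-]+)\s*;", text)
    return m.group(1).lower() if m else None


def audit_resolver_config(conf):
    """Findings for 'open to the world?' and 'protected from spoofing?'.

    An empty list means nothing was flagged.
    """
    text = _strip_comments(conf)
    out = []
    if _scalar(text, "recursion") != "no":
        acl = _acl(text, "allow-recursion")
        if acl is None:
            out.append("recursion on with no allow-recursion; verify the default for your version")
        elif any(e.lower() in ("any", "0.0.0.0/0", "::/0") for e in acl):
            out.append(f"open resolver: allow-recursion {acl}")
    validation = _scalar(text, "dnssec-validation")
    if validation not in ("auto", "yes"):
        out.append(f"dnssec-validation is {validation!r}; answers are not validated")
    # A fixed outbound port throws away source-port randomisation, which is
    # one of the main defences against cache-poisoning by answer spoofing.
    m = re.search(r"(?<![\w-])query-source(?:-v6)?[^;]*\bport\s+(\d+)", text)
    if m:
        out.append(f"fixed query-source port {m.group(1)} disables port randomisation")
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_resolver_config(conf) or ["ok"])
```

Run it over your own named.conf to get a quick answer to questions 4 and 5; an authoritative-only server with `recursion no;` passes the recursion check regardless of any ACLs.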
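Questions 10 and 11 (TCP queries and visibility into what is being asked) are easiest to answer from the query log. The script below is an added example, not part of the original article: it parses lines in the shape of BIND's query log (the `client ... query: name class type flags` format, where a `T` in the flags field marks a TCP query), and the sample lines are constructed using documentation-range addresses. It produces the per-client, per-type and TCP/UDP counts a practitioner would want to watch, and flags clients asking for types that are often abused.

```python
"""Summarise a BIND-style query log and flag clients worth a second look.

Added example. The log lines are constructed to match the layout BIND
writes for the "queries" category; adjust QUERY_RE for other servers.
"""
import re
from collections import Counter

# Constructed sample lines (documentation addresses, hypothetical zone).
SAMPLE_LOG = """\
10-Mar-2024 12:00:01.101 queries: info: client @0x7f3a1c0 192.0.2.10#53412 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
10-Mar-2024 12:00:01.105 queries: info: client @0x7f3a1c0 192.0.2.10#53413 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.0.2.53)
10-Mar-2024 12:00:02.210 queries: info: client @0x7f3a1c0 192.0.2.10#53414 (example.com): query: example.com IN MX + (192.0.2.53)
10-Mar-2024 12:00:02.877 queries: info: client @0x7f3a2f0 198.51.100.7#4444 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
10-Mar-2024 12:00:03.004 queries: info: client @0x7f3a2f0 198.51.100.7#4444 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
10-Mar-2024 12:00:03.500 queries: info: client @0x7f3a3a0 203.0.113.9#60001 (example.com): query: example.com IN AXFR +T (192.0.2.53)
10-Mar-2024 12:00:04.000 general: info: zone example.com/IN: loaded serial 2024031001
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[^#\s]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield one dict per query line; lines that are not queries are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            q = m.groupdict()
            q["tcp"] = "T" in q["flags"]   # BIND marks TCP queries with 'T'
            yield q


def summarize(text):
    """Counts that answer 'what is being asked' and 'is TCP actually used'."""
    s = {"total": 0, "tcp": 0,
         "clients": Counter(), "qtypes": Counter(), "qnames": Counter()}
    for q in parse_query_log(text):
        s["total"] += 1
        s["tcp"] += q["tcp"]
        s["clients"][q["client"]] += 1
        s["qtypes"][q["qtype"].upper()] += 1
        s["qnames"][q["qname"].lower()] += 1
    return s


def flag_clients(text, watch_types=("ANY", "AXFR"), max_per_client=None):
    """Clients asking for types that are commonly abused (ANY in amplification
    floods, AXFR for zone scraping) or exceeding a per-client query budget."""
    per_client, hits = Counter(), {}
    for q in parse_query_log(text):
        per_client[q["client"]] += 1
        if q["qtype"].upper() in watch_types:
            hits.setdefault(q["client"], set()).add(q["qtype"].upper())
    if max_per_client is not None:
        for client, n in per_client.items():
            if n > max_per_client:
                hits.setdefault(client, set()).add(f">{max_per_client} queries")
    return {c: sorted(v) for c, v in hits.items()}


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(f"{stats['total']} queries, {stats['tcp']} over TCP")
    print("top names:", stats["qnames"].most_common(3))
    print("flagged:", flag_clients(SAMPLE_LOG, max_per_client=2))
```

Feed it a real log with `python3 querylog.py < /var/log/named/queries.log` after changing the `__main__` block to read stdin; a nonzero TCP count on a server that "filters TCP DNS" is the quickest evidence that question 10's filter is breaking legitimate clients.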
Now, go forth, do good work and don't panic!