DNS Security

The security of DNS has become increasingly important over the years. The information held in the Domain Name System is extremely sensitive, yet it is often wide open to attack. BIND, which has been around since the inception of the Internet in the 80’s, is still the most widely used DNS software. BIND is open source, so its code is visible to anyone who cares to look. There are many derivatives of BIND, as well as other open and closed source DNS resolvers. If your name servers run BIND, it is extremely important to stay current on all patches and upgrades so that any newly discovered holes are closed. If you would rather not worry about patching your software, consider a third-party DNS provider. These companies typically take care of everything for you, so patches and upgrades are no longer your concern. A few of them even run their own proprietary resolver code, which is not susceptible to some of the recent security threats that have made the news, such as cache poisoning and the Conficker worm. Whichever way you go with your DNS, make sure you check on it frequently.


Securing Your DNS


1. Use any available security protocols for BIND.

DNSSEC – The IETF has been working on increasing the security of DNS through the DNS Security Extensions, but these have not yet seen wide adoption. You should nonetheless keep up with what’s going on and participate in it.

TSIG – This is a feature of DNSSEC that is currently available and worthwhile to implement.

2. Do not enable recursion on your external-facing name servers.

Recursion is useful inside your own firewall for employee use, but it should not be open to the public. Recursion causes answers to be cached, and that cache could be poisoned, which could be detrimental to your organization. Certain name servers on Windows systems cannot differentiate between an internal and an external query, meaning the server cannot tell whether recursion should be on or off for a given client. Therefore, do not use such a system as both an internal and an external server.

3. Limit your name servers to accepting traffic only from trusted sources. For example, if there is no reason to accept zone transfers or zone requests from arbitrary hosts, allow them only from the Master server list within your network. If you currently don’t have this capability, use firewalls and/or router access lists to limit which machines can send traffic your way.

Whether or not a host is listed in an internally or externally facing DNS domain has nothing to do with its security. A determined individual with proper due diligence can find the host, so use host and network security to defend it.
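An added example, not taken from the original article, of a BIND 9 named.conf fragment for an external-facing authoritative server that applies steps 1 to 3: a TSIG key for zone transfers, recursion switched off, and transfers restricted to one named secondary. The zone example.com, the secondary address 192.0.2.53, the key name xfer-key and the secret are placeholders to replace with your own values.

```conf
// named.conf fragment (BIND 9) for an external, authoritative-only server.
// Placeholders: example.com, 192.0.2.53, "xfer-key", the TSIG secret.

// Step 1 (TSIG): shared secret between this primary and its secondary.
// Generate the base64 secret with tsig-keygen (or dnssec-keygen -n HOST
// on older releases); never reuse a secret across unrelated peers.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

acl "secondaries" { 192.0.2.53; };          // placeholder secondary address

options {
    directory "/var/named";

    // Step 2: an Internet-facing authoritative server must not recurse.
    // Weak setting this replaces:  recursion yes;  (open resolver, cache
    // that can be poisoned and abused for reflection).
    recursion no;
    allow-recursion { none; };

    // Step 3: anyone may query the zones we publish, but nobody may pull
    // a full copy of them unless a zone stanza below explicitly allows it.
    // Weak setting this replaces:  allow-transfer { any; };
    allow-query    { any; };
    allow-transfer { none; };

    // Do not advertise the exact BIND release in version.bind queries;
    // this does not replace patching, it only removes an easy fingerprint.
    version "not disclosed";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Transfers are accepted only when the request is signed with the
    // shared key AND comes from the listed secondary (both must match).
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify    { 192.0.2.53; };
};

// On the secondary, the matching stanza makes it sign its AXFR/IXFR
// requests toward this primary with the same key:
//   server 192.0.2.1 { keys { "xfer-key"; }; };
```

Run `named-checkconf` on the file before reloading; the nested ACL in allow-transfer rejects any address outside "secondaries" first, and then requires a valid TSIG signature from the remainder.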

4. DNS-based DDoS attacks are becoming more and more prevalent today. It used to be that about 95% of attacks were TCP related, but now it’s probably more like 85%. There are a few reasons for this…

First of all, web companies are getting smarter about protecting themselves, and hackers have noticed. The more attacks that happen on the Internet, the more fear is instilled in companies, which creates demand for protection. Hackers now have to think of alternative ways to take these sites down. Where do they look? The DNS servers. DNS servers are one of the most neglected parts of the network stack and very easy to take down.

Check whether you are prepared to handle DNS-based DDoS attacks. You probably are not if you run DNS yourself, but maybe you are. Otherwise, talk to some DNS providers and ask them a few things. Have them tell you what’s under the hood; if they refuse, that’s probably a bad sign. You should have a good understanding of how many nodes they have, where those nodes are located, what type of hardware is in each node, the bandwidth and throughput they have in place, and the resolver code and routing capabilities that are built in.

© Copyright 2008 by DNS Reviews