How to Secure DNS Servers and Prevent Security Issues
Hackers often tend to target DNS software, aiming to cause security breaches. Let’s discuss how to secure DNS servers using some very effective methods. Here we go…
Using a DNS forwarder helps
Using a DNS forwarder is of great help when it comes to securing DNS servers. A DNS forwarder is simply a DNS server that performs queries on behalf of another DNS server, which offloads processing from the public DNS server. A DNS forwarder also keeps the public DNS server from interacting with Internet DNS servers directly, thereby protecting the resource records of the internal domain. So, it’s good to configure the internal DNS server to use a DNS forwarder for all domains for which it is not authoritative, rather than letting that server perform the recursion itself and contact Internet DNS servers directly.
How to secure DNS servers with DNS resolvers and DNS advertisers
DNS resolvers and DNS advertisers help greatly when it comes to securing DNS servers. A DNS resolver is a DNS server that performs recursion to resolve names for domains for which the public DNS server is not authoritative, while a DNS advertiser is a DNS server that resolves queries only for domains for which it is authoritative. The DNS resolver can be made available to your internal users only, to external users only (thereby giving them a secure alternative to using a DNS server outside your administrative control), or, if needed, to both internal and external users. The DNS advertiser enhances security by preventing users from using your public DNS server to resolve names in other domains.
Caching-only DNS servers help increase security
Using a caching-only DNS server (one that is not authoritative for any DNS domain) helps increase DNS security. Upon receiving a response, a caching-only DNS server caches the result and returns the answer to the system that issued the DNS query. Thus, the caching-only DNS server can, over time, amass a large cache of responses, improving DNS response times for the DNS clients of that server. Caching-only DNS servers can also be used as forwarders, performing recursion on behalf of the internal DNS servers. Thus, dependence on the ISP’s DNS servers can be avoided, enhancing overall security.
Configure DNS servers to prevent cache pollution
DNS servers should be configured to prevent cache pollution. That way the DNS server cache is not polluted with bogus entries, and users are protected from being redirected to malicious websites. For Windows 2003, the DNS server is configured to prevent cache pollution by default. For a Windows 2000 DNS server, it can be configured by opening the Properties dialog box for the DNS server, clicking the Advanced tab, selecting the Prevent Cache Pollution checkbox and then restarting the DNS server.
Go for DDNS for secure connections only
DDNS is indeed of great help for DNS administrators, but DDNS updates, if allowed without restriction, pose a security risk: a hacker can configure a host to dynamically update the DNS host records of a file server, web server or database server and get connections diverted. Hence, dynamic updates should be performed over secure connections only; this can be done by configuring the DNS server to use Active Directory-integrated zones and requiring secure dynamic updates.
Configure DNS servers to disable zone transfers
Disabling zone transfers helps greatly in enhancing DNS security. If zone transfers are enabled, anyone can issue a DNS query that causes a DNS server configured to allow zone transfers to dump its entire zone database, information that a hacker can very easily misuse. Such information can be used to spy on the naming schema of an organization and to attack key infrastructure services. So, it’s good to configure the DNS servers to deny zone transfer requests, or to allow them only to specific servers in the network.
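The forwarder, cache pollution, secure dynamic update and zone transfer settings above can be audited in one pass. The script below is an added example, not part of the original article; it assumes a Windows Server 2012 or later DNS server with the DnsServer PowerShell module, run with DNS administrator rights, and the server name passed in is a placeholder. The Windows 2000/2003 dialog-box steps in the article map onto the cmdlets named in each finding.

```powershell
# Added example: report weak settings on a Windows DNS server and name the cmdlet that fixes each.
Import-Module DnsServer

function Test-DnsServerHardening {
    param([string]$ComputerName = 'localhost')   # placeholder default; pass the real DNS server name
    $findings = @()

    # Cache pollution protection (the Advanced tab checkbox in the GUI)
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if (-not $cache.EnablePollutionProtection) {
        $findings += 'Cache pollution protection is OFF -> Set-DnsServerCache -EnablePollutionProtection $true'
    }

    # A server that recurses with no forwarder walks the Internet root hints itself;
    # an advertiser (authoritative-only) should not recurse at all.
    $recursion  = Get-DnsServerRecursion -ComputerName $ComputerName
    $forwarders = (Get-DnsServerForwarder -ComputerName $ComputerName).IPAddress
    if ($recursion.Enable -and -not $forwarders) {
        $findings += 'Recursion enabled with no forwarder -> Set-DnsServerForwarder -IPAddress <forwarder> -UseRootHint $false, or Set-DnsServerRecursion -Enable $false on an advertiser'
    }

    # Per-zone checks on primary zones the administrator created (skip auto-created ones)
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
             Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += "Zone $($zone.ZoneName) allows zone transfer to any host -> Set-DnsServerPrimaryZone -Name $($zone.ZoneName) -SecureSecondaries NoTransfer (or TransferToSecureServers -SecondaryServers <ip>)"
        }
        if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            # Secure updates require the zone to be Active Directory-integrated (IsDsIntegrated)
            $findings += "Zone $($zone.ZoneName) accepts unauthenticated DDNS updates -> Set-DnsServerPrimaryZone -Name $($zone.ZoneName) -DynamicUpdate Secure"
        }
    }
    return $findings
}

Test-DnsServerHardening
```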
Control DNS access using firewalls
Controlling DNS access using firewalls is important. Configure firewalls to block connections from external hosts to DNS servers that are used only for internal client queries. Similarly, there needs to be a firewall policy setting that blocks internal users from using the DNS protocol to connect to external DNS servers. Firewalls can also be configured to regulate queries from DNS servers that are used as caching-only forwarders.
Setting access controls on DNS file system entries and registry entries
Setting access controls on DNS server-related file system entries and also on registry entries would help secure DNS servers. Such access controls ensure that only accounts that require access to these (file system entries or registry entries) can read or change them.