1. Use DNS forwarders
A DNS forwarder is a DNS server that performs DNS queries on behalf of another DNS server. The primary reasons to use a DNS forwarder are to offload processing duties from the DNS server forwarding the query to the forwarder and to benefit from the potentially larger DNS cache on the DNS forwarder.
Another benefit of using a DNS forwarder is that it prevents the DNS server forwarding the requests from interacting with Internet DNS servers. This is especially important when your DNS server is hosting your internal domain DNS resource records. Instead of allowing your internal DNS servers to perform recursion and contacting DNS servers itself, configure the internal DNS server to use a forwarder for all domains for which it is not authoritative.
2. Use caching-only DNS servers
A caching-only DNS server is one that is not authoritative for any DNS domains. It’s configured to perform recursion or use a forwarder. When the caching-only DNS server receives a response, it caches the result and returns the answer to the system issuing the DNS query to the caching-only DNS server. Over time, the caching-only DNS server can amass a large cache of DNS responses, which can significantly improve DNS response times for DNS clients of that caching-only DNS server.
Caching-only DNS servers can improve security for your organization when used as forwarders that are under your administrative control. Internal DNS servers can be configured to use the caching-only DNS server as their forwarders and the caching-only DNS server performs recursion on behalf of your internal DNS servers. Using your own caching-only DNS servers as forwarders improves security because you don’t have to depend on your ISP’s DNS servers as forwarders when you’re unsure of the security configuration of your ISP’s DNS servers.
3. Use DNS advertisers
A DNS advertiser is a DNS server that resolves queries for domains for which the DNS advertiser is authoritative. For example, if you host publicly available resources for domain.com and corp.com, your public DNS server would be configured with DNS zone files for the domain.com and corp.com domains.
What sets the DNS advertiser apart from any other DNS server hosting DNS zone files is that the DNS advertiser answers queries only for domains for which it is authoritative. The DNS server will not perform recursion for queries to other DNS servers. This prevents users from using your public DNS server to resolve names in other domains. This increases security by lessening the risks associated with running a public DNS resolver, which include cache poisoning.
4. Use DNS resolvers
A DNS resolver is a DNS server that can perform recursion to resolve names for domains for which that DNS server is not authoritative. For example, you might have a DNS server on your internal network that’s authoritative for your internal network domain, internalcorp.com. When a client on your network uses that DNS server to resolve the name techrepublic.com, that DNS server performs recursion by querying other DNS servers to get the answer.
The difference between this DNS server and a DNS resolver is that a DNS resolver is a DNS server that is dedicated to resolving Internet host names. A resolver could be a caching-only DNS server that isn’t authoritative for any DNS domains. You can make the DNS resolver available to only your internal users, you can make it available only to your external users to provide a secure alternative to using a DNS server outside of your administrative control, or you can allow both internal and external users access to the DNS resolver.
5. Protect DNS from cache pollution
DNS cache pollution is an increasingly common problem. Most DNS servers are able to cache the results of DNS queries before forwarding the response to the host issuing the query. The DNS cache can significantly improve DNS query performance throughout your organization. The problem is that if the DNS server cache is “polluted” with bogus DNS entries, users can subsequently be forwarded to malicious Web sites instead of the sites they intended to visit.
Most DNS servers can be configured to prevent cache pollution. The Windows Server 2003 DNS server is configured to prevent cache pollution by default. If you’re using a Windows 2000 DNS server, you can configure it to prevent cache pollution by opening the Properties dialog box for the DNS server and clicking the Advanced tab. Select the Prevent Cache Pollution check box and restart the DNS server.
6. Enable DDNS for secure connections only
Many DNS servers accept dynamic updates. The dynamic update feature enables these DNS servers to register DNS host names and IP addresses for hosts that use DHCP for host IP addressing. DDNS can be a great boon in reducing the administrative overhead for DNS administrators who otherwise would need to manually configure DNS resource records for these hosts.
However, there can be a major security issue with DDNS updates if they are allowed unchecked. A malicious user can configure a host to dynamically update DNS host records of a file server, Web server, or database server and have connections that should be destined to those servers diverted to his machine instead of the intended target.
You can reduce the risk of malicious DNS updates by requiring secure connections to the DNS server in order to perform the dynamic update. This is easily achieved by configuring your DNS server to use Active Directory integrated zones and requiring secure dynamic updates. All domain members will be able to dynamically update their DNS information in a secure context after you make this change.
7. Disable zone transfers
Zone transfers take place between primary and secondary DNS servers. Primary DNS servers that are authoritative for specific domains contain writable DNS zone files that are updated as needed. Secondary DNS servers received a read-only copy of these zone files from primary DNS servers. Secondary DNS servers are used to improved DNS query performance throughout an organization or over the Internet.
However, zone transfers are not limited to only secondary DNS servers. Anyone can issue a DNS query that will cause a DNS server configured to allow zone transfers to dump the entirety of its zone database files. Malicious users can use this information to reconnoiter the naming schema in your organization and attack key infrastructure services. You can prevent this by configuring your DNS servers to deny zone transfer requests or by configuring the DNS servers to allow zone transfers only to specific servers in the organization.
8. Use firewalls to control DNS access
Firewalls can be used to gain access control over who can connect to your DNS servers. For DNS servers that are used only for internal client queries, configure firewalls to block connections from external hosts to those DNS servers. For DNS servers used as caching-only forwarders, configure firewalls to allow DNS queries only from those DNS servers that use the caching-only forwarders. An especially important firewall policy setting is to block internal users from using the DNS protocol to connect to external DNS servers.
9. Set access controls on DNS registry entries
On Windows-based DNS servers, you should configure access controls on the DNS server-related Registry settings so that only the accounts that require access to them are allowed to read or change those Registry settings.
The HKLMCurrentControlSetServicesDNS key should be configured to allow only the Administrator and System account access, and these accounts should have Full Control permissions.
10. Set access control on DNS file system entries
On Windows-based DNS servers, you should configure access controls on the DNS server-related file system entries so that only the accounts that require access to them are allowed to read or change those files.
The %system_directory%DNS folder and subfolders should be configured to allow only the system account to access the files, and the system account should be given Full Control permissions.