Seven major issues for DNS server security deployment

DNS (domain Name System) is a long history method for assigning a domain name to a computer with an IP address so that the computer has a character name. If the IP address is 207.46.193.254 computer that is Microsoft server www.microsoft.com. DNS is well designed and works most of the time. However, there are always some unsatisfactory circumstances, it will strike, so that administrators have a headache. So how do you look for clues to their failure? What are some of the things that are not satisfactory in your DNS system?

Are there some regular things that can be followed? The answer is yes, we give the DNS server seven counts for your reference:

1. Use old version of BIND.

As an open source DNS server software, BIND is currently the most widely used DNS server software in the world. Almost all of the old versions of BIND have serious, well-known vulnerabilities. Attackers can exploit these vulnerabilities to destroy our DNS domain name servers and allow them to invade the hosts that run them. Be sure to use the latest bind and fix it in time.

2. Place all important domain name servers into the same subnet.

In this case, a failure of a device, such as a switch or router, or a failure of a network connection will make it impossible for users on the Internet to access your site or send you e-mail.

3. Allow recursion of unauthorized queries.

If you set this to the following scenario:

（recursion yes　no;　[yes]
allow-recursion { address_match_list };　[all hosts]

is not safe. Here, the recursion option specifies whether named queries other domain name servers instead of the client. The domain name server is typically not set to turn off recursion. At the very least, we should allow recursion for our clients, but no recursion for foreign queries. Because recursive queries can be processed for any client, the domain name server is exposed to cache poisoning (cached poisoning) and denial of service attacks.

4. Allow for zone transfers of unauthorized secondary domain name servers.

Zone transfer (Zone Transfer) refers to the process of replicating a zone database file between multiple DNS servers. If a zone transfer service is provided for any query, the domain name server is exposed to the attacker, causing the server to become paralyzed.

5. No DNS transponders were used.

A DNS forwarder is a server that performs DNS queries on behalf of other DNS services. Many domain name server software, including Microsoft's DNS servers and some older bind domain names servers, do not adequately protect themselves against cache poisoning, and other DNS server software also has vulnerabilities that can be exploited by malicious response. But many administrators allow these domain servers to directly query other domain name servers on the Internet, not using forwarders at all.

6. Incorrectly set the authorization start (start of Authority:soa) value.

The beginning of the SOA markup area data, defining the parameters that affect the entire zone. Many administrators set the value of a zone too low, which can cause disruption to the system when a refresh query or zone transfer begins to fail. Since the RFC redefined SOA, others have reset the reverse cache (negative caching) TTL, resulting in too high a value.

7. NS records that do not match the authorization with the zone data.

Some administrators have added or removed the primary domain name servers, but have forgotten to make corresponding changes to their area's delegated authorization data (known as delegation). This will prolong the resolution of the domain name time and reduce elasticity.

Of course, these are just some general bugs that administrators may make, but they can be used as a basic reference for configuring your DNS server.