Domestic domain name over half of unsafe service system precautions recommendations Select

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Recently, the Domain name registration Authority CNNIC issued the first "China Domain Name Service and security status Report", "Report" shows that the current total number of domain name servers in China, of which more than 50% of the domain name servers are alleged to be relatively insecure. For domestic, 57% of information systems have the risk of domain name resolution. Below, IDC comments the network and everybody pays close attention to the domain Name Service security present situation and the prevention suggestion.

Fig. 1 The distribution chart of the security sampling results of the key authoritative domain names in China

The report sampled the domain names from various industries, mainly from government agencies, financial institutions, educational institutions, network operators and so on. As can be seen from Figure 1, the risk ratio is 45%, the risk is higher 11%, the very dangerous 1%, which can be counted in the risk state accounted for 57%, more than half. Only 11% were considered safe. The report also shows that educational institutions have the least security of Domain Name Service systems, at a risk of up to 80%.

For our country domain name server over half unsafe situation, we have sorted out some security precaution suggestion:

Recommendation I: The information in a higher or outdated any part of the vulnerability can be exploited by hackers, data tampering. Therefore, if you want to improve security, make sure that the domain name resolution service is independent. The server that is running the Domain Name service cannot open other ports at the same time.

Recommendation two: Domain name resolution Service system used by the software is very important, such as improper configuration or upgrade delay are easy to create vulnerabilities by hackers easily exploited. Therefore, the need to adopt a secure operating system platform and domain name resolution software, and always pay attention to the latest security vulnerabilities released by software vendors, timely upgrade software systems.

Recommendation three: Hackers usually use domain name hijacking to control the DNS server, so that users access to the domain name, access to the content. The domestic CN domain name is hijacked, can easily take back control, and international domain name to retake domain name is more complex. Therefore, the user chooses the high security, the service convenient domain name service organization and the Registration Management organization, and hides the domain name resolution software and the operating system and so on version information, finally also restricts the domain name area file the transfer permission.

Recommendation IV: The use of intrusion detection system, as far as possible to detect man-in-the-middle attack, although its detection and defense are very difficult. In addition to the Domain name server boundary network equipment traffic, packet monitoring. Finally, we can monitor whether the domain name protocol is normal and determine whether the data has changed. When conditions permit, multiple detection points can be deployed within different networks for distributed monitoring.

Recommendation five: To prevent distributed denial of service attacks, it is recommended that the number of servers providing domain name services is not less than 2, and deployed in different physical network environments. In addition, to limit the service scope of recursive services, and use the Traffic Analysis tool to detect DDoS attacks in time to take emergency measures.

Recommendation six: The Domain Name Service deployment needs to consider a single node failure problem, the routers involved, switches and so on need redundant backup capabilities, the establishment of a sound data backup mechanism and log management system. To keep the full resolution log of the latest 3 months. It is suggested that the important domain name information system should be ensured by 7x24 maintenance mechanism. The emergency response time cannot be delayed to 30 minutes.

Conclusion: The domain name security issues are endless, according to the news, 2009 storm video by domain name attacks caused large area of broken nets, loss of 2.38 million yuan; this year, Baidu was hijacked by domain name, estimated loss of tens of millions. The problem of domain name security has become more and more noticeable.

Article Author: China IDC comment Net http://www.idcps.com, if need reprint, please indicate the source, welcome everybody to communicate together, thank you!