DNS software is a favourite target of attackers and can be a source of security problems. Here are some of the most effective ways to protect DNS servers. (Related article: protecting the security of Win2003 network servers)
1. Use a DNS Forwarder
A DNS forwarder is a DNS server that completes DNS queries on behalf of other DNS servers. The main reasons to use a DNS forwarder are to offload DNS processing from your DNS server, which passes its query requests to the forwarder, and to benefit from the forwarder's potentially larger DNS cache.
Another advantage of using a DNS forwarder is that it keeps your DNS server from sending query requests to Internet DNS servers. This matters if your DNS server holds the DNS resource records for your internal domain. Instead of letting the internal DNS server perform recursive queries and contact Internet DNS servers directly, configure it to use a forwarder for the requests it is not authoritative for.
2. Use a caching-only DNS server
A caching-only DNS server is not authoritative for any domain name; it is used only for recursive queries or as a forwarder. When the caching-only DNS server receives a response, it stores the result in its cache and returns it to the system that sent the DNS query. Over time, a caching-only DNS server accumulates a large number of DNS responses, which greatly shortens the time it takes to answer DNS queries.
Using a caching-only DNS server as a forwarder improves security for the organization under your administrative control. Internal DNS servers can use the caching-only DNS server as their forwarder, so that the caching-only server performs the recursive queries instead of your internal DNS servers. Using your own caching-only DNS server as a forwarder improves security because you do not have to rely on your ISP's DNS server as a forwarder; this is especially true if you cannot confirm how secure your ISP's DNS server is.
3. Use DNS advertisers
A DNS advertiser is a DNS server responsible for answering queries for the domains it hosts. For example, if you host public resources for domain.com and corp.com, your public DNS server should be configured with the DNS zone files for domain.com and corp.com.
What sets a DNS advertiser apart from an ordinary DNS server that hosts zones is that the DNS advertiser responds only to queries for the domain names it is authoritative for. Such a DNS server does not perform recursive queries against other DNS servers. This prevents users from using your public DNS server to resolve other domain names, and it improves security by removing the risks that come with running a public DNS resolver, including cache poisoning.
4. Use DNS resolvers
A DNS resolver is a DNS server that can perform recursive queries and resolve names in domains for which it is not authoritative. For example, you may have a DNS server on your internal network that is authoritative for the internal network domain internalcorp.com. When a client on the network uses this DNS server to resolve techrepublic.com, the DNS server performs recursion by querying other DNS servers to obtain the answer.
The difference between this DNS server and a DNS advertiser is that the DNS resolver resolves Internet host names as well. A DNS resolver can also be a caching-only DNS server that is not authoritative for any DNS domain. You can make the DNS resolver available only to internal users, or only to external users, so that you do not have to set up a DNS server outside your control; this improves security. Of course, you can also make the DNS resolver available to both internal and external users.
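As an added example, not from the original article, the following PowerShell assigns the roles described in sections 1 to 4 with the Windows DnsServer module (Windows Server 2012 and later); the server names and the forwarder address are constructed placeholders.

```powershell
# Added example: assigns the DNS roles described above with the DnsServer module.
# Server names and IP addresses are constructed; replace them with your own.
Import-Module DnsServer

function Set-InternalDnsServerRole {
    # Sections 1-2: the internal authoritative server never recurses to the Internet
    # itself; every query it is not authoritative for goes to the caching-only forwarder.
    param([string]$ComputerName, [string[]]$ForwarderAddress)
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $ForwarderAddress -UseRootHint $false
}

function Set-CachingOnlyServerRole {
    # Section 2: recursion on, but the server should host no zones of its own.
    param([string]$ComputerName)
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $true
    $hosted = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
    if ($hosted) { Write-Warning "Caching-only server hosts zones: $($hosted.ZoneName -join ', ')" }
}

function Set-DnsAdvertiserRole {
    # Section 3: answer only for hosted zones. With recursion off the public server
    # cannot be used as an open resolver and builds no cache that could be poisoned.
    param([string]$ComputerName)
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $false
}

function Get-DnsRoleReport {
    # Sections 3-4: quick check of which servers recurse, where they forward, what they host.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        [pscustomobject]@{
            Server     = $c
            Recursion  = (Get-DnsServerRecursion -ComputerName $c).Enable
            Forwarders = (Get-DnsServerForwarder -ComputerName $c).IPAddress -join ','
            Zones      = (Get-DnsServerZone -ComputerName $c |
                          Where-Object { -not $_.IsAutoCreated }).ZoneName -join ','
        }
    }
}

# Constructed layout: internal resolver -> caching-only forwarder; separate public advertiser.
Set-CachingOnlyServerRole -ComputerName 'cache01.internalcorp.com'
Set-InternalDnsServerRole -ComputerName 'dns01.internalcorp.com' -ForwarderAddress '10.0.0.53'
Set-DnsAdvertiserRole     -ComputerName 'ns1.domain.com'
Get-DnsRoleReport -ComputerName 'cache01.internalcorp.com','dns01.internalcorp.com','ns1.domain.com' | Format-Table
```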
5. Protect DNS from cache pollution
DNS cache pollution has become a common problem. Most DNS servers store DNS query results in their cache before replying to the requesting host. The DNS cache can greatly improve DNS query performance within your organization. The problem is that if your DNS server's cache is "polluted" with a large amount of bogus DNS information, users may be sent to malicious sites rather than the websites they intended to visit.
Most DNS servers can be configured to prevent cache pollution. The default configuration of the Windows Server 2003 DNS server prevents cache pollution. If you are using a Windows 2000 DNS server, you can configure it by opening the DNS server's Properties dialog box and clicking the "Advanced" tab. Select the "Prevent cache pollution" option and restart the DNS server.
6. Make DDNS use only secure connections
Many DNS servers accept dynamic updates. The dynamic update feature lets these DNS servers register the host names and IP addresses of hosts that use DHCP. DDNS can greatly reduce the workload of DNS administrators, who would otherwise have to configure the DNS resource records of these hosts by hand.
However, unchecked DDNS updates can cause serious security problems. A malicious user can configure a host to dynamically overwrite the DNS host record of a file server, web server, or database server. Anyone who then tries to connect to those servers is sent to a different machine.
You can reduce the risk of malicious DNS updates by requiring a secure connection to the DNS server for dynamic updates. This is easy to achieve: configure your DNS server to use Active Directory-integrated zones and require secure dynamic updates. That way, all domain members can update their DNS information securely and dynamically.
7. Disable zone transfers
Zone transfers occur between a primary DNS server and its secondary DNS servers. The primary DNS server is authoritative for a specific domain name and holds a writable DNS zone file, which you update as needed. The secondary DNS servers receive read-only copies of these zone files. Secondary DNS servers are used to improve DNS query response performance for internal or Internet clients.
However, zone transfers are not limited to secondary DNS servers. Anyone who can send a DNS query can also send a zone transfer request to a DNS server that is configured to allow zone transfers, and dump its entire zone database file. Malicious users can use this information to discover your organization's internal naming scheme and target key service infrastructure. For protection, configure your DNS server to refuse zone transfer requests, or to allow zone transfers only to specific servers in your organization.
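As an added example covering sections 5, 6 and 7 together (not code from the original article), this PowerShell turns on cache pollution protection, requires secure dynamic updates and restricts zone transfers with the DnsServer module, then audits every primary zone on the server; the zone name and secondary addresses are constructed placeholders.

```powershell
# Added example: applies the protections from sections 5-7 and reports zones still exposed.
# Zone name and secondary server addresses are constructed; replace them with your own.
Import-Module DnsServer

# Section 5: discard answer records that lie outside the queried domain's tree
# (the "prevent cache pollution" option; server-wide, on by default since Windows Server 2003).
Set-DnsServerCache -PollutionProtection $true

function Protect-DnsPrimaryZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string[]]$SecondaryServers = @(),   # secondaries allowed to pull the zone; empty = no transfers
        [string]$ComputerName = 'localhost'
    )
    # Section 6: secure (authenticated) dynamic update exists only for AD-integrated zones.
    $zone = Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName -DynamicUpdate Secure
    } else {
        Write-Warning "$ZoneName is file-backed; make it AD-integrated before requiring secure updates."
    }
    # Section 7: transfers only to the listed secondaries, or to nobody at all.
    if ($SecondaryServers.Count -gt 0) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServers
    } else {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName -SecureSecondaries NoTransfer
    }
}

function Get-DnsZoneExposure {
    # Lists primary zones that still accept unauthenticated updates or transfers to any server.
    param([string]$ComputerName = 'localhost')
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone           = $_.ZoneName
                OpenUpdates    = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
                OpenTransfers  = ($_.SecureSecondaries -eq 'TransferAnyServer')
                PollutionGuard = $cache.EnablePollutionProtection
            }
        }
}

Protect-DnsPrimaryZone -ZoneName 'internalcorp.com' -SecondaryServers '10.0.0.11','10.0.0.12'
Get-DnsZoneExposure | Format-Table
```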
8. Use a firewall to control DNS access
A firewall can be used to control who is allowed to connect to your DNS servers. For DNS servers that answer queries from internal users only, configure the firewall to prevent external hosts from connecting to them. For a DNS server that serves only as a caching forwarder, configure the firewall to allow only queries sent by the DNS servers that use that caching forwarder. An important part of the firewall policy is to prevent internal users from using the DNS protocol to connect to external DNS servers.
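As an added example (not from the original article) of the host-level part of this policy, the following PowerShell scopes the inbound port 53 rules on a Windows DNS server to a list of allowed sources, which covers both the internal-only server and the caching forwarder cases; the subnets and addresses are constructed placeholders.

```powershell
# Added example: limits who can reach port 53 on this DNS server through Windows Firewall.
# Source subnets and addresses are constructed; replace them with your own.
function Limit-DnsInboundSources {
    param(
        [Parameter(Mandatory)][string[]]$AllowedSources   # clients, or the servers that forward to us
    )
    # Anything without an explicit allow rule must be dropped.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # The rules installed with the DNS role allow any remote address on port 53.
    # Find every inbound allow rule for local port 53 and limit it to the allowed sources.
    $dnsRules = Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq 53 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $dnsRules) {
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
    }

    # Return the remote addresses now permitted, so the change can be verified.
    $dnsRules | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

# Internal-only resolver: internal subnets only.
Limit-DnsInboundSources -AllowedSources '10.0.0.0/8','192.168.0.0/16'

# Caching-only forwarder: only the internal DNS servers that forward to it.
# Limit-DnsInboundSources -AllowedSources '10.0.0.10','10.0.0.11'

# Keeping internal users from reaching external DNS servers is a perimeter firewall
# rule (outbound 53 allowed from the forwarder only), not a rule on this server.
```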
9. Set access control on DNS registry keys
On a Windows-based DNS server, set access controls on the registry keys related to the DNS server so that only accounts that need access can read or modify these registry settings.
The HKLM\CurrentControlSet\Services\DNS key should allow access only to the Administrators and SYSTEM accounts, and these accounts should have Full Control permission.
10. Set access control on DNS file system entries
On a Windows-based DNS server, set access controls on the file system entries related to the DNS server so that only accounts that need access can read or modify these files.
The %system_directory%\DNS folder and its subfolders should allow access only to the SYSTEM account, and the SYSTEM account should have Full Control permission.
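As an added example covering sections 9 and 10 (not from the original article), this PowerShell replaces the DACL on the DNS registry key and on the DNS folder with exactly the principals the article names, then reports who retains access; it addresses the key under the SYSTEM hive of HKLM, where the Services branch resides.

```powershell
# Added example: applies the ACLs from sections 9 and 10 and reports the remaining principals.
$DnsRegistryKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'
$DnsFolder      = Join-Path ([Environment]::SystemDirectory) 'dns'   # %system_directory%\DNS

$Administrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$LocalSystem    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'

function Set-ExclusiveAcl {
    # Replaces the object's DACL with Full Control for the given SIDs only and cuts
    # inheritance, so permissions on the parent cannot reintroduce other principals.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier[]]$Principals, [bool]$IsRegistry)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)             # protect DACL, drop inherited rules
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }
    foreach ($sid in $Principals) {
        $rule = if ($IsRegistry) {
            New-Object System.Security.AccessControl.RegistryAccessRule(
                $sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AclPrincipals {
    # Returns every identity with an access entry on the object, for checking the result.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, RegistryRights, AccessControlType
}

# Section 9: registry key -> Administrators and SYSTEM, Full Control.
Set-ExclusiveAcl -Path $DnsRegistryKey -Principals $Administrators, $LocalSystem -IsRegistry $true
# Section 10: %system_directory%\DNS and subfolders -> SYSTEM only, Full Control.
# Administrators will have to take ownership before editing zone files by hand.
Set-ExclusiveAcl -Path $DnsFolder -Principals $LocalSystem -IsRegistry $false

Get-AclPrincipals -Path $DnsRegistryKey | Format-Table
Get-AclPrincipals -Path $DnsFolder      | Format-Table
```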