DNS software is a frequent target of attackers, and a compromised or misconfigured DNS server creates security problems for the whole organization. Here are some of the most effective ways to protect your DNS servers.
1. Using DNS Forwarders
A DNS forwarder is a DNS server that completes DNS queries on behalf of other DNS servers. The main reasons for using forwarders are to take the load of recursive resolution off your DNS servers, to hand query requests from those servers to the forwarders, and to benefit from the forwarders' potentially larger DNS caches.
Another benefit of using forwarders is that your DNS server no longer has to contact Internet DNS servers directly for queries it cannot answer itself. This matters when the server holds the records for your internal domain. Rather than having the internal DNS server perform recursion and contact Internet DNS servers itself, it passes every request for names it is not authoritative for to the forwarders.
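The following BIND 9 `named.conf` fragment is an added example, not configuration from the article: an internal DNS server that is authoritative for one internal zone and hands every other query to two forwarders under the organization's own control. The zone name, file paths and IP addresses are constructed placeholders.

```conf
// Added example: internal authoritative server that forwards everything else.
// Addresses, paths and the zone name are constructed placeholders.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };

    // Only internal clients may query this server or ask it to resolve names.
    allow-query     { internal; };
    allow-recursion { internal; };

    // Every query this server is not authoritative for goes to the forwarders.
    // "forward only" means it never falls back to contacting Internet DNS
    // servers directly if the forwarders fail to answer.
    forwarders { 10.0.1.10; 10.0.1.11; };
    forward only;
};

// The one zone this server answers from its own zone file; never forwarded.
zone "internalcorp.com" {
    type master;
    file "internalcorp.com.zone";
};
```

With `forward only` set, a packet capture on the server's Internet-facing path should show no DNS traffic to anything other than the two forwarder addresses; if you see queries to root or TLD servers, the forwarders are unreachable or the option was left at the default `forward first`.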
2. Use a caching-only DNS server
A caching-only DNS server is not authoritative for any domain. It resolves names either by performing recursive queries itself or by using a forwarder. When the caching-only server receives a response, it stores the result in its cache and returns it to the system that sent the query. Over time, a caching-only server accumulates a large number of DNS responses, which greatly shortens the time it takes to answer.
Using a caching-only DNS server under your own administrative control as a forwarder improves your organization's security. Your internal DNS servers use the caching-only server as their forwarder, and the caching-only server performs the recursive queries on their behalf. This improves security because you no longer depend on your ISP's DNS servers as forwarders, which matters when you cannot verify how securely those servers are run.
3. Using DNS advertisers
A DNS advertiser is a DNS server that answers queries for the domains it hosts. For example, if you host publicly reachable resources for domain.com and corp.com, your public DNS server should be configured with the zone files for domain.com and corp.com.
What sets a DNS advertiser apart from other DNS servers that host zone files is that it answers queries only for the domains it is authoritative for. It does not perform recursive queries to other DNS servers, so outsiders cannot use your public DNS server to resolve other domain names. This improves security by removing the risks that come with running a public DNS resolver, including cache poisoning.
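A BIND 9 `named.conf` for such an advertiser, added here as an example and not taken from the article: it serves domain.com and corp.com to anyone, refuses recursion for everyone, and keeps no resolver cache that could be queried or poisoned. The addresses, file names and secondary server are constructed placeholders.

```conf
// Added example: public authoritative-only "DNS advertiser".
// Addresses and file names are constructed placeholders.
options {
    directory "/var/named";
    listen-on { 203.0.113.53; };

    // Anyone on the Internet may query the hosted zones ...
    allow-query { any; };

    // ... but this server never resolves other names on their behalf
    // and has no cache for outsiders to read or pollute.
    recursion no;
    allow-recursion   { none; };
    allow-query-cache { none; };

    // Answer only what was asked; no speculative extra records.
    minimal-responses yes;
};

zone "domain.com" {
    type master;
    file "domain.com.zone";
    allow-transfer { 203.0.113.54; };   // our secondary server only
};

zone "corp.com" {
    type master;
    file "corp.com.zone";
    allow-transfer { 203.0.113.54; };
};
```

To confirm the server really is advertise-only, query it from outside for a name it does not host (for instance `dig @203.0.113.53 techrepublic.com`): the reply must not carry the `ra` (recursion available) flag and should come back with status REFUSED rather than an answer.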
4. Use DNS Resolver
A DNS resolver is a DNS server that performs recursive queries to resolve names for which it is not authoritative. For example, you might have a DNS server on your internal network that is authoritative for the internal domain internalcorp.com. When a client on the network uses this DNS server to resolve techrepublic.com, the server performs recursion by querying other DNS servers to obtain the answer.
The difference between a general-purpose DNS server and a DNS resolver is that the resolver is dedicated to resolving Internet host names. A DNS resolver can be a caching-only DNS server that is authoritative for no domain at all. You can make the resolver available only to internal users, or only to external users, so that you do not have to run a DNS server that outside parties can use for resolution, which improves security. Of course, you can also allow both internal and external users to use the resolver.
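The caching-only forwarder from section 2 and the resolver described here are the same kind of server, so one added example covers both. This BIND 9 `named.conf` (not from the article) hosts no zones, recurses from the root hints itself rather than through the ISP, and limits who may use it with an ACL; the addresses are constructed placeholders.

```conf
// Added example: caching-only resolver with no authoritative zones.
// Addresses are constructed placeholders.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    listen-on { 10.0.1.10; };

    recursion yes;

    // Who may use this resolver. Pick one set of clients:
    //   { internal; }        internal users only (the usual choice)
    //   { !internal; any; }  external users only
    //   { any; }             both: an open resolver, only if that is intended
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // No "forwarders" here: this server walks the tree from the roots itself,
    // so the organization does not depend on the ISP's resolvers.
    max-cache-size 256M;
};

// Root hints are the only "zone" a caching-only server needs.
zone "." {
    type hint;
    file "named.root";
};
```

All three `allow-*` lists should name the same ACL: `allow-recursion` alone still lets a client that is denied recursion read whatever is already cached unless `allow-query-cache` is restricted to the same set.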
5. Protect DNS from cache contamination
DNS cache pollution (cache poisoning) has become an increasingly common problem. Most DNS servers store query results in a cache before replying to the requesting host. Caching greatly improves DNS query performance within your organization. The problem is that if your DNS server's cache is "polluted" with large amounts of forged DNS data, users may be sent to a malicious site instead of the site they intended to visit.
Most DNS servers can be configured to block cache pollution, and the default configuration of the Windows Server 2003 DNS server already does. If you are using a Windows DNS server, you can check the setting: open the Properties dialog box for the DNS server, click the Advanced tab, select the "Secure cache against pollution" option, and then restart the DNS server.