1. Use DNS forwarders

A DNS forwarder is a DNS server that performs DNS queries on behalf of another DNS server. The primary reasons to use a DNS forwarder are to offload processing from the DNS server that forwards the query and to benefit from the potentially larger DNS cache on the forwarder.

Another benefit of using a DNS forwarder is that it keeps the forwarding DNS server from interacting with Internet DNS servers. This is especially important when that DNS server hosts the resource records for your internal domain. Instead of allowing your internal DNS servers to perform recursion and contact Internet DNS servers themselves, configure them to use a forwarder for every domain for which they are not authoritative.

2. Use caching-only DNS servers

A caching-only DNS server is one that is not authoritative for any DNS domain. It is configured to perform recursion or to use a forwarder.
When the caching-only DNS server receives a response, it caches the result and returns the answer to the system that issued the query. Over time the caching-only DNS server can amass a large cache of DNS responses, which can significantly improve DNS response times for its clients.

Caching-only DNS servers can improve security for your organization when they are used as forwarders that are under your administrative control. Internal DNS servers can be configured to use the caching-only DNS server as their forwarder, and the caching-only DNS server performs recursion on their behalf. Using your own caching-only DNS servers as forwarders improves security because you no longer have to depend on your ISP's DNS servers as forwarders when you are unsure of their security configuration.
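The two-tier arrangement of items 1 and 2, as an added example that is not part of the original article: an internal authoritative server forwards everything it is not authoritative for to a caching-only server under your own control, which resolves from the root hints instead of the ISP's resolvers. It uses the DnsServer PowerShell module (Windows Server 2012 and later, not the Windows 2000/2003 dialogs the article describes); the host names, addresses and zone name are assumptions.

```powershell
# Added example (not from the original article). Requires the DnsServer module;
# run each section as an administrator on the host named in its heading.

# ---- On CACHE01: caching-only server used as the forwarder (item 2) ----
# Authoritative for nothing, recursion enabled, resolving from root hints (no
# upstream forwarder), and discarding records outside the queried domain.
Set-DnsServerRecursion -Enable $true -SecureResponse $true
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) { Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force }
Set-DnsServerForwarder -UseRootHint $true
# A caching-only server should host no zones; flag any that were created by hand.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' } |
    ForEach-Object { Write-Warning "CACHE01 hosts zone $($_.ZoneName); it is no longer caching-only" }

# ---- On DNS01: internal server authoritative for internalcorp.com (item 1) ----
# Forward every query DNS01 cannot answer from its own zones to the caching-only
# servers. UseRootHint $false means that if the forwarders are down, DNS01 fails
# the query instead of recursing to the Internet on its own.
$cachingOnlyServers = @('10.0.0.53', '10.0.0.54')   # assumed CACHE01/CACHE02 addresses
Set-DnsServerForwarder -IPAddress $cachingOnlyServers -UseRootHint $false -Timeout 3

# ---- Verification, from any domain member ----
Get-DnsServerForwarder -ComputerName 'DNS01' | Select-Object IPAddress, UseRootHint, Timeout
# techrepublic.com is not a DNS01 zone, so the answer must have come via CACHE01/CACHE02.
Resolve-DnsName -Name 'techrepublic.com' -Type A -Server 'DNS01'
```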
3. Use DNS advertisers

A DNS advertiser is a DNS server that resolves queries only for the domains for which it is authoritative. For example, if you host publicly available resources in domain.com and corp.com, your public DNS server would be configured with DNS zone files for the domain.com and corp.com domains.

What sets the DNS advertiser apart from any other DNS server hosting DNS zone files is that it answers queries only for the domains for which it is authoritative; it does not perform recursion to other DNS servers. This prevents users from using your public DNS server to resolve names in other domains, and it increases security by lessening the risks associated with running a public DNS resolver, which include cache poisoning.

4. Use DNS resolvers

A DNS resolver is a DNS server that can perform recursion to resolve names in domains for which it is not authoritative. For example, you might have a DNS server on your internal network that is authoritative for your internal domain, internalcorp.com. When a client on your network uses that DNS server to resolve the name techrepublic.com, the DNS server performs recursion by querying other DNS servers to get the answer.
The difference between that DNS server and a DNS resolver is that a DNS resolver is dedicated to resolving Internet host names. A resolver could be a caching-only DNS server that is not authoritative for any DNS domain. You can make the DNS resolver available only to your internal users, only to your external users (to provide a secure alternative to using a DNS server outside your administrative control), or to both internal and external users.

5. Protect DNS from cache pollution

DNS cache pollution is an increasingly common problem. Most DNS servers cache the results of DNS queries before forwarding the response to the host that issued the query. The DNS cache can significantly improve DNS query performance throughout your organization. The problem is that if the DNS server's cache is "polluted" with bogus DNS entries, users can subsequently be sent to malicious web sites instead of the sites they intended to visit.
Most DNS servers can be configured to prevent cache pollution. The Windows Server 2003 DNS server is configured to prevent cache pollution by default. If you are using a Windows 2000 DNS server, open the Properties dialog box for the DNS server, click the Advanced tab, select the Prevent cache pollution check box and restart the DNS server.

6. Enable DDNS for secure connections only

Many DNS servers accept dynamic updates. The dynamic update feature lets these DNS servers register DNS host names and IP addresses for hosts that obtain their IP addresses from DHCP. DDNS can greatly reduce the administrative overhead for DNS administrators, who would otherwise need to configure DNS resource records for these hosts manually.
However, DDNS updates can be a major security issue if they are allowed unchecked. A malicious user can configure a host to dynamically update the DNS host records of a file server, web server or database server, so that connections that should be destined for those servers are diverted to his machine instead of the intended target.

You can reduce the risk of malicious DNS updates by requiring a secure connection to the DNS server in order to perform the dynamic update. This is easily achieved by configuring your DNS server to use Active Directory integrated zones and requiring secure dynamic updates. After you make this change, all domain members will be able to dynamically update their DNS information in a secure context.

7. Disable zone transfers

Zone transfers take place between primary and secondary DNS servers. Primary DNS servers that are authoritative for specific domains contain writable DNS zone files that are updated as needed.
Secondary DNS servers receive a read-only copy of these zone files from the primary DNS servers. Secondary DNS servers are used to improve DNS query performance throughout an organization or over the Internet.

However, zone transfers are not limited to secondary DNS servers. Anyone can issue a DNS query that will cause a DNS server configured to allow zone transfers to dump the entirety of its zone database files. Malicious users can use this information to reconnoiter the naming scheme in your organization and attack key infrastructure services. You can prevent this by configuring your DNS servers to deny zone transfer requests, or by locking them down to allow zone transfers only to specific servers in the organization.

8. Use firewalls to control DNS access

Firewalls can be used to control who can connect to your DNS servers.
For DNS servers that are used only for internal client queries, configure the firewall to block connections from external hosts to those DNS servers. For DNS servers used as caching-only forwarders, configure the firewall to allow DNS queries only from the DNS servers that use those forwarders. An especially important firewall policy setting is to block internal users from using the DNS protocol to connect to external DNS servers.

9. Set access controls on DNS registry entries

On Windows-based DNS servers, configure access controls on the DNS server-related registry settings so that only the accounts that require access to them are allowed to read or change those settings. The HKLM\CurrentControlSet\Services\DNS key should be configured to allow access only to the Administrators and System accounts, and these accounts should have Full Control permissions.

10. Set access controls on DNS file system entries
On Windows-based DNS servers, configure access controls on the DNS server-related file system entries so that only the accounts that require access to them are allowed to read or change those files. The %system_directory%\DNS folder and its subfolders should be configured to allow only the System account to access the files, and the System account should be given Full Control permissions.
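Items 5 through 10 applied to a modern Windows DNS server, as an added example that is not from the original article: it uses the DnsServer, NetSecurity and ACL cmdlets of Windows Server 2012 and later rather than the Windows 2000/2003 dialogs the article describes. The zone name, the secondary server and the client address range are assumptions, and the firewall rule names are assumed to be those the DNS Server role creates.

```powershell
# Added example (not from the original article); run as an administrator on the DNS server.
$zone        = 'internalcorp.com'      # assumed Active Directory integrated zone
$secondaries = @('10.0.0.53')          # assumed secondary allowed to pull the zone
$clients     = @('10.0.0.0/8')         # assumed internal client address range

# 5. Cache pollution. SecureResponse is the current name of the article's "Prevent
#    cache pollution" option (answers outside the queried domain are discarded);
#    cache locking also stops cached records being overwritten before their TTL expires.
Set-DnsServerRecursion -SecureResponse $true
Set-DnsServerCache -LockingPercent 100

# 6. DDNS: accept only secure (Kerberos-authenticated) dynamic updates; this requires
#    the AD-integrated zone the article recommends.
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# 7. Zone transfers: only to the listed secondaries. With no secondaries at all,
#    use -SecureSecondaries NoTransfer to refuse every AXFR request.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries

# 8. Host firewall: scope the role's inbound DNS rules ("DNS (UDP, Incoming)" and
#    "DNS (TCP, Incoming)", names assumed) to internal clients. Blocking users'
#    outbound DNS to the Internet belongs on the perimeter firewall, not here.
Get-NetFirewallRule -DisplayName 'DNS (*, Incoming)' | Set-NetFirewallRule -RemoteAddress $clients

# 9. Registry: the article's HKLM\CurrentControlSet\Services\DNS sits under HKLM\SYSTEM.
#    Drop inherited ACEs, then grant Full Control to SYSTEM and Administrators only
#    (add DnsAdmins as well if DNS administration is delegated to that group).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'
$acl = Get-Acl -Path $key
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
}
Set-Acl -Path $key -AclObject $acl

# 10. File system: %SystemRoot%\System32\dns (the article's %system_directory%\DNS)
#     and its subfolders, SYSTEM only with Full Control.
$dir = Join-Path $env:SystemRoot 'System32\dns'
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $dir -AclObject $acl

# Confirm the zone and cache settings took effect.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, DynamicUpdate, SecureSecondaries
Get-DnsServerRecursion | Select-Object SecureResponse
```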