All-round hardening to make the DNS server impregnable

Source: Internet
Author: User
Tags: domain list, dns, forwarder

DNS security incidents have been frequent recently, and DNS security is once again getting the attention it deserves. The DNS server that performs name resolution is often called the "middleman" of the network, and its role is self-evident. It is a core server of the enterprise: its healthy, secure and stable operation matters a great deal for the performance and security of the enterprise network. Such a "treasure chest" is naturally a favourite target of attackers. So how can we protect the DNS server?

I. Preventive measures

1. Clean DNS cache from pollution

Most DNS servers save the results of queries in a cache before replying to the requesting host. This cache greatly improves DNS query performance inside the network: when a new request arrives, the answer can be served directly from the cache, which saves time and speeds up both the DNS server and access across the enterprise network. The cache is a double-edged sword, however. If the records in it are maliciously modified, it not only stops accelerating DNS but misleads the server into failing to resolve names, or even into hijacking them, directing users to a malicious site instead of the one they wanted. The cache must therefore be kept "clean" so that it cannot be "polluted".

Most DNS servers can be configured to prevent cache pollution. The default configuration of the Windows Server 2003 DNS server already does so. If you are running a Windows 2000 DNS server, configure it as follows: open the "Properties" dialog box of the DNS server, click the "Advanced" tab, select the "Secure cache against pollution" option, and then restart the DNS server. (Figure 1)
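
The same two steps in PowerShell on a current Windows DNS server, as an added example that is not part of the original article: flush whatever is already cached, then turn on pollution protection and, going slightly beyond the GUI steps above, cache locking. It assumes the DnsServer module (Windows Server 2012 or later); the dnscmd lines cover the older servers the article describes.

```powershell
# Added example: purge and protect the Windows DNS server cache. Needs the DnsServer
# PowerShell module (Windows Server 2012 or later); the dnscmd lines at the end are
# the equivalent for the Windows 2000/2003 servers the article describes.
Import-Module DnsServer

function Test-DnsCacheProtection {
    # Report both anti-poisoning settings; Hardened is $true only when both are on.
    $cache = Get-DnsServerCache
    [pscustomobject]@{
        PollutionProtection = $cache.EnablePollutionProtection
        LockingPercent      = $cache.LockingPercent
        Hardened            = ($cache.EnablePollutionProtection -and $cache.LockingPercent -ge 100)
    }
}

function Protect-DnsCache {
    # 1. Throw away everything currently cached, in case it is already polluted.
    Clear-DnsServerCache -Force
    # 2. PollutionProtection: drop records in a response that are outside the zone
    #    that was queried (the "Secure cache against pollution" checkbox).
    # 3. LockingPercent 100: never overwrite a cached record before its TTL expires,
    #    so a forged answer cannot displace a good one early (cache locking; this
    #    goes beyond the article's GUI steps).
    Set-DnsServerCache -PollutionProtection $true -LockingPercent 100
    Test-DnsCacheProtection
}

# Windows 2000/2003 equivalents without the DnsServer module:
#   dnscmd /ClearCache
#   dnscmd /Config /SecureResponses 1
```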

  

2. Assign permissions on the DNS-related registry keys

A Windows-based DNS server creates its own entries in the registry, and these entries are critical to it. Protecting the DNS server therefore also means protecting these registry keys. Set access control on the DNS-related registry keys so that only the accounts that need access can read or modify them; this maximises the security of the DNS server and prevents malicious modification.

The DNS-related key is "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS". Open the Registry Editor, locate this key, right-click it and choose "Permissions", then grant permissions as needed on the "Security" tab. I suggest that you do not assign permissions to a whole group such as the Administrators group; this is more work, but it protects the DNS server better, because attackers typically obtain the permissions of a group during an attack. Granting permissions to individual users instead prevents the DNS server from being compromised through the whole group. The principle is: SYSTEM must have full control, the default user groups keep their permissions, and then specific administrator users are granted permissions. (Figure 2)

  
3. Set access control on DNS-related files

On a Windows-based DNS server, the service creates files such as Boot, Cache.dns, Root.dns and Zone_name.dns, which record the server's configuration and the data it has cached. To protect these files, use the NTFS file system to restrict permissions and control access: only the accounts that need access can read or modify them, and other users have no permissions, which prevents unauthorised modification and other operations.

The DNS-related files are stored in the C:\WINDOWS\system32\dns folder and its subfolders. Set permissions on these folders so that access is allowed only to system accounts. The security principle is that the service account (SYSTEM) has full control; beyond that, grant specific permissions to authorised users and avoid granting permissions to user groups directly. (Figure 3)
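
Steps 2 and 3 applied from PowerShell, as an added example rather than code from the article: SYSTEM gets full control, the entries already on the key and folder are kept, and one named administrator is added instead of a group. 'CONTOSO\dnsadmin' is a placeholder for that account.

```powershell
# Added example: restrict the DNS registry key and the %SystemRoot%\System32\dns folder
# to SYSTEM, the default groups already present, and one named DNS administrator.
# 'CONTOSO\dnsadmin' is a placeholder for that administrator account.
$DnsAdmin   = 'CONTOSO\dnsadmin'
$DnsRegKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'
$DnsDataDir = Join-Path $env:SystemRoot 'System32\dns'

function Protect-DnsRegistryKey {
    param([string]$Path = $DnsRegKey, [string]$Admin = $DnsAdmin)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent key but keep copies of the current entries,
    # so the default groups the article says to retain are not lost.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($who in 'NT AUTHORITY\SYSTEM', $Admin) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $who, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-DnsDataFolder {
    param([string]$Path = $DnsDataDir, [string]$Admin = $DnsAdmin)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($who in 'NT AUTHORITY\SYSTEM', $Admin) {
        # Inherit to subfolders and files so Boot, Cache.dns, Root.dns and every
        # zone file fall under the same rule.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DnsWriteAccess {
    # Audit: every principal still allowed to change the key or the folder.
    foreach ($p in $DnsRegKey, $DnsDataDir) {
        foreach ($ace in (Get-Acl -Path $p).Access) {
            $rights = "$($ace.RegistryRights)$($ace.FileSystemRights)"
            if ($ace.AccessControlType -eq 'Allow' -and $rights -match 'FullControl|Write|Modify') {
                [pscustomobject]@{ Object = $p; Identity = $ace.IdentityReference; Rights = $rights }
            }
        }
    }
}
```

Run Get-DnsWriteAccess before and after the two Protect functions to confirm that only SYSTEM, the retained default groups and the named administrator can still write.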

  

4. DNS server isolation

Using a caching-only DNS server isolates the internal DNS server from external servers, which greatly improves its security. A caching-only DNS server used as a forwarder improves organisational security under your own management control: the internal DNS server uses the caching-only server as its forwarder, and only the caching-only server performs recursive queries, never your internal DNS server. Using your own caching-only DNS server as a forwarder improves security because you no longer have to rely on your ISP's DNS server as a forwarder, which matters especially if you cannot verify how secure the ISP's server is.

A caching-only DNS server is authoritative for no domain; it answers queries by recursion or through a forwarder. When it receives a response, it stores the result in its cache and returns it to the system that sent the query. Over time a caching-only DNS server accumulates a large number of answers, which greatly shortens its response time.

5. Configure zone transfers carefully

Zone transfers take place between the primary and secondary DNS servers. The primary DNS server is authoritative for a given domain and holds a writable zone file that you update as needed. The secondary DNS server receives read-only copies of these zone files. Secondary DNS servers are used to improve query response times for internal or Internet DNS.

However, zone transfers are not only for secondary DNS servers. Anyone who can send a DNS query can also request a zone transfer, and if the server's configuration allows it, the whole zone database file is dumped to them. Malicious users can use this information to learn your organisation's internal naming scheme and attack key service infrastructure. If the DNS server allows zone transfers to anyone, the host names, host IP address list, router names and router IP address list of the network, and even the location and hardware configuration of each host, are easily obtained by intruders. It is therefore necessary to restrict zone transfers: configure the DNS server to refuse zone transfer requests, or to allow them only to specific servers within the organisation.

6. Allow DDNS updates only over secure connections

DDNS maps a user's dynamic IP address to a fixed DNS name: each time the user connects to the network, a client program sends the host's current dynamic IP address to the server program on the service provider's host, and that server program provides the DNS service and performs dynamic name resolution.

Many DNS servers accept dynamic updates. The dynamic update feature lets these DNS servers record the host names and IP addresses of hosts that use DHCP. DDNS greatly reduces the DNS administrator's workload; without it, the administrator would have to configure the DNS resource records of these hosts by hand.

However, unauthenticated DDNS updates can cause serious security problems. A malicious user can dynamically update the host record of a file server, web server or database server so that it points at their own machine; anyone who then tries to connect to those servers is sent elsewhere.

You can reduce the risk of malicious DNS updates by requiring a secure connection to the DNS server for dynamic updates. This is easy to achieve: configure your DNS server to use Active Directory integrated zones and require secure dynamic updates. All domain members can then update their DNS information dynamically and securely.
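
Sections 5 and 6 together as an added PowerShell example (not code from the article): an audit that lists every primary zone whose transfers or dynamic updates are open, and a function that locks one zone down. It assumes the DnsServer module; 'corp.example' and the two secondary addresses are placeholders.

```powershell
# Added example: audit every primary zone for open zone transfers and non-secure
# dynamic updates (sections 5 and 6), then lock a zone down. Placeholders:
# 'corp.example' is the zone and 10.0.0.11/10.0.0.12 the authorised secondaries.
Import-Module DnsServer

function Get-DnsZoneExposure {
    # One row per primary zone with the two settings the article warns about.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, DynamicUpdate,
            @{ n = 'Secondaries';  e = { $_.SecondaryServers -join ',' } },
            @{ n = 'OpenTransfer'; e = { $_.SecureSecondaries -eq 'TransferAnyServer' } },
            @{ n = 'WeakUpdate';   e = { $_.DynamicUpdate -eq 'NonsecureAndSecure' } }
}

function Protect-DnsPrimaryZone {
    param([string]$ZoneName, [string[]]$Secondaries = @())
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($Secondaries.Count -gt 0) {
        # Transfers (and change notifications) only to the listed secondaries.
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $Secondaries -Notify NotifyServers -NotifyServers $Secondaries
    } else {
        # No secondaries at all: refuse every zone transfer request.
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer
    }
    if ($zone.IsDsIntegrated) {
        # Secure updates need an Active Directory integrated zone.
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    } elseif ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        # A file-backed zone cannot authenticate updaters: turn updates off
        # rather than leave any host free to rewrite records.
        Write-Warning "$ZoneName is not AD-integrated; disabling dynamic updates."
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate None
    }
    Get-DnsServerZone -Name $ZoneName |
        Select-Object ZoneName, SecureSecondaries, SecondaryServers, DynamicUpdate
}

# Usage:
#   Get-DnsZoneExposure | Where-Object { $_.OpenTransfer -or $_.WeakUpdate }
#   Protect-DnsPrimaryZone -ZoneName 'corp.example' -Secondaries '10.0.0.11', '10.0.0.12'
```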

II. Further optimisation

1. Use a DNS Forwarder

A DNS forwarder is a DNS server that completes DNS queries on behalf of other DNS servers. The main purpose of using one is to reduce the processing load on the DNS server: query requests are forwarded from the DNS server to the forwarder, and the forwarder's potentially much larger DNS cache is put to use.

Another advantage of a DNS forwarder is that it keeps your DNS server from contacting Internet DNS servers directly. This matters if your DNS server holds the DNS resource records of your internal domain. Instead of letting the internal DNS server perform recursive queries and talk to Internet DNS servers itself, it hands the queries it is not authoritative for to the forwarder.

The procedure is as follows: open the "DNS" console, right-click the name of the DNS server that is to use the forwarder in the tree, and choose "Properties" from the shortcut menu. In the properties dialog box that appears, select the "Forwarders" tab to add or change the forwarder's IP address: select "All other DNS domains" in the "DNS domain" list box, type the IP address of the DNS server provided by your ISP in the "Selected domain's forwarder IP address list" box, and click "Add". Repeat to add the IP addresses of several DNS servers. Note that besides the IP address of your local ISP's DNS server, you can also add the IP addresses of DNS servers run by other well-known ISPs. (Figure 4)

  
2. Enable DNS Resolvers

Recursive queries can greatly relieve the local DNS server by handing the query over to another DNS server, which performs the lookup and obtains the answer. A DNS resolver is a DNS server that can perform recursive queries; it can resolve names in domains for which it is not authoritative. For example, you may have a DNS server on the internal network that is authoritative for the internal domain lw.com. When a client on the network uses this DNS server to resolve ctocio.com.cn, the server performs recursion by querying other DNS servers to obtain the answer.

A DNS resolver can be a caching-only DNS server that is not authoritative for any domain. You can enable DNS resolution for internal users only, or for external users only, so that you do not have to rely on a DNS server outside your control, which improves security. Of course, you can also enable the DNS resolver for both internal and external users.
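
The forwarder and recursion settings of sections II.1 and II.2 as an added PowerShell example (not the article's own code), for the two server roles the article distinguishes: an internal resolver that forwards everything it is not authoritative for, and an external server that answers only for its own zones. It assumes the DnsServer module; 203.0.113.53 and 203.0.113.54 are placeholder forwarder addresses.

```powershell
# Added example: the forwarder and recursion settings of sections II.1 and II.2 as
# code, for the two server roles the article distinguishes. 203.0.113.53/54 are
# placeholders for the forwarders (the ISP's servers, or your own caching-only
# server as section I.4 recommends). Needs the DnsServer module (Server 2012+).
Import-Module DnsServer

function Get-DnsServerRole {
    $rec = Get-DnsServerRecursion
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        RecursionEnabled = $rec.Enable
        Forwarders       = ($fwd.IPAddress -join ',')
        UseRootHint      = $fwd.UseRootHint
    }
}

function Set-DnsServerRole {
    param(
        [ValidateSet('InternalResolver', 'ExternalAuthoritative')] [string]$Role,
        [string[]]$Forwarders = @('203.0.113.53', '203.0.113.54')
    )
    switch ($Role) {
        'InternalResolver' {
            # Resolves for internal clients but never walks the Internet itself:
            # everything it is not authoritative for goes to the forwarders, and
            # UseRootHint $false stops it falling back to the root servers when
            # the forwarders do not answer.
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
        }
        'ExternalAuthoritative' {
            # Serves only its own zones to the outside. With recursion off it
            # cannot be abused as an open resolver, and its cache cannot be
            # poisoned by answers to questions it never asks.
            $current = (Get-DnsServerForwarder).IPAddress
            if ($current) { Remove-DnsServerForwarder -IPAddress $current -Force }
            Set-DnsServerRecursion -Enable $false
        }
    }
    Get-DnsServerRole
}

# Windows 2000/2003 equivalents with dnscmd:
#   dnscmd /ResetForwarders 203.0.113.53 203.0.113.54 /Slave   (forward-only)
#   dnscmd /Config /NoRecursion 1                              (authoritative only)
```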

3. Restrict access to DNS servers with a firewall

Design the firewall policy according to actual needs and use the firewall to control users' access to DNS servers. For DNS servers that only answer internal users' queries, configure the firewall to stop external hosts from connecting to them. If you use a caching-only forwarder, configure the firewall so that only query requests from the DNS servers that forward to it are allowed. An important part of the firewall policy is to stop internal users from using the DNS protocol to connect to external DNS servers directly. The firewall used to isolate users from the DNS server can be either a hardware firewall or a software firewall; I think ISA is a good choice.
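
The per-server part of that policy on the DNS server's own Windows Firewall, as an added example that is not part of the article: the role's stock any-address rules are disabled and replaced with rules scoped to the allowed clients. It assumes the stock rules sit in the "DNS Service" group; the internal networks and internal DNS server addresses are placeholders, and blocking internal users from external DNS servers still belongs on the perimeter firewall the article mentions.

```powershell
# Added example: scope the DNS server's own Windows Firewall (section II.3) so only
# the intended clients reach port 53. This is the host firewall, not the perimeter
# firewall (ISA) the article mentions. Placeholders: the internal client networks
# and the internal DNS servers that forward to a caching-only forwarder host.
$InternalNets     = @('10.0.0.0/8', '192.168.0.0/16')
$InternalDnsHosts = @('10.0.0.10', '10.0.0.11')
$RuleTag          = 'DNS hardening example'

function Get-DnsInboundScope {
    # Audit: every enabled inbound allow rule that opens port 53, with its remote scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '53' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule   = $_.DisplayName
                Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
}

function Set-DnsInboundScope {
    # $Allowed is the only set of addresses permitted to query this server:
    #   internal-only resolver      -> $InternalNets
    #   caching-only forwarder host -> $InternalDnsHosts
    param([string[]]$Allowed)
    # The DNS role's stock rules (assumed to be in the "DNS Service" group) accept
    # queries from any address; disable them so the scoped rules are the only way in.
    Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayName "$RuleTag*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    foreach ($proto in 'UDP', 'TCP') {   # TCP carries large answers and zone transfers
        New-NetFirewallRule -DisplayName "$RuleTag ($proto in)" -Direction Inbound `
            -Protocol $proto -LocalPort 53 -RemoteAddress $Allowed -Action Allow | Out-Null
    }
    Get-DnsInboundScope
}

# Usage:
#   Set-DnsInboundScope -Allowed $InternalNets        # server that only answers internal users
#   Set-DnsInboundScope -Allowed $InternalDnsHosts    # caching-only forwarder host
```

Run Get-DnsInboundScope afterwards and check that no remaining port 53 rule still lists "Any" as its remote address.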

4. Real and decoy DNS servers

To protect the DNS server, we can deploy two or more DNS servers in the enterprise. Create one DNS server on a host that external users can reach; this server is set up to announce that it has
