1. Use DNS forwarders
A DNS forwarder is a DNS server that completes DNS queries on behalf of other DNS servers. The main reasons to use DNS forwarders are to take the load of DNS processing off your DNS servers by handing query requests to the forwarders, and to benefit from the forwarders' potentially larger DNS caches.
Another benefit of using DNS forwarders is that it stops your DNS servers from sending queries to Internet DNS servers themselves. This matters if your DNS server holds the resource records for your internal domains. Instead of having the internal DNS server perform recursive queries and contact Internet DNS servers directly, it passes the queries it cannot answer from its own zones to the forwarders.
2. Use a caching-only DNS server
A caching-only DNS server is not authoritative for any domain. It is configured to perform recursive queries or to use a forwarder. When the caching-only DNS server receives a response, it saves the result in its cache and sends it to the system that submitted the DNS query. Over time a caching-only DNS server builds up a large store of DNS responses, which greatly shortens the time it takes to answer DNS queries.
Using a caching-only DNS server as a forwarder, under your own administrative control, improves the organization's security. Your internal DNS servers use the caching-only DNS server as their forwarder, and the caching-only server completes the recursive queries on behalf of the internal DNS servers. Using your own caching-only DNS server as a forwarder improves security because you do not have to rely on your ISP's DNS servers as forwarders, especially when you cannot verify how well those servers are secured.
3. Use DNS advertisers
A DNS advertiser is a DNS server that resolves queries only for the domains for which it is authoritative. For example, if you host publicly reachable resources for domain.com and corp.com, your public DNS server should be configured with the DNS zone files for domain.com and corp.com.
What sets a DNS advertiser apart from other DNS servers that host DNS zone files is that it answers queries only for the domain names it is authoritative for; it does not perform recursive queries against other DNS servers. That makes it impossible for users to use your public DNS server to resolve other domain names, and it improves security by reducing the risks that come with running a public DNS resolver, including cache poisoning.
4. Use DNS resolvers
A DNS resolver is a DNS server that can perform recursive queries to resolve names in domains for which it is not authoritative. For example, you might have a DNS server on your internal network that is authoritative for the internal domain internalcorp.com. When a client on the network uses this DNS server to resolve techrepublic.com, the DNS server performs recursion, querying other DNS servers to obtain the answer.
The difference between a DNS server and a DNS resolver is that a DNS resolver is dedicated to resolving Internet host names. A DNS resolver can be a caching-only DNS server that is not authoritative for any DNS domain. You can make the DNS resolver available only to internal users, or only to external users, so that you do not have to expose the DNS server your internal users rely on to the outside, which improves security. Of course, you can also allow the DNS resolver to be used by both internal and external users.
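As an added example (not from the original article), the following PowerShell script applies each of the server roles described in sections 1 to 4 to a Windows DNS server using the DnsServer module (Windows Server 2012 and later; the article itself targets Windows Server 2003, where the equivalent tool is dnscmd). The forwarder address 10.0.0.53, the server address 192.0.2.53 and the test name are assumed placeholders. On Windows DNS, disabling recursion also disables the use of forwarders, which is exactly what an advertiser needs.

```powershell
# Added example, not part of the original article. Requires the DnsServer
# module (Windows Server 2012+); run as an administrator on the DNS server.
# IP addresses below are placeholders for your own infrastructure.

function Set-DnsServerRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('InternalWithForwarder', 'CachingOnly', 'Advertiser')]
        [string]$Role,
        # Section 2: your own caching-only server, used as the forwarder
        [ipaddress[]]$Forwarder = @('10.0.0.53')
    )
    switch ($Role) {
        # Section 1: an internal authoritative server hands every query it
        # cannot answer from its own zones to the forwarder and never contacts
        # Internet DNS servers itself (-UseRootHint $false).
        'InternalWithForwarder' {
            Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false
            Set-DnsServerRecursion -Enable $true
        }
        # Sections 2 and 4: a caching-only resolver is authoritative for
        # nothing, does full recursion from the root hints and caches results.
        'CachingOnly' {
            $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
            if ($zones) {
                Write-Warning "A caching-only server should host no zones; found: $($zones.ZoneName -join ', ')"
            }
            Set-DnsServerRecursion -Enable $true
        }
        # Section 3: an advertiser answers only for its own zones; with
        # recursion off it cannot be used as a public resolver.
        'Advertiser' {
            $primary = Get-DnsServerZone |
                Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
            if (-not $primary) {
                Write-Warning 'Advertiser hosts no primary zones; it would answer nothing.'
            }
            Set-DnsServerRecursion -Enable $false
        }
    }
}

# Report the settings that define the role so the change can be verified.
function Get-DnsServerRoleReport {
    $recursion = Get-DnsServerRecursion
    $fwd       = Get-DnsServerForwarder
    [pscustomobject]@{
        RecursionEnabled = $recursion.Enable
        Forwarders       = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        UseRootHint      = $fwd.UseRootHint
        HostedZones      = (Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }).ZoneName -join ', '
    }
}

# Check from a client: an advertiser must not resolve names outside its zones.
# Returns $true when the server gives no answer for the (non-hosted) name.
function Test-DnsRecursionRefused {
    param([string]$Server, [string]$Name = 'example.com')
    $answer = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return ($null -eq $answer)
}

Set-DnsServerRole -Role Advertiser
Get-DnsServerRoleReport
Test-DnsRecursionRefused -Server 192.0.2.53
```

Run the report before and after the change and keep the output with your change record; the client-side test is the check that matters, because it confirms the public server really refuses to recurse rather than only that the setting was written.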
5. Protect DNS against cache pollution
DNS cache pollution has become an increasingly common problem. Most DNS servers can store the results of DNS queries in a cache before replying to the requesting host. DNS caching greatly improves DNS query performance within your organization. The problem is that if your DNS server's cache is "polluted" with a large amount of bogus DNS information, users can be sent to a malicious site instead of the site they originally wanted to visit.
Most DNS servers can be configured to block cache pollution. The default configuration of the Windows Server 2003 DNS server prevents cache pollution. If you are using the Windows DNS server, you can configure this by opening the Properties dialog box for the DNS server and clicking the Advanced tab. Select the Secure cache against pollution option, then restart the DNS server.
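The same setting can be applied and verified from the command line. The script below is an added example, not part of the original article: it uses the DnsServer module on Windows Server 2012 and later, shows the dnscmd form for the Windows Server 2003 generation the article describes, and reads the flag back from the DNS service's registry parameters (the SecureResponses value, where an absent value means the default, which is enabled).

```powershell
# Added example, not part of the original article. Turns on and verifies the
# "Secure cache against pollution" setting on a Windows DNS server.

# Windows Server 2012 and later (DnsServer module). -LockingPercent 100 keeps
# cached records from being overwritten before their TTL expires, a related
# defence against unsolicited answers.
function Enable-DnsCacheProtection {
    Set-DnsServerCache -PollutionProtection $true -LockingPercent 100
    $cache = Get-DnsServerCache
    [pscustomobject]@{
        PollutionProtection = $cache.PollutionProtection
        LockingPercent      = $cache.LockingPercent
    }
}

# Windows Server 2003 (the version the article describes): the same setting
# is written by dnscmd; 1 = enabled. Restart the DNS service afterwards.
function Enable-DnsCacheProtectionLegacy {
    & dnscmd.exe /Config /SecureResponses 1
}

# Both paths store the flag under the DNS service parameters; read it back
# after a restart to confirm it stuck. 1 = protected, $null = default (on).
function Get-DnsSecureResponsesFlag {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    (Get-ItemProperty -Path $params -Name SecureResponses -ErrorAction SilentlyContinue).SecureResponses
}

Enable-DnsCacheProtection
Get-DnsSecureResponsesFlag
```

Treat a value of 0 in the readback as a finding: it means someone turned the protection off, and the server will accept records in a response that are outside the zone it asked about.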
6. Allow DDNS only over secure connections
Many DNS servers accept dynamic updates. The dynamic update feature lets these DNS servers register the host names and IP addresses of hosts that obtain their addresses through DHCP. DDNS greatly reduces the administrative workload of DNS administrators, who would otherwise have to configure DNS resource records for these hosts by hand.
However, unchecked DDNS updates can cause serious security problems. A malicious user could configure a host to dynamically update the DNS host record of a file server, web server or database server, so that anyone who tries to connect to those servers is sent to a different machine.
You can reduce the risk of malicious DNS updates by requiring a secure connection to the DNS server in order to perform a dynamic update. This is easy to do: configure your DNS server to use Active Directory integrated zones and require secure dynamic updates. All domain members can then update their DNS information dynamically and securely.
7. Disable zone transfers
Zone transfers take place between primary and secondary DNS servers. The primary DNS server is authoritative for a particular domain and holds a writable DNS zone file that is updated when needed. Secondary DNS servers receive read-only copies of these zone files from the primary DNS server. Secondary DNS servers are used to improve response times for DNS queries from internal or Internet clients.
However, zone transfers are not limited to secondary DNS servers. Anyone who can issue a DNS query can make a DNS server that is configured to allow zone transfers dump its entire zone database file. A malicious user can use this information to learn the naming scheme inside your organization and to attack critical service infrastructure. For protection, you can configure your DNS server to refuse zone transfer requests, or to allow zone transfers only to specific servers within your organization.
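Sections 6 and 7 are both per-zone settings, so one audit covers them. The script below is an added example, not part of the original article: it lists every primary zone on a Windows DNS server that still accepts non-secure dynamic updates or transfers to any requester, then hardens a named zone (DnsServer module, Windows Server 2012 and later, with the dnscmd form for Windows Server 2003). The zone name corp.example and the secondary address 10.0.0.2 are placeholders.

```powershell
# Added example, not part of the original article. Audits every primary zone
# for the two risks in sections 6 and 7 (non-secure dynamic updates and
# unrestricted zone transfers) and hardens the zones you name.

function Get-DnsZoneExposure {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone                = $_.ZoneName
                ADIntegrated        = $_.IsDsIntegrated
                DynamicUpdate       = $_.DynamicUpdate      # None, NonsecureAndSecure, Secure
                AcceptsUnsignedDDNS = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
                ZoneTransfer        = $_.SecureSecondaries  # NoTransfer, TransferAnyServer,
                                                            # TransferToZoneNameServer, TransferToSecureServers
                TransfersToAnyone   = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Protect-DnsZone {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Secondary servers inside your organization that may still pull the
        # zone. Leave empty to refuse all zone transfers.
        [ipaddress[]]$AllowedSecondaries = @()
    )
    $zone = Get-DnsServerZone -Name $Name
    # Section 6: secure dynamic updates require an Active Directory
    # integrated zone, so convert a file-backed zone first.
    if (-not $zone.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $Name -ReplicationScope Domain -Force
    }
    Set-DnsServerPrimaryZone -Name $Name -DynamicUpdate Secure
    # Section 7: either no transfers at all, or only to the listed servers.
    if ($AllowedSecondaries.Count -gt 0) {
        Set-DnsServerPrimaryZone -Name $Name -SecureSecondaries TransferToSecureServers `
                                 -SecondaryServers $AllowedSecondaries
    } else {
        Set-DnsServerPrimaryZone -Name $Name -SecureSecondaries NoTransfer
    }
    Get-DnsZoneExposure | Where-Object Zone -eq $Name
}

# Windows Server 2003 equivalents with dnscmd. /AllowUpdate 2 = secure
# updates only; /ZoneResetSecondaries /SecureList limits transfers to the
# listed addresses, /NoXfr refuses them entirely.
function Protect-DnsZoneLegacy {
    param([Parameter(Mandatory)][string]$Name, [string[]]$AllowedSecondaries = @())
    & dnscmd.exe /Config $Name /AllowUpdate 2
    if ($AllowedSecondaries.Count -gt 0) {
        & dnscmd.exe /ZoneResetSecondaries $Name /SecureList $AllowedSecondaries
    } else {
        & dnscmd.exe /ZoneResetSecondaries $Name /NoXfr
    }
}

# Review the exposed zones first, then fix them one by one.
Get-DnsZoneExposure | Where-Object { $_.AcceptsUnsignedDDNS -or $_.TransfersToAnyone }
Protect-DnsZone -Name 'corp.example' -AllowedSecondaries @('10.0.0.2')
```

Note that converting a zone to Active Directory integrated storage changes where its data lives and how it replicates, so run the conversion in a maintenance window and re-run Get-DnsZoneExposure afterwards to confirm both columns read Secure and TransferToSecureServers (or NoTransfer).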
8. Use a firewall to control DNS access
Firewalls can be used to control who is allowed to connect to your DNS servers. For DNS servers that answer only internal users' queries, configure the firewall to stop external hosts from connecting to them. For DNS servers used as caching-only forwarders, configure the firewall to allow only the queries sent by the DNS servers that use the caching-only server as their forwarder. An important point in the firewall policy is to prevent internal users from using the DNS protocol to connect to external DNS servers.
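The rules above belong on the perimeter firewall, but the same policy can be enforced on the DNS hosts themselves with Windows Firewall. The script below is an added example, not part of the original article: it uses the NetSecurity module (Windows Server 2012 and later), and the address ranges, the forwarder address and the "DNS hardening" rule prefix are assumed placeholders. It also disables the broad port 53 allow rules that the DNS Server role installs, since otherwise those would let any host in regardless of the scoped rules.

```powershell
# Added example, not part of the original article. Host-level Windows
# Firewall rules for the two server roles in section 8 (NetSecurity module,
# Windows Server 2012+). Address ranges are placeholders for your network.

$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')   # internal user subnets
$InternalDns  = @('10.0.0.10', '10.0.0.11')          # internal DNS servers
$Prefix       = 'DNS hardening'

# Inbound allow rule for UDP and TCP 53, scoped to the given remote addresses.
function New-DnsAllowRule {
    param([string]$Name, [string[]]$RemoteAddress)
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$Prefix - $Name ($proto)" -Direction Inbound `
            -Protocol $proto -LocalPort 53 -RemoteAddress $RemoteAddress `
            -Action Allow -Profile Any
    }
}

# Role 1: a DNS server that serves internal users only. It may query its
# (internal) forwarder but must not talk DNS to the Internet itself. Block
# rules win over allow rules in Windows Firewall, so the block is scoped to
# the Internet keyword and leaves the internal forwarder reachable.
function Protect-InternalDnsServer {
    New-DnsAllowRule -Name 'internal clients' -RemoteAddress $InternalNets
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$Prefix - no direct Internet DNS ($proto)" `
            -Direction Outbound -Protocol $proto -RemotePort 53 `
            -RemoteAddress Internet -Action Block -Profile Any
    }
}

# Role 2: the caching-only forwarder accepts queries only from the internal
# DNS servers that forward to it (it still needs outbound 53 to the Internet).
function Protect-CachingForwarder {
    New-DnsAllowRule -Name 'forwarding DNS servers' -RemoteAddress $InternalDns
}

# The DNS Server role ships allow-any rules for port 53. Disable every
# inbound rule on that port that is not one of ours, so the scoped rules are
# the only way in.
function Disable-BroadDnsRules {
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 53 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -notlike "$Prefix*" } |
        Disable-NetFirewallRule
}

# Show what is in force for review.
function Get-DnsFirewallRules {
    Get-NetFirewallRule -DisplayName "$Prefix*" |
        Select-Object DisplayName, Direction, Action, Enabled
}

Protect-InternalDnsServer     # or Protect-CachingForwarder on the forwarder
Disable-BroadDnsRules
Get-DnsFirewallRules
```

The outbound block on the internal servers is the host-side half of the article's last point; blocking internal users' own DNS traffic to the Internet still has to be done at the perimeter, where all client traffic passes.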
9. Set access control on the DNS registry keys
On a Windows-based DNS server, you should set access control on the registry keys related to the DNS server so that only the accounts that need access can read or modify these registry settings.
The HKLM\CurrentControlSet\Services\DNS key should be accessible only to the Administrators and SYSTEM accounts, and those accounts should have Full Control.
10. Set access control on the DNS file system entries
On a Windows-based DNS server, you should set access control on the file system entries associated with the DNS server so that only the accounts that need access can read or modify the files.
The %system_directory%\dns folder and its subfolders should be accessible only to the SYSTEM account, and the SYSTEM account should have Full Control.
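Sections 9 and 10 are the same task on two kinds of object, so one script serves both. The following is an added example, not part of the original article: it audits the ACLs on the DNS service's registry key (its full path sits under the SYSTEM hive, HKLM\SYSTEM\CurrentControlSet\Services\DNS) and on the DNS folder (the article's %system_directory%\dns, normally C:\Windows\System32\dns), flags any principal outside the set the article allows, and can then replace each ACL with explicit Full Control for exactly those accounts. The expected-principal lists are taken from the article; run it as an administrator.

```powershell
# Added example, not part of the original article. Audits and, if you
# choose, enforces the access control from sections 9 and 10 on the DNS
# registry key and the DNS folder.

$DnsRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'
$DnsFolder = Join-Path $env:SystemRoot 'System32\dns'

# Who the article allows on each object.
$Expected = @{
    $DnsRegKey = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $DnsFolder = @('NT AUTHORITY\SYSTEM')
}

# List every access control entry on both objects and flag the ones whose
# identity is outside the expected set (the audit makes no changes).
function Get-DnsAclAudit {
    foreach ($path in $Expected.Keys) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $ace.RegistryRights
            } else {
                $ace.FileSystemRights
            }
            [pscustomobject]@{
                Path       = $path
                Identity   = $ace.IdentityReference.Value
                Rights     = $rights
                Type       = $ace.AccessControlType
                Inherited  = $ace.IsInherited
                Unexpected = -not ($Expected[$path] -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Replace the ACL with explicit Full Control for the expected accounts only,
# and stop inheriting entries from the parent key or folder.
function Set-DnsAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in $Expected[$Path]) {
        $rule = if ($Path -like 'HKLM:*') {
            New-Object System.Security.AccessControl.RegistryAccessRule(
                $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Get-DnsAclAudit | Where-Object Unexpected                   # review first
# Set-DnsAcl -Path $DnsRegKey; Set-DnsAcl -Path $DnsFolder   # then enforce
```

Review the audit output before enforcing: the DNS service runs as LocalSystem, so SYSTEM must keep Full Control on both objects or the service will fail to start, and the folder ACL, following the article, leaves administrators only the implicit rights they hold as owner.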