Expert advice: 10 Ways to protect the DNS server

Source: Internet
Author: User

DNS software is a favorite target for attackers, and a compromised DNS service can cause serious security problems. Here are some of the most effective ways to protect DNS servers.

1. Using DNS Forwarders

A DNS forwarder is a DNS server that completes DNS queries on behalf of other DNS servers. The main purpose of using a DNS forwarder is to relieve the DNS server of processing load by passing its query requests to the forwarder, and to benefit from the forwarder's potentially larger DNS cache.

Another benefit of using DNS forwarders is that it prevents the DNS server from sending query requests directly to Internet DNS servers. This is important if your DNS server holds the DNS resource records for your internal domain. Instead of having the internal DNS server perform recursive queries and contact Internet DNS servers directly, have it use forwarders to handle requests for domains it is not authoritative for.

2. Use a caching-only DNS server

A caching-only DNS server is not authoritative for any domain name. It is configured to perform recursive queries or to use a forwarder. When the caching-only DNS server receives a response, it saves the result in its cache and returns it to the system that issued the DNS query. Over time, a caching-only DNS server can accumulate a large number of DNS responses, which can greatly shorten the time it takes to answer DNS queries.

Using a caching-only DNS server that is under your administrative control as a forwarder can improve your organization's security. Internal DNS servers can use the caching-only DNS server as their forwarder, and the caching-only DNS server completes recursive queries in place of your internal DNS servers. Using your own caching-only DNS server as a forwarder improves security because you don't need to rely on your ISP's DNS server as a forwarder, especially if you can't verify the security of your ISP's DNS servers.

3. Using DNS advertisers

A DNS advertiser is a DNS server that resolves queries for the domains it is authoritative for. For example, if you host publicly available resources for domain.com and corp.com, your public DNS server should be configured with the DNS zone files for domain.com and corp.com.

What sets a DNS advertiser apart from other DNS servers that host DNS zone files is that the DNS advertiser answers queries only for the domain names it is authoritative for. This DNS server does not recursively query other DNS servers, which makes it impossible for users to use your public DNS server to resolve other domain names. Security improves because this reduces the risks associated with running a public DNS resolver, including cache poisoning.
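A check for the advertiser behaviour described above, as an added example that is not part of the original article: it classifies a server's reply to a recursion-desired query for a name outside its zones by reading the RA, AA and RCODE header fields. The function names, the `probe` helper and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RD, RA, AA = 0x0100, 0x0080, 0x0400  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Build an A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet):
    """Classify a reply to a query for a name outside the server's zones."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0 and not flags & AA:
        return "open-resolver"        # recursed and answered a foreign name
    if flags & RA:
        return "recursion-available"  # RA advertised; review recursion ACLs
    return "authoritative-only"       # RA clear, e.g. REFUSED or a referral

def probe(server, foreign_name, timeout=3.0):
    """Send the query to a DNS server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(foreign_name), (server, 53))
        return classify_response(s.recv(512))

# Constructed sample replies (12-byte headers only; the classifier reads
# nothing beyond the header).
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000 | RD | 5, 1, 0, 0, 0)
RECURSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000 | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify_response(REFUSED_REPLY))   # advertiser behaving as intended
    print(classify_response(RECURSED_REPLY))  # public server that recurses
```

A public DNS advertiser should come back as `authoritative-only` for any name outside its own zones; either of the other two results means recursion is still reachable from where the probe was run.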

4. Use a DNS resolver

A DNS resolver is a DNS server that can perform recursive queries to resolve names outside the domains it is authoritative for. For example, you might have a DNS server on your internal network that is authoritative for the internal network domain internalcorp.com. When a client on the network uses this DNS server to resolve techrepublic.com, the DNS server performs recursion by querying other DNS servers for the answer.

The difference between this DNS server and a DNS resolver is that the DNS resolver is dedicated to resolving Internet host names. A DNS resolver can be a caching-only DNS server that is not authoritative for any DNS domain names. You can make the DNS resolver available only to internal users, or only to external users so that they do not have to use a DNS server outside your control, thereby improving security. Of course, you can also allow the DNS resolver to be used by both internal and external users.

5. Protect DNS from cache contamination

DNS cache contamination has become an increasingly common problem. Most DNS servers are able to store DNS query results in the cache before replying to the requesting host. DNS caching can greatly improve DNS query performance within your organization. The problem is that if your DNS server's cache is "contaminated" with a lot of fake DNS information, users may be sent to a malicious site instead of the site they originally wanted to visit.
