Developer

Ramp up DNS security with these three steps

Take action with these tips that you can immediately use to ensure the basic security of your DNS servers.


This article is from TechRepublic's Security Solutions e-newsletter. Sign up instantly to begin receiving the Security Solutions e-newsletter in your inbox.

A few months ago, I explained how to improve DNS security ("Strengthen vulnerable areas to improve DNS security"). This solution highlighted the most common problems of current DNS implementations.

Afterward, I heard from several readers, who asked for more in-depth information to help secure these valuable network assets. Let's look at three common problems and solutions. I'll tell you how to make the recommended changes in both Windows and UNIX.

Stop cache poisoning
Cache poisoning occurs when a name server makes a recursive query and caches bogus data for a domain name. This can result in denial of service (DoS) or man-in-the-middle attacks. However, you can eliminate this vulnerability.

In Windows 2000 or Windows Server 2003, follow these steps:
  1. Go to Start | Control Panel.
  2. Click Performance And Maintenance, and click Administrative Tools.
  3. Double-click DNS.
  4. In the console tree, select the applicable DNS server.
  5. Go to Action | Properties.
  6. On the Advanced tab, select the Secure Cache Against Pollution check box in the Server Options section, and click OK.

In UNIX flavors of BIND, edit the named.conf file, and make the following changes:
acl internal { xxx.xxx.xxx.0/xx; }; ! Your network block
options {
recursion no;
allow-query { internal; };
...};

Disable recursive queries
External name servers should run in a passive mode. They should never send queries on behalf of other name servers or resolvers.

By default, your Windows DNS server performs recursive queries. Recursion is a DoS attack tool used by crackers to shut down a name server and make a site inaccessible to outside users.

You should definitely disable recursion. In Windows, issue the following command at a command prompt:
dnscmd <ServerName> /Config /NoRecursion 1

In UNIX flavors of BIND, implementing security against cache poisoning (as demonstrated in the previous section) also turns off recursion.

Use a single interface
By default, DNS listens and responds on the appropriate ports on all configured interfaces. If your server is multihomed, then you have a potential security breach on multiple IP addresses.

In addition, this increases the complexity of your access control lists on your routers and switches. However, you can configure your DNS server to listen on only one IP address.

In Windows 2000 or Windows Server 2003, follow these steps:
  1. Open DNS.
  2. In the console tree, select the applicable DNS server.
  3. Go to Action | Properties.
  4. On the Interfaces tab, select Only The Following IP Addresses.
  5. In the IP Address text box, enter an IP address for the DNS server you want to enable for use, and click Add.

In UNIX flavors of BIND, you can't natively control which ports are open on a multihomed interface. If the "named" service is running, all IP addresses will listen for traffic. To gain greater control over this problem, check out the ucspi-tcp package created by D.J. Bernstein.

Final thoughts
After implementing these changes to your name server configuration, verify that you only allow TCP/UDP port 53 traffic to and from your server. This step completes the basic lockdown of your DNS servers.

As I've mentioned before, these servers are vital to the healthy functioning of your network. You must actively monitor them and keep them patched and up to date.

Editor's Picks

Free Newsletters, In your Inbox