Tech Tip: Ramp up DNS security with these three steps

Here's how to Ramp up DNS security in three steps.

By Mike Mullins

I've previously explained how to improve DNS security ("Strengthen vulnerable spots to improve DNS security") This solution highlighted the most common problems of current DNS implementations.

Let's look at an additional three common problems and solutions. I'll tell you how to make the recommended changes in both Windows and UNIX.

Stop cache poisoning

Cache poisoning occurs when a name server makes a recursive query and caches bogus data for a domain name. This can result in denial-of-service (DoS) or man-in-the-middle attacks. However, you can eliminate this vulnerability.

In Windows 2000 or Windows Server 2003, follow these steps:

  1. Go to Start | Control Panel.
  2. Click Performance And Maintenance, and click Administrative Tools.
  3. Double-click DNS.
  4. In the console tree, select the applicable DNS server.
  5. Go to Action | Properties.
  6. On the Advanced tab, select the Secure Cache Against Pollution check box in the Server Options section, and click OK.

In UNIX flavors of BIND, edit the named.conf file, and make the following changes:

acl internal {; }; ! Your network block
options {
recursion no;
allow-query { internal; };

Disable recursive queries

External name servers should run in a passive mode. They should never send queries on behalf of other name servers or resolvers.

By default, your Windows DNS server performs recursive queries. Recursion is a DoS attack tool used by crackers to shut down a name server and make a site inaccessible to outside users.

You should definitely disable recursion. Issue the following command at the command line:

dnscmd <ServerName> /Config /NoRecursion 1

In UNIX flavors of BIND, implementing security against cache poisoning also turns off recursion.

Use a single interface

By default, DNS listens and responds on the appropriate ports on all configured interfaces. If your server is multihomed, then you have a potential security breach on multiple IP addresses.

In addition, this increases the complexity of your access control lists on your routers and switches. However, you can configure your DNS server to listen on only one IP address.

In Windows 2000 or Windows Server 2003, follow these steps:

  1. Open DNS.
  2. In the console tree, select the applicable DNS server.
  3. Go to Action | Properties.
  4. On the Interfaces tab, select Only The Following IP Addresses.
  5. In the IP Address text box, enter an IP address for the DNS server you want to enable for use, and click Add.

In UNIX flavors of BIND, you can't natively control which ports are open on a multihomed interface. If the named service is running, all IP addresses will listen for traffic. To gain greater control over this problem, check out the ucspi-tcp package created by D.J. Bernstein.

Final thoughts

After implementing these changes to your name server configuration, verify that you only allow TCP/UDP port 53 traffic from and to your server. This step completes the lockdown of your name servers.

As I've mentioned before, these servers are vital to the health and function of your network. You must actively monitor them and keep them patched and up to date.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox