Best practices for DNS security
Securing the DNS must be a priority because it is so central to the proper functioning of every IP network. Employing the best possible protections for the DNS will pay huge dividends over time. The good news is that it is not hard. Most of the essential groundwork should be covered with standard IT processes for securing critical systems. The rest is simple due diligence.
Below is a checklist of best practices that will not only ensure the best DNS security, but also the best performance and availability. Best of all, operations will be simplified too.
1. Demand built-in layered defenses for the DNS. Priority one is employing multiple defenses against cache poisoning. How much of your IT infrastructure is protected with a single defense? Why would you be comfortable protecting the DNS with just one? It is one of the most attractive targets in the network because a compromise is so insidious. Are you willing to risk having your corporate secrets sent to a competitor? Transparent redirection of network traffic caused by cache poisoning can wreak havoc with email. As with every other IT system, layered defenses for the DNS ensure that if one defense is compromised, others still stand between the attacker and success.
2. Deploy DNS servers optimized for their respective functions. Merely separating caching and authoritative functions is insufficient. Caching and authoritative servers are susceptible to different kinds of attacks, and the protections for each are different. With purpose-built software it is simple to deploy optimized protections for each platform (in fact the defaults for each will already be optimal in most cases). As a bonus, the performance of purpose-built platforms will be better, operational processes can be tailored for each, overall configuration management will be simpler, and each platform will be more reliable.
3. Optimize the configuration of purpose-built DNS servers. Restricting access to caching servers exclusively to authorized users follows naturally from deploying a purpose-built caching server: the caching configuration can easily be “closed” to the defined user base (IP address range(s)). At the same time, on the authoritative side, zone transfers can easily be restricted to authorized secondary name servers while keeping the server “open” for queries from the Internet. Both configurations can be optimal, maximizing security, without conflict between them.
4. Caution! DNS forwarding architectures are a false promise. “Forwarding” designs are often suggested as a means to protect the DNS infrastructure against software flaws. The idea behind “forwarding” is that a large number of DNS servers at the bottom of a hierarchy forward DNS queries to a small number of DNS servers that are exposed externally. On the surface this seems simple, but the underlying problem, flawed software, remains. An important question to ask is: “Would you consider such an approach for other IT systems?” The answer is almost always “No”, even for inconsequential systems. Software that has a track record of flaws and patches should be replaced altogether. Reducing the scale of the exposure is a band-aid that will ultimately fail, with catastrophic results when the system in question is the DNS.
5. Audit IT processes. Periodically verify that basic best practices are always followed when deploying network services such as DNS. Some obvious things should be checked: operating systems on critical systems such as the DNS should always be locked down, the latest security features should always be employed, access to the configuration and management facilities (CLI, SNMP) should be limited, and configurations should be verified before they are committed to production. These should all be rote for IT staff, embedded in day-to-day work habits, but monitoring is prudent to ensure compliance. As an aside, it is also worth understanding the burden imposed by patching DNS systems – compare vendors' track records with CERT advisories and other mandatory patches. Fewer patches mean less exposure, and ultimately less money and stress for the organization.
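Items 3 and 5 meet in one practical step: the access controls of a closed caching server and of an open authoritative server are simple to state, and checking them before a configuration is committed is exactly the kind of rote verification an audit looks for. The following Python script is an added example, not code from this article. It embeds two constructed BIND named.conf fragments (a closed caching resolver and an Internet-facing authoritative server), a constructed weak variant that mixes both roles, and a minimal checker that flags a configuration that does not match its server's role. The directive names (`acl`, `recursion`, `allow-recursion`, `allow-query`, `allow-query-cache`, `allow-transfer`) are real BIND options; the address ranges, ACL names and zone are invented, and the parser only understands single-line acl statements and one top-level options block, which is an assumption of this example rather than BIND behaviour.

```python
"""Added example (not the article's code): pre-production check for purpose-built
BIND name servers. The configs below are constructed; the parser is deliberately
minimal (single-line acl statements, one top-level options block, no includes)."""
import re

# Constructed: caching server closed to the internal address ranges.
CACHING_CONF = """
acl internal { 10.0.0.0/8; 192.168.0.0/16; };
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-transfer { none; };
};
"""

# Constructed: authoritative server open to Internet queries, no recursion,
# zone transfers only to the named secondaries.
AUTH_CONF = """
acl secondaries { 203.0.113.10; 203.0.113.11; };
options {
    recursion no;
    allow-query { any; };
    allow-transfer { secondaries; };
};
zone "example.com" { type master; file "db.example.com"; };
"""

# Constructed weak variant: one server doing both jobs, recursing for anyone
# and handing the zone to anyone who asks for a transfer.
WEAK_CONF = """
options {
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};
zone "example.com" { type master; file "db.example.com"; };
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ACCESS_STMTS = ("allow-recursion", "allow-query", "allow-query-cache", "allow-transfer")

def parse_options(conf):
    """Return {statement: [values]} for the top-level options block."""
    block = re.search(r"options\s*\{(.*?)^\};", conf, re.S | re.M)
    opts = {}
    if not block:
        return opts
    for line in block.group(1).splitlines():
        line = line.strip().rstrip(";").strip()
        if not line:
            continue
        if "{" in line:  # address-list form, e.g. allow-query { internal; }
            name, body = line.split("{", 1)
            values = [v.strip() for v in body.split("}")[0].split(";") if v.strip()]
        else:  # simple form, e.g. recursion yes
            name, value = line.split(None, 1)
            values = [value.strip()]
        opts[name.strip()] = values
    return opts

def defined_acls(conf):
    """Names of acl statements declared in the file."""
    return set(re.findall(r"^\s*acl\s+(\S+)\s*\{", conf, re.M))

def check(role, conf):
    """Findings for a 'caching' or 'authoritative' config; [] means it fits the role."""
    opts = parse_options(conf)
    acls = defined_acls(conf) | BUILTIN_ACLS
    findings = []
    recursion = opts.get("recursion", ["<unset>"])[0]
    if role == "caching":
        if recursion != "yes":
            findings.append("caching server must set recursion yes")
        # A closed resolver names its user base explicitly on every access list.
        for stmt in ("allow-recursion", "allow-query", "allow-query-cache"):
            vals = opts.get(stmt)
            if vals is None or "any" in vals:
                findings.append(f"{stmt} is unset or open to any; restrict it to the internal ACL")
        if opts.get("allow-transfer") != ["none"]:
            findings.append("caching server should set allow-transfer { none; }")
    elif role == "authoritative":
        if recursion != "no":
            findings.append("authoritative server must set recursion no")
        if "any" not in opts.get("allow-query", []):
            findings.append("authoritative server should answer queries from any")
        transfer = opts.get("allow-transfer")
        if transfer is None or "any" in transfer:
            findings.append("allow-transfer must list only the authorized secondaries")
    else:
        raise ValueError(f"unknown role {role!r}")
    # Catch typos: every name on an access list must be a declared acl, a
    # built-in acl, or an address/prefix literal.
    for stmt in ACCESS_STMTS:
        for val in opts.get(stmt, []):
            if val not in acls and not re.fullmatch(r"[0-9a-fA-F:.]+(/\d+)?", val):
                findings.append(f"{stmt} references undefined acl {val!r}")
    return findings
```

Calling `check("caching", CACHING_CONF)` and `check("authoritative", AUTH_CONF)` returns no findings, while `check("authoritative", WEAK_CONF)` reports both the enabled recursion and the open zone transfer. Wired into a change process as a pre-commit step over the real named.conf, a checker like this would need to be extended to handle `include` statements and views before it could be trusted on a production file.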
6. Consider DNS service offerings. Even the most IT-centric companies have business priorities beyond the day-to-day care and feeding of network infrastructure. It may also be difficult to staff and/or retain in-house DNS expertise. Under these circumstances DNS service offerings might be appropriate. The 5 items above can easily be adapted into a simple checklist for rapidly evaluating hosted DNS service offerings.