Protecting DNS servers - Part 4

In last week's tip, I covered the first two DNS security precautions from the list below:

  • Secure dynamic updates
  • DNS resource record registration quotas
  • Delegate DNS administration
  • Use secured

    Requires Free Membership to View

  • routing
  • Maintain a split DNS namespace
  • Disable recursion

The next two DNS security improvements are delegating DNS administration and using secured routing.

The zone containers used to store DNS information have pre-defined access restricted. You should evaluate the current state of the ACLs on these containers to ensure they represent the most secured configuration possible for your specific environment. Users need only read access to zone information. By default, full access to all DNS elements is assigned to Administrators, Domain Admins, Enterprise Admins, and DNS Admins. All others have read access assigned by default.

Using secure routing options is another important issue to consider. Queries may be received by a DNS server through various means. They may be routed through conditional forwarding, sent from secondary zones, or via a root hint. Depending on the placement of DNS servers and firewalls in your network, different configurations are needed.

When two AD namespaces managed by different DNS servers are separated by a firewall, access is only needed into the domain that hosts the DNS server acting as a forwarded. Otherwise, if secondary zones or delegated zones are used across the firewall, then two-way DNS communication is necessary.

Making a choice between secondary zones and forwarding is not easy and straightforward. Secondary zone information is not stored in AD. Instead, it is stored in a text file. This exposes secondary zone DNS configuration to attack. Forwarding does not store data in text files, however it will increase name resolution traffic on your network. Forwarders also slightly reduce the fault tolerance of your overall DNS infrastructure. The reduction in fault tolerance is based upon the notion that you will rely upon forwarders which do not include redundant copies of the DNS data instead of true DNS servers which do provide redundancy by maintaining a copy of the DNS data set. Also, forwarders forward DNS queries that are not locally resolvable from its cache (i.e. a storage area of previously resolved queries) to a single specific DNS server. If that one DNS server is offline or unavailable, forwarding fails as well.

If you host a DNS root internally, configure the root hints of all DNS servers in your domain to point only to your internal DNS root. Do not allow them to point to public Internet DNS root servers. Otherwise, this would allow your private information to be sent over the Internet when external DNS is used for resolution.

I'll tackle the final two DNS security improvements in the next tip.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in August 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.