DNS Security Best Practices

DNS security best practices are vital for every organization, since the service has become critical to almost every operation involving networked applications: it is what lets those applications find and communicate with each other. At the same time, DNS has grown dauntingly sophisticated, both in theory and in implementation.

Meanwhile, cyber adversaries have increasingly set their sights on DNS infrastructure. An unavailable DNS service means applications cannot communicate, which may halt essential operations. DNS security best practices are therefore key to keeping the DNS infrastructure continuously available and healthy.

The following DNS security best practices help keep DNS performing dependably and remaining secure.

1. Ensure DNS logs all activities – One of the most important DNS Security Best Practices

Security professionals recommend DNS logging as an effective strategy for monitoring DNS activity and events. DNS logs provide valuable insight into whether malicious individuals are attempting to meddle with the DNS servers. Beyond recording client activity, DNS debug logs help identify existing issues with DNS updates or queries.

Moreover, DNS logs reveal any traces that point to cache poisoning. In this situation, a cyber adversary changes the data held in the DNS cache so that clients receive malicious answers. For instance, changing the cached IP address of a legitimate website to that of a malicious one causes the DNS server to redirect clients to malware-infested sites. Such actions can compromise the security of an entire company. Although DNS debug logging is vital to strengthening DNS security, some system administrators disable it to boost performance. Monitoring network activity ensures timely detection of attacks such as Distributed Denial of Service (DDoS).

2. Lock the DNS cache

The DNS server stores the answer to a client's query in a cache for future reference. This improves the response speed of the DNS server when a client makes the same query again.

However, cybercriminals can exploit this feature to alter the stored information. Locking the DNS cache is therefore an essential complement to DNS debug logging. This best practice lets system administrators control when cached data may be changed: the DNS server only keeps lookup information for the period defined by the record's time to live (TTL).

Disabling the cache lock means the stored information can be modified or overwritten before the TTL expires, paving the way for cache poisoning attacks. Depending on the operating system in use, companies can choose to enable cache locking, which may be on by default. The locking percentage can be set as high as 100% to prevent any alteration of the cached information until the TTL expires.
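To make the mechanism concrete, here is a small model of cache locking, written for this article as an illustration rather than taken from any DNS server's code; it assumes a monotonic clock in seconds and a locking percentage in the sense Windows DNS Server uses it (an entry cannot be overwritten until that share of its TTL has elapsed).

```python
"""Model of DNS cache locking (added illustration, not vendor code): a cached
record cannot be overwritten until a configurable percentage of its TTL has
elapsed, so an unsolicited 'fresher' answer cannot displace a valid one early."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CacheEntry:
    value: str
    inserted_at: float  # seconds, monotonic clock assumed
    ttl: int            # seconds


class LockedDnsCache:
    def __init__(self, locking_percent: int = 100) -> None:
        if not 0 <= locking_percent <= 100:
            raise ValueError("locking_percent must be 0..100")
        self.locking_percent = locking_percent
        self._entries: dict[str, CacheEntry] = {}

    def _locked_until(self, entry: CacheEntry) -> float:
        # The record is immutable for locking_percent of its TTL.
        return entry.inserted_at + entry.ttl * self.locking_percent / 100

    def lookup(self, name: str, now: float) -> Optional[str]:
        entry = self._entries.get(name)
        if entry is None or now >= entry.inserted_at + entry.ttl:
            self._entries.pop(name, None)   # expired: evict it
            return None
        return entry.value

    def store(self, name: str, value: str, ttl: int, now: float) -> bool:
        """Store a resolved answer. Returns False when an unexpired entry is
        still locked, i.e. the overwrite was refused (poisoning attempt or not)."""
        entry = self._entries.get(name)
        if entry is not None and now < entry.inserted_at + entry.ttl:
            if now < self._locked_until(entry):
                return False            # locked: keep the original answer
        self._entries[name] = CacheEntry(value, now, ttl)
        return True
```

With the percentage at 100 the only way to replace a record is to wait for its TTL to run out; at 50 the second half of the TTL is open to updates.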

3. Enable DNS filtering

DNS filtering is an effective method of blocking users from accessing malicious domains or websites. It allows system administrators to block name resolution for domains or sites known to host malicious content. If a client sends a query for a blocked domain, the DNS server immediately cuts off the communication. DNS filtering therefore significantly reduces the chance of malware and viruses reaching the organizational network. Because clients cannot reach blocked, malicious webpages, the control keeps threats that target the IT infrastructure at bay, and IT security staff are spared the continual clean-up of dangerous malware.

Additionally, a company may block specific domains in line with its existing IT policies. For example, many organizations block certain websites to keep employees productive; typical examples are video streaming, illicit material, social media, and gambling sites. System administrators can filter DNS requests per group or per individual user, or prevent all users from accessing specific websites.

Most modern firewalls and security software come with built-in DNS filtering. Such appliances supply lists of malicious domains that are updated regularly, so organizations can rely on automated DNS filtering instead of inefficient manual entries.

4. Use DNSSEC to validate the integrity of DNS data

The Domain Name System Security Extensions (DNSSEC) ensure that clients receive only valid responses to their queries. DNSSEC provides integrity by digitally signing the DNS data that name servers serve. When a client makes a query, the DNS server checks that the response carries a valid digital signature, which tells clients they can trust the information they received. DNSSEC is an additional security layer that helps protect against attacks on the DNS protocol.

Moreover, because DNSSEC provides origin authentication and data integrity, attacks such as cache poisoning and DNS spoofing can be prevented. Clients can therefore be confident that they reach the intended sites.

5. Ensure accurate configuration of access control lists

Access control lists are vital to securing DNS servers against spoofing attacks and unauthorized access attempts. For the DNS servers to remain secure, only system and IT administrators should be able to access the primary DNS server. Accurately configuring the access control list to permit only specific hosts to connect to a name server ensures that only legitimate clients can communicate with the DNS servers.

Access control lists should also define which servers are permitted to request zone transfers. Cyber adversaries may pose as secondary DNS servers and send zone transfer requests to discover how the organization's zones are set up. Restricting zone transfers to the authorized secondary servers prevents cybercriminals from obtaining zone information. These configurations are vital because they keep malicious or unauthorized third parties from learning how the internal network is organized.
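The checks described under points 1 and 5 can be automated over the query logs. The following Python is an added example, not the page's or any vendor's tooling; it parses a constructed sample in a simplified BIND 9 query-log format, and the approved-secondary list and the query threshold are hypothetical values that would normally mirror the server's ACL.

```python
"""Detection over DNS query logs (added example). Flags (1) zone-transfer
(AXFR/IXFR) requests from hosts that are not approved secondaries and
(2) clients whose query volume in the log window exceeds a threshold."""
import re
from collections import Counter

# Simplified BIND 9 query-log line (the sample below is constructed):
# client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+)"
)

# Hypothetical secondaries allowed to pull the zone (would mirror the ACL).
APPROVED_SECONDARIES = {"203.0.113.20", "203.0.113.21"}

SAMPLE_LOG = """\
client 192.0.2.55#43211 (www.example.com): query: www.example.com IN A + (203.0.113.1)
client 203.0.113.20#51000 (example.com): query: example.com IN AXFR -T (203.0.113.1)
client 198.51.100.9#50201 (example.com): query: example.com IN AXFR -T (203.0.113.1)
""" + "".join(
    f"client 198.51.100.77#4{i:04d} (x{i}.example.com): query: x{i}.example.com IN A + (203.0.113.1)\n"
    for i in range(120)
)


def parse(log_text: str):
    """Yield (client_ip, qname, qtype) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qtype"]


def unauthorized_transfers(log_text: str) -> list[tuple[str, str]]:
    """(client, zone) pairs that requested AXFR/IXFR without being approved."""
    return [
        (ip, qname)
        for ip, qname, qtype in parse(log_text)
        if qtype in ("AXFR", "IXFR") and ip not in APPROVED_SECONDARIES
    ]


def noisy_clients(log_text: str, threshold: int = 100) -> dict[str, int]:
    """Clients whose query count in this log window exceeds the threshold."""
    counts = Counter(ip for ip, _, _ in parse(log_text))
    return {ip: n for ip, n in counts.items() if n > threshold}
```

In the sample, the transfer from 203.0.113.20 is legitimate, the one from 198.51.100.9 is not, and 198.51.100.77 shows up as a query flood.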

6. Separate authoritative from recursive name servers

An authoritative name server consults only its local database to map a name to its IP address. A recursive name server, on the other hand, searches a hierarchy of other name servers in addition to its local data to resolve a name to its IP addresses.

Companies should run recursive and authoritative name servers on separate machines, isolating the two roles in line with the network's logical views. System administrators should also configure authoritative name servers so that only other authoritative name servers can send them DNS updates. Since authoritative name servers do not cache, a corrupted or fraudulent database entry may have far-reaching impact.

7. Use Anycast to enable forwarding routers to redirect DNS queries

Anycast lets multiple servers share the same IP address, so routers deliver traffic to the nearest available server rather than to one particular machine. Name servers use Anycast for resilience, to dilute and thereby mitigate the impact of a DDoS attack, and to share workload.

Using Anycast increases the resiliency of a network, since routers can dynamically redirect traffic to the nearest available server. If a company disconnects a server from its network, Anycast redirects traffic to the closest accessible server. In effect, the strategy enlarges the system's footprint, that is, the set of servers absorbing incoming traffic, which mitigates the impact of a DDoS attack by spreading it across many servers.

8. Deploy dedicated DNS appliances

Like most network appliances, DNS appliances are designed and built for a specific purpose, so both their software and hardware are configured with performance, ease of management, and security in mind. General-purpose server operating systems do not offer the capabilities and level of tuning found in dedicated DNS appliances. The benefits of deploying dedicated DNS appliances are similar to those of other network appliances: maximizing the available Random Access Memory (RAM), limiting driver requirements, restricting the chatter of different networks on the interfaces, and limiting unnecessary open ports.

In essence, using purpose-built appliances in the DNS architecture makes it possible to strip out all unnecessary protocols, drivers, and applications, which significantly reduces the attack surface. The narrow set of functions lets security features such as logging and monitoring focus on specific protocols and services. Furthermore, activities like audit logging, change tracking, and user administration can be tightened and targeted at the relevant security functions.

9. Update the DNS server regularly

Cyber adversaries will always seek to exploit security vulnerabilities in DNS server software. DNS remains a prime target because a compromised DNS server can be used for data exfiltration and command and control. These risks underscore the need to keep DNS server software on the latest updates. However, a design built from independent servers makes timely installation of updates and security patches difficult, since the process must be carried out on each server separately. The best strategy for architecture-wide updates is a centrally managed solution. Moreover, because DNS servers are resilient and give no warning when they are outdated, organizations must be proactive in deploying security patches.

10. Ensure DNS queries have response rate limits

Companies should use response rate limiting (RRL) to throttle how fast an authoritative name server answers queries coming from a specific IP address. Most name server programs, such as NSD, Knot, and BIND 9.6.4 or later, support response rate limiting. With RRL, a name server keeps track of how often it has sent the same answer to the same querier. Once that rate exceeds the configured threshold, the name server delays its responses, so it never answers queries faster than the configured threshold allows. A name server using response rate limiting thus becomes immune to various types of DDoS attack.
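As an added illustration of the accounting just described, the following Python models response rate limiting per client netblock and per answer. The "slip" of truncated replies follows the scheme of BIND 9's rate-limit option, but the code is an example written for this article, not BIND's implementation, and it assumes IPv4 clients and a monotonic clock in seconds.

```python
"""Model of response rate limiting (RRL), added illustration (not BIND code).
Each (client /24, answer) pair gets a token bucket refilled at the configured
rate; excess replies are dropped, with every slip-th one answered truncated
(TC bit) so a genuine client can retry over TCP while a reflection flood cannot."""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int = 5, slip: int = 2) -> None:
        self.rps = responses_per_second
        self.slip = slip  # every slip-th excess reply is sent truncated
        self._credits = defaultdict(lambda: float(responses_per_second))
        self._last: dict = {}
        self._excess = defaultdict(int)

    @staticmethod
    def _key(client_ip: str, answer: str):
        # Account per /24 so a spoofed-source flood cannot dodge the limit
        # by rotating addresses inside one netblock (IPv4 assumed here).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return str(net), answer

    def decide(self, client_ip: str, answer: str, now: float) -> str:
        """Return 'send', 'slip' (truncated reply) or 'drop' for this response."""
        key = self._key(client_ip, answer)
        last = self._last.get(key, now)
        # Refill credits at rps per second, capped at one second's worth.
        self._credits[key] = min(self.rps, self._credits[key] + (now - last) * self.rps)
        self._last[key] = now
        if self._credits[key] >= 1:
            self._credits[key] -= 1
            return "send"
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "slip"
        return "drop"
```

Other answers, and the same answer to other netblocks, are unaffected, which is what keeps RRL from becoming a denial of service in its own right.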

11. Hide the primary DNS server

System administrators should hide the organization's primary DNS server from public view. To do so, they configure the publicly visible DNS servers as slaves and designate the primary DNS server as a master name server that is not reachable from the public. A hidden, or stealth, master name server is not listed in the NS records of the publicly accessible DNS database; only the slave name servers can be reached publicly. This slave and stealth master architecture prevents public interrogation of the master through zone transfers or queries. It also preserves the integrity of the slave name servers' DNS databases, since only the concealed master can update the slaves, by pushing changes to them.

12. Configure the DNS socket pool

The DNS socket pool lets the DNS server use randomized source ports for its DNS lookups. Instead of using the same port for many operations, the DNS server picks a random source port from a pool of idle sockets for each query, which makes it much harder for an attacker to guess the source port of an outstanding query. Some operating systems enable this configuration by default.

13. Harden the name servers

A name server machine should run only the operating system and the name server software, and should serve that one dedicated role in the network. Installing other software on it only attracts hacktivist attempts; additional software can also degrade the machine's performance and, if it contains bugs, cause it to crash. In the same spirit, the only connection a name server should have is the network link it uses to receive updates and respond to DNS queries. Additional network cables or open ports expand the attack surface.

14. Ensure DNS high availability and redundancy

DNS is the communication backbone of networked applications and must therefore be available around the clock. Organizations should achieve the necessary redundancy by deploying at least a primary and a secondary DNS server in-house. Running at least two servers helps keep business-critical services running throughout. Vital services such as email, file sharing, and Active Directory depend on DNS working properly. Maintaining redundant, highly available, and healthy internal DNS servers ensures that internal applications and devices can communicate continuously.

DNS Security Best Practices – Summary

Implementing these DNS security best practices will ensure that your organization is well defended against hackers that may target DNS. Have any comments, feedback, or a DNS Security Best Practice to add to this list? Please leave me a comment and let me know.
