DNS Security Best Practices
The Domain Name System (DNS) is a redundant, hierarchical and distributed database of hostname information. Its basic function is to resolve names such as acme.org to the corresponding IP address.
It is the innermost component of the internet: no DNS means no internet.
DNS is a hierarchical database
I mentioned “hierarchy”. It is achieved by a tree of parent / child domains whose labels, read from the leaf up to the root, form the complete name of a host, the FQDN (Fully Qualified Domain Name).
Each name, such as example.com, actually has a trailing dot, so it is in fact example.com.
Here is what each component means:
- . refers to the DNS root. There are 13 root server names (a.root-servers.net through m.root-servers.net, each an anycast cluster of many machines). Root servers do not forward requests; they answer with a referral that lists the name servers of the TLD one level below.
- .com is the Top Level Domain (TLD). The root zone holds the delegation (NS records) for every TLD, and the TLD's own servers hold the delegations for the domains registered under it.
- example.com is the domain name, served by its own authoritative name servers.
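To make the delegation chain concrete, here is an added example (not part of the original post) that walks it by hand with dig: it asks a root server, follows the NS referral to the TLD servers, then to the domain's own servers, until an answer for the name comes back. This is what a recursive resolver does on a cache miss, and what dig +trace prints. The script assumes dig is installed, that a.root-servers.net (198.41.0.4) is reachable, and that a name server without glue in the referral can be reached by name through the system resolver; CNAME chains are deliberately not followed.

```shell
#!/bin/sh
# Manual iterative resolution: root -> TLD -> zone, following NS referrals.
ROOT_SERVER=198.41.0.4   # a.root-servers.net (assumption: reachable from here)

# Prints the A record for $1 and each referral on stderr.
# Returns 1 if the chain runs out, or after 8 hops (a loop or a broken delegation).
resolve_iteratively() {
    name=$1
    case "$name" in *.) ;; *) name="$name." ;; esac   # DNS names are absolute
    server=${2:-$ROOT_SERVER}
    hop=0
    while [ "$hop" -lt 8 ]; do
        hop=$((hop + 1))
        # +norecurse: ask for a referral, not for the server's own recursion.
        recs=$(dig +norecurse +noall +answer +authority +additional \
                   @"$server" "$name" A || true)
        # The answer section carries the final A record (name, ttl, class, type, rdata).
        ip=$(printf '%s\n' "$recs" | awk -v n="$name" '$1 == n && $4 == "A" { print $5; exit }')
        if [ -n "$ip" ]; then
            printf '%s\n' "$ip"
            return 0
        fi
        # Otherwise the authority section names the next zone's servers ...
        ns=$(printf '%s\n' "$recs" | awk '$4 == "NS" { print $5; exit }')
        [ -n "$ns" ] || return 1
        # ... and the additional section may carry a glue address for one of them.
        glue=$(printf '%s\n' "$recs" | awk -v n="$ns" '$1 == n && $4 == "A" { print $5; exit }')
        printf 'referral from %s -> %s (%s)\n' "$server" "$ns" "${glue:-no glue}" >&2
        server=${glue:-$ns}   # no glue: dig resolves the server name itself
    done
    return 1
}

# Usage: sh resolve.sh example.com
if [ $# -gt 0 ]; then resolve_iteratively "$1"; fi
```

Compare the referral lines it prints on stderr with the output of dig +trace example.com. to see that both walk the same three zones.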
Types of DNS Servers
There are mainly two types of DNS servers: authoritative and recursive.
- A recursive DNS server (resolver) answers on behalf of clients. It does not hold the data itself: on a cache miss it walks the hierarchy from the root down to the appropriate authoritative server and passes that server's answer back to the client.
- Authoritative servers hold the zone data for a domain and are the source of truth for it. Also called name servers, they usually, but not always, have names of the form ns1.acme.org, and a zone normally has more than one.
A recursive server stores only what the authoritative server chooses to publish, and only for as long as the TTL of each record allows.
Best practices for DNS security
Here I share some basic DNS security measures:
- Restrict zone transfers: the authoritative name server should send the zone file (AXFR) only to its own secondary servers, never to an arbitrary requester. An ordinary query returns the specific records asked for, not the whole zone content. To check whether a zone transfer is possible on the taoufikznibae.com domain, issue:
$ dig taoufikznibae.com AXFR
- Protect whois information where possible. Many registrars offer whois privacy services that mask Personally Identifiable Information (PII).
- Don't run recursive and authoritative services on the same server, and don't place the primary and secondary servers on the same network.
- Enable MFA on your registrar account.
- Make sure only the DNS process has read/write permission on the zone files, and run that process in a chroot jail.
- Ask your registrar to set the registrar lock, i.e. the EPP (Extensible Provisioning Protocol) status clientTransferProhibited. It blocks attempts to transfer the domain from one registrar to another, and therefore to take ownership of it. The lock shows up in the domain's whois record as:
Domain Status: ClientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
- Many wireless routers act as recursive DNS servers for the LAN. Don't leave them with default passwords or default configuration, and close unused ports.
- Hide the server version: in BIND, set the version option in the named configuration file so that version.bind no longer reveals the running release. Verify using:
$ dig @127.0.0.1 version.bind chaos txt
- Check that you have no open (public) recursive name server: only hosts inside the organization should be able to query the recursive server.
- DNS outsourcing is very common. When choosing a registrar, look at the security mechanisms it offers (MFA, EPP locks, etc.). There have been many cases of an attacker taking ownership of a domain simply by calling the registrar and using basic social engineering techniques.
- Good advice is to change the records of externally facing domains as rarely as possible, and to put the records that change often into a separate internal subdomain. That subdomain is controlled in-house and managed on a different server.
- Make sure routers and internet gateways do not expose DNS information to the outside, and that their administration interfaces are not reachable from the internet.
- Always follow the principle of least privilege when granting permissions, whether to processes or to users.
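The externally testable items above (zone transfer, version.bind disclosure, open recursion and the registrar lock) can be checked together from the outside. The script below is an added example, not from the original post. It assumes dig and whois are installed and that the name servers are reachable; www.iana.org is used as a third-party name that your servers should not be willing to resolve, and the function names and one-word verdicts are my own.

```shell
#!/bin/sh
# External DNS posture checks for one domain. Each check_* function prints a
# one-word verdict so the results can be consumed by other scripts.

# Does the server hand out the whole zone? Prints LEAKED, REFUSED, UNREACHABLE or UNKNOWN.
check_axfr() {   # $1 = name server, $2 = zone
    out=$(dig @"$1" "$2" AXFR +time=5 +tries=1 2>&1 || true)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo REFUSED
    elif printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo UNREACHABLE
    # A successful transfer prints the zone's records; the SOA is always among them.
    elif printf '%s\n' "$out" | grep -q '^[^;].*[[:space:]]IN[[:space:]]SOA[[:space:]]'; then
        echo LEAKED
    else
        echo UNKNOWN
    fi
}

# Does the server disclose its software version? Prints the version string or NONE.
check_version_bind() {   # $1 = name server
    v=$(dig @"$1" version.bind CHAOS TXT +short +time=5 +tries=1 2>/dev/null || true)
    [ -n "$v" ] && echo "$v" || echo NONE
}

# Does the server resolve names it is not authoritative for? A NOERROR answer with
# the "ra" (recursion available) flag set means it is an open resolver. Prints OPEN or CLOSED.
check_open_recursion() {   # $1 = name server, $2 = name the server is not authoritative for
    out=$(dig @"$1" "$2" A +time=5 +tries=1 2>/dev/null || true)
    if printf '%s\n' "$out" | grep -q '^;; flags:.* ra[; ]' &&
       printf '%s\n' "$out" | grep -q '^;; ->>HEADER<<-.*status: NOERROR' &&
       printf '%s\n' "$out" | grep -q 'ANSWER: [1-9]'; then
        echo OPEN
    else
        echo CLOSED
    fi
}

# Is the registrar lock set? Prints LOCKED or UNLOCKED from the EPP status codes in whois.
check_transfer_lock() {   # $1 = domain
    st=$(whois "$1" 2>/dev/null | grep -i 'Domain Status' || true)
    if printf '%s\n' "$st" | grep -qi 'clientTransferProhibited'; then
        echo LOCKED
    else
        echo UNLOCKED
    fi
}

# Runs every check against each published name server of the domain.
audit_domain() {   # $1 = domain, $2 = third-party name for the recursion probe (optional)
    domain=$1
    probe=${2:-www.iana.org}
    echo "registrar lock: $(check_transfer_lock "$domain")"
    for ns in $(dig +short NS "$domain"); do
        echo "$ns axfr=$(check_axfr "$ns" "$domain")" \
             "version=$(check_version_bind "$ns")" \
             "recursion=$(check_open_recursion "$ns" "$probe")"
    done
}

# Usage: sh dns-audit.sh taoufikznibae.com
if [ $# -gt 0 ]; then audit_domain "$@"; fi
```

Anything other than REFUSED / NONE / CLOSED / LOCKED on a public authoritative server is a finding worth fixing; run the same script from outside your network, since internal hosts may legitimately be allowed recursion or transfers.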