DNS is an integral part of network connectivity, but by virtue of its simple design it lacks built-in security. Listed here are 9 ways to mitigate these shortcomings and thus protect your data.
1. Use DNS Forwarder
A DNS forwarder essentially forwards queries from one DNS server to another. Thus, your internal DNS server does not resolve domain names to IP addresses itself and instead hands the query to a larger upstream DNS server. This protects it from spoofing.
2. Use Caching-only Servers
Caching-only DNS servers are not authoritative and have only one function: to cache resolved answers. For every query, they forward the request to an authoritative DNS server and cache only the answer.
3. Use DNS Advertisers
A DNS advertiser only answers queries for the domains it is authoritative for and does not perform recursion. Thus, users cannot use your public server for general lookups. This prevents the general risks of a public server, including cache poisoning.
4. Use DNS Resolvers
A DNS resolver performs recursive queries solely to resolve names on behalf of clients and is not authoritative for any zone. A DNS resolver may be internal, external or both.
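The four roles above map onto a handful of settings in the Windows DNS Server PowerShell module (`DnsServer`). The script below is an added example, not code from the original article; it assumes it is run as an administrator on a Windows DNS server, and the upstream resolver addresses are placeholders from the RFC 5737 documentation ranges. The report function at the end shows the settings that distinguish the roles, so a server can be checked against the role it is meant to play.

```powershell
# Added example (not from the original article): apply one of the four DNS
# server roles to a Windows DNS server and report the settings that define it.
# Requires the DnsServer module and administrative rights on the server.

$Upstream = @('192.0.2.53', '198.51.100.53')   # assumed upstream resolvers (placeholders)

function Set-DnsServerRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Forwarder', 'CachingOnly', 'Advertiser', 'Resolver')]
        [string]$Role
    )

    switch ($Role) {
        'Forwarder' {
            # Everything the server is not authoritative for goes to the upstream
            # resolvers; with UseRootHint $false it never walks the root itself.
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false
        }
        'CachingOnly' {
            # Same forwarding setup, but the server must not host any zone of its own.
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false
            $hosted = Get-DnsServerZone |
                Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
            if ($hosted) {
                Write-Warning ('Caching-only server still hosts zones: ' + ($hosted.ZoneName -join ', '))
            }
        }
        'Advertiser' {
            # Answer only for hosted zones. Disabling recursion also disables the
            # forwarders, so outsiders cannot use this server as an open resolver.
            Set-DnsServerRecursion -Enable $false
        }
        'Resolver' {
            # Recursion on and resolution starts from the root hints; the server
            # should host no zones (see the report below).
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -UseRootHint $true
        }
    }
}

function Get-DnsServerRoleReport {
    # Summarise the settings that distinguish the roles. An advertiser with
    # recursion enabled, or a resolver hosting zones, is misconfigured.
    $rec = Get-DnsServerRecursion
    $fwd = Get-DnsServerForwarder
    $zones = @(Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' })
    [pscustomobject]@{
        RecursionEnabled = $rec.Enable
        Forwarders       = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        UseRootHint      = $fwd.UseRootHint
        HostedZones      = $zones.Count
    }
}

# Usage: configure this server as a public authoritative server (advertiser)
# and print the resulting role report.
Set-DnsServerRole -Role Advertiser
Get-DnsServerRoleReport
```

The report is what you would put in a periodic audit: a server meant to be an advertiser must show `RecursionEnabled` false, and a resolver or caching-only server must show `HostedZones` of 0.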
5. Protect DNS from Cache Poisoning
Cache poisoning involves seeding the DNS cache with rogue records in order to redirect users to malicious sites. Use your DNS server's tools to configure the cache so that it cannot be polluted. BlueCat protects DNS against this and many other attacks.
6. Enable DDNS for Secure Connections
Limit access to the DNS server for dynamic updates so that malicious devices cannot gain control and pollute the server. Active Directory-integrated zones can be used to prevent unauthorized updates.
7. Disable Zone Transfers
While zone transfers let a secondary DNS server synchronize with the primary, any rogue query can also dump the entire zone database. Malicious agents can exploit this to reconfigure your server. Disable zone transfers to prevent it.
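Items 5, 6 and 7 are all settings on a Windows DNS server, so one script covers them: cache pollution protection and a larger socket pool for item 5, secure-only dynamic updates for item 6, and zone transfers either disabled or restricted to named secondaries for item 7, followed by an audit of every hosted zone. This is an added example, not code from the original article; the zone name `corp.example` and the secondary address are placeholders, and the `Secure` dynamic-update mode is only accepted for Active Directory-integrated zones.

```powershell
# Added example (not from the original article): harden cache behaviour,
# dynamic updates and zone transfers on a Windows DNS server, then audit zones.
# Requires the DnsServer module and administrative rights. Names and addresses
# below are placeholders.

$ZoneName    = 'corp.example'   # assumed AD-integrated primary zone (placeholder)
$Secondaries = @('192.0.2.2')   # assumed legitimate secondary servers (placeholder)

function Protect-DnsServerCache {
    # Item 5. Pollution protection discards records in a response that are not
    # related to the name queried; SecureResponse applies the same rule to
    # answers received during recursion. Both are cache-poisoning mitigations.
    Set-DnsServerCache -PollutionProtection $true
    Set-DnsServerRecursion -SecureResponse $true
    # A larger socket pool spreads outbound queries over more source ports, which
    # makes blind response spoofing much harder. dnscmd is used here because the
    # pool size is a dnscmd configuration value; it takes effect after the DNS
    # service restarts.
    dnscmd /Config /SocketPoolSize 2500 | Out-Null
}

function Protect-DnsZone {
    param(
        [string]$Name = $ZoneName,
        [string[]]$AllowedSecondaries = $Secondaries
    )
    $zone = Get-DnsServerZone -Name $Name
    # Item 6: only clients that authenticate to Active Directory may register or
    # change records. This setting requires an AD-integrated zone.
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -Name $Name -DynamicUpdate Secure
    } else {
        Write-Warning "$Name is not AD-integrated; secure dynamic update is unavailable, disabling dynamic update instead"
        Set-DnsServerPrimaryZone -Name $Name -DynamicUpdate None
    }
    # Item 7: no transfers at all, as the article recommends, unless there are
    # legitimate secondaries, in which case transfers go only to those addresses.
    if ($AllowedSecondaries.Count -gt 0) {
        Set-DnsServerPrimaryZone -Name $Name -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $AllowedSecondaries
    } else {
        Set-DnsServerPrimaryZone -Name $Name -SecureSecondaries NoTransfer
    }
}

function Get-DnsZoneRisk {
    # Lists every hosted primary zone with the two settings above and a plain
    # description of what is wrong, so the output can be reviewed or exported.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' } |
        ForEach-Object {
            $risk = @()
            if ($_.DynamicUpdate -eq 'NonsecureAndSecure') { $risk += 'accepts unauthenticated updates' }
            if ($_.SecureSecondaries -eq 'TransferAnyServer') { $risk += 'allows zone transfer to any host' }
            [pscustomobject]@{
                Zone          = $_.ZoneName
                DynamicUpdate = $_.DynamicUpdate
                Transfers     = $_.SecureSecondaries
                Risk          = ($risk -join '; ')
            }
        }
}

# Usage: harden the server cache and the example zone, then review all zones.
Protect-DnsServerCache
Protect-DnsZone
Get-DnsZoneRisk | Format-Table -AutoSize
```

`Get-DnsZoneRisk` is the part worth scheduling: a zone that later drifts back to `NonsecureAndSecure` or `TransferAnyServer` shows up in the `Risk` column the next time it runs.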
8. Use firewalls
Configure your firewalls to block access to the DNS server by external hosts. This way you limit who can reach your DNS server and restrict its use, thereby minimizing the risk of corruption.
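On a Windows DNS server the host firewall can enforce this directly. The script below is an added example, not code from the original article; it assumes the server's DNS is meant for internal use only and that the three private address ranges are the internal networks (adjust them for your own). It disables any inbound allow rule for port 53 that admits queries from anywhere (including the rules the DNS role installs by default), adds allow rules scoped to the internal ranges, and then lists what is still exposed.

```powershell
# Added example (not from the original article): restrict inbound DNS on a
# Windows DNS server to internal networks using the Windows Firewall
# (NetSecurity module). Requires administrative rights. Address ranges are
# placeholders for your internal networks.

$InternalNets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function Restrict-DnsInbound {
    param([string[]]$AllowedFrom = $InternalNets)

    # 1. Disable every existing inbound allow rule for port 53. Windows evaluates
    #    block rules before allow rules, but an allow rule from 'Any' left in
    #    place would still admit external hosts once nothing blocks them.
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq '53' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    # 2. Allow DNS over UDP and TCP only from the internal ranges.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS $proto from internal networks only" `
            -Direction Inbound -Protocol $proto -LocalPort 53 `
            -RemoteAddress $AllowedFrom -Action Allow -Profile Domain,Private | Out-Null
    }

    # 3. Make the default explicit: anything not matched by an allow rule is dropped.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
}

function Get-DnsInboundExposure {
    # Report every enabled inbound allow rule for port 53 with the remote
    # addresses it accepts. A RemoteAddress of 'Any' means external hosts can reach DNS.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            if ($port.LocalPort -eq '53') {
                $addr = $_ | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Protocol      = $port.Protocol
                    RemoteAddress = ($addr.RemoteAddress -join ', ')
                    Profile       = $_.Profile
                }
            }
        }
}

# Usage: apply the restriction, then confirm no rule still lists 'Any'.
Restrict-DnsInbound
Get-DnsInboundExposure | Format-Table -AutoSize
```

For a server that is deliberately public (an advertiser, item 3), skip the restriction and rely on recursion being disabled instead; the exposure report is still useful there to confirm that only port 53 is reachable.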
9. Set Access Controls on DNS Registry Entries
Windows-based DNS servers should be configured to allow access to key registry entries only by the specific agents that require them. You can do this by changing the permissions on the HKLM\CurrentControlSet\Services\DNS key so that only system administrators have access.
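The permission change can be scripted with `Get-Acl` and `Set-Acl`. The script below is an added example, not code from the original article; it assumes the service key's full path is `HKLM:\SYSTEM\CurrentControlSet\Services\DNS` (the `SYSTEM` hive is where service keys live) and it keeps `NT AUTHORITY\SYSTEM` alongside the Administrators group because the DNS service itself runs as LocalSystem and must still read its own configuration.

```powershell
# Added example (not from the original article): restrict the ACL on the DNS
# service registry key to SYSTEM and the local Administrators group, then
# report who has access. Requires administrative rights.

$DnsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'   # assumed full path of the key

function Protect-DnsRegistryKey {
    param([string]$Path = $DnsKey)

    $acl = Get-Acl -Path $Path
    # Stop inheriting entries from the parent Services key and drop the inherited
    # ones (second argument $false) so that the key gets an explicit ACL only.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit entry that is left, whoever it belongs to.
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }

    # Grant full control to SYSTEM (the DNS service account) and Administrators,
    # inherited by subkeys such as Parameters and Zones.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'FullControl', $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl
}

function Get-DnsRegistryAccess {
    param([string]$Path = $DnsKey)
    # One row per ACE, so the result can be compared against the expected two
    # identities; any other identity with write rights is a finding.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.RegistryRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
        }
    }
}

# Usage: apply the ACL and show the resulting entries.
Protect-DnsRegistryKey
Get-DnsRegistryAccess | Format-Table -AutoSize
```

Check `Get-DnsRegistryAccess` before applying the change as well, so you have a record of the original entries; and if any monitoring or backup agent must read the DNS configuration under a non-administrative account, add a separate `ReadKey` rule for that account rather than widening the two entries above.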