(This is something I wrote for my company's public newsletter)..Top 10 DNS Infrastructure Best Practices
A corporation's Domain Name System (DNS) Infrastructure plays an integral, but often overlooked role, in the overall security posture of the network environment. Not only should these services be configured securely, they should also be designed to provide a very high level of availability and redundancy.
1. "Split Horizon" DNS
refers to the practice of separating DNS into an external and internal view. This provides a logical separation between the DNS information available to internal network clients and what is made publicly available to the internet at large. DNS store a wealth of information regarding the configuration of a network. Being able to enumerate this information is an invaluable resource for would-be attackers. By separating the publicly available information from that required by internal clients, adds a very critical layer of protection. Split horizon DNS can be accomplished in several methods, but separation on physical devices is the preferred.
in simple terms is the ability of a DNS server to answer client requests for domains which it is not authoritative for. Using a split horizon DNS deployment model, there are two primary sets of DNS servers, internal and external. Internal servers should be configured to perform recursion to service the requests of the internal network clients. However, external DNS servers should be explicitly configured to deny recursion. External DNS servers should solely answer requests for the domains for which they are the authoritative for. Public DNS servers which allow recursion have been recently exploited in as amplification machines in Distributed Denial of Service (DDoS) attacks. Not only does this consume valuable machine and bandwidth resources, but there also could be legal ramifications for an organization whose servers were exploited.
3. DNS by design has the ability to offer a high level of availability and redundancy
. An organization should have two or more primary DNS servers. These devices should be both geographic and carrier diverse
. Having multiple DNS servers in the same physical location on the same internet connection provides very limited redundancy. A single carrier outage or fiber cut can instantly isolate all of your DNS servers. Instead, these should be distributed in across different geographical regions utilizing different internet providers. This can be accomplished by placing the servers in either a remote office, a collocation facility, or utilizing a hosted DNS provider. Ideally an organization should have a minimum of two (2) DNS servers with three (3) being the recommended number.
4.The NS records
for an organization's domain name provide public DNS servers with the information needed to find the authoritative nameservers for that domain. These records are uploaded from your domain registrar to the Top Level Domain (TLD) DNS servers. As changes are made to your DNS infrastructure, its imperative that your NS records updated to reflect these changes.
5. Lame Delegation
is a term that is used to refer to servers that are listed as authoritative for a specific domain but do not answer authoritatively. This can cause delayed responses, increased workload on both an organization's and the TLD DNS servers and is a problem that has plagued the internet for several years now. The extent of this problem can be seen by looking for the "Lame" keyword in the server logs of any active recursive DNS server. This problem can be avoided by keeping the NS and SOA records for your domains accurate and up to date.
6. Zone transfers
are the ability for a slave DNS server to pull records from a master server to a slave. This allows you to host all of your zonefiles on a master machine and have them automatically propagate to slave machines after a change is made. The ability to transfer an entire zonefile for a domain also provides a easy way for would-be attackers to enumerate an organizations network. Because of this DNS servers should be configured to limit zone transfer requested to the IP addresses of designated slave machines.
7. MX records
are the DNS records that allow your organization to receive email. Each domain should have a minimum of two (2) MX records. These records also have a preference number associated with them. The lower numerical value of the preference translates into the higher priority mail gateway. Therefore, if you have two (2) gateways, a primary and a secondary, then the primary would have a MX preference value of ten (10) and the secondary of twenty (20) so that the primary would be the higher priority mail gateway.
8. All MX records should have a corresponding PTR record
. RFC1912 dictates that all mail gateways should have Reverse DNS entries configured. Many mail servers are configured to not accept email from gateways which don't have proper Reverse DNS entries.
9. DNS server versions
often provide a would-be attacker with valuable information about the DNS application running on that machine. Published exploits corresponding to that specific version of the application can quickly be located and launched. For this reason, DNS server versions should be modified to obfuscate the actual running version number.
10. Zone file serial numbers
are used by master DNS servers to inform the salve servers when a zone file has been changed and needs to be transferred. Every time a change is made to the zone file, the serial number should be incremented. If this is not done, DNS zone data can quickly become out of sync, causing enterprise-wide problems.