S 2.451 Planning the use of DNS

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: IT Security Officer

A basic requirement for the secure use of DNS servers is appropriate advance planning. For this, a concept must be drawn up at first that should contain information on how the DNS is to be designed and which domain information is worthy of protection, amongst other information. Not only the aspects classically associated with the term "security" need to be planned, but also normal operating aspects that may lead to requirements in the area of security. Safeguard S 2.450 Introduction to DNS basics provides information on the design and the basic structure of DNS.

Selecting the hardware

The hardware a DNS server is to be operated on has decisive influence on the overall performance of the system to be built. In this regard, it must be considered how many requests a DNS server receives on average, whether or not it is a resolving DNS server accepting recursive requests, or whether or not it is an advertising DNS server only accepting iterative requests, and whether or not the use of DNSSEC (DNS Security Extensions) is planned.

For DNS servers, an adequate extension of the main memory is important so that the server does not have to outsource storage content to the hard disk, which would result in increased response times. If DNSSEC is used, it must absolutely be ensured that the processor speed is increased accordingly in order to maintain appropriate throughput during cryptographic operations. The capacities for main memory and processor speed selected during the planning phase must be checked during operations, since the capacities actually required can only be determined accurately during live operations.

Visibility of the domain information

A DNS server administrates the information for its authoritative zones. Some of these zones are intended for the public, e.g. the IP address of a web server or email server. However, part of the domain information refers to the internal structure of the organisation's network. This information may often provide details on the function or the location of the corresponding network components. Therefore, the visibility of this domain information should be restricted with the help of a differentiation between advertising and resolving DNS servers, as described in the "separate DNS servers" section below.

The name space of an information system should be divided into a public and an organisation-internal area. The public part should only contain such domain information (normally the IP address or the host name) required for the smooth functioning of services that are to be available from the outside. Normally, these include:

• web servers
• email servers
• DNS servers
• VPN connection points

Within the organisation, the visibility of the information does not have to be restricted in the majority of cases. The domain information visible to the outside and the information not visible to the outside must be taken into consideration when planning the use of DNS.

Separate DNS servers

DNS servers are differentiated according to their tasks, wherein there are two basic types as a matter of principle:

• advertising DNS server
• resolving DNS server

The task of advertising DNS servers is usually to process requests from the internet. Resolving DNS servers, however, process requests from the internal network. Since these two tasks differ, they must be separated. Therefore, it is recommendable to use separate physical servers for advertising and resolving DNS servers in each case. The advertising DNS server administrates the domain information available from external sources and only supports iterative requests; the resolving DNS server administrates the internally visible information and supports both iterative and recursive requests.

If the time and expense required for separating the advertising from the resolving DNS server is too high or if this is not possible due to technical reasons, more simple configurations may be used, if required. A BIND DNS server offers the option of defining different views to the domain information. In this case, a DNS server may administrate a view for requests from the internal network of an organisation providing all domain information of an information system. This is the resolving DNS server. The second view for requests originating from the internet only contains a part of the domain information classified as being public during classification. This is the advertising DNS server. This design offers a lower level of security when compared to two separate DNS servers and whether the higher risk is acceptable must be considered on a case-by-case basis.

Location of the DNS servers in the network

The location of the DNS servers depends on the network infrastructure of the respective organisation. However, some basic rules must be adhered to:

• Primary and secondary DNS servers must be located in different IP subnets. Furthermore, they must not be connected to the same network switching element. This way, the availability of the name resolution function is not affected adversely in the event of a failure of an IP subnet or a network switching element, see also T 1.2 Failure of the IT system.
• Advertising DNS servers should be located in the demilitarised zone (DMZ). More information in this regard can be found in module S 3.1 Security gateway (firewall).
• Resolving DNS servers are responsible for requests of the organisation's internal systems. Therefore, these servers should be located within the trustworthy network of the organisation as close as possible to the requesting IT systems in order to avoid long response times and unnecessary network loads. Furthermore, resolving DNS servers must not be available from external IT systems.
• If the visibility of the information is restricted, the public part of the domain information should be administrated by the advertising DNS server in the DMZ.
• If a forwarder is used for resolving the internet domain name space for the internal name servers, this forwarder should not be located within the internal network.
• If caching-only DNS servers are used in the organisation's internal network, the resolvers on the clients should not buffer any domain information. Buffering is performed by the caching-only DNS server. The number of requests is minimised with the help of the central memory. Furthermore, the central cache of the caching-only DNS server can be deleted easily in order to remove the falsified information in the event of a successful cache poisoning attack.
• In information systems, security gateways are used as standard today. In order to accept DNS network traffic, corresponding rules must be configured on the security gateways and packet filters, described in S 4.98 Restricting communication to a minimum with packet filters or in S 5.118 Integration of a DNS server into a security gateway. During the planning phase, it should be ensured that the lowest number of routes and ports need to be opened.

An exemplary distribution of the DNS servers in combination with security gateways and packet filters is described in S 5.118 Integration of a DNS server into a security gateway.

Resolver

Resolvers are integrated into the commonly used operating system as standard and therefore do not have to not be selected and procured separately. However, it should be ensured that the resolvers of the internal IT systems use the internal resolving DNS servers for name resolution. They should in no case query external DNS servers by default. Additionally, the DNS suffixes used by the resolvers should also be defined, e.g. ""bsi.bund.de". As a result, the rest of the domain name is automatically completed to become the Fully Qualified Domain Name (FQDN) "hostx.bsi.bund.de." when resolving the name of "hostx".

Administration of domain names

During the planning phase, the responsibilities for administrating the internet domain names should be defined. The person responsible must ensure that the safeguards are adhered to, as described in S 2.298 Administration of Internet domain names.

Review questions:

• Are separate DNS servers used for the requests from the organisation's internal and external IT systems?
• Has the visibility of domain information been restricted?
• Is there a plan for integrating the DNS servers into the network of the information system?
• Do the resolvers of the internal hosts use the internal resolving DNS servers for name resolution?
• Is there a person responsible for administrating the internet domain names?
• Has it been ensured that the necessary capacities are provided with regard to the DNS server hardware?