S 3.73 Training the administrators of a DNS server

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: IT Security Officer

In order to correctly and securely administrate the DNS server, the administrators responsible must be trained accordingly. Even minor configuration errors may result in the creation of security-critical gaps. Profound expert knowledge is particularly required for carefully planning the use of a DNS server and for restricting the communication to legitimate subscribers.

Along with the general operating system security aspects, as described in S 3.102 Servers in Unix or S 3.8 Windows Server 2003, for example, the following items are important:

• installation of the DNS server
• options for integrating the DNS server into the start process of the operating system
• introduction to potential threats in order to create a basic understanding in terms of attack modes
• creation of a role concept both for the configuration rights by the administrators and for the rights of the DNS server process
• difference between advertising and resolving DNS servers
• configuration options of the DNS server
• mechanisms for securing requests
• mechanisms for securing zone transfers
• mechanisms for securing dynamic updates (if applicable)
• potential applications and configuration of DNSSEC
• mechanisms for ensuring the availability of DNS servers
• mechanisms for backing up the zone information
• Is there sufficient budget for the training measures?

Review questions:

• Have the administrators been trained accordingly as to how to handle DNS servers and are the administrators familiar with the security-relevant aspects, thus?