S 4.350 Secure basic configuration of a DNS server
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
DNS servers are attractive targets for attackers. By manipulating DNS servers, it is possible to influence all services using DNS. For example, web servers, email servers, remote administration applications, and such like can be influenced by manipulating domain information. For this reason, it is absolutely necessary to carefully configure the DNS servers.
Restriction of rights
A DNS server process should be granted only the minimum rights it requires, in order to limit the consequences of a successful attack on the process. If technically feasible, a separate user and a separate group should be created for the DNS server process, and this user is granted rights only to the files it needs. If the DNS server is started automatically at system start, the automated call must be designed so that the DNS server process runs under the designated user and group.
DNS server version
The version of the DNS server product in use may provide an attacker with valuable information; all vulnerabilities published to date for the DNS server product BIND, for example, are listed at http://www.isc.org/sw/bind/bind-security.php. The version number should therefore never be displayed, but replaced by a string such as "unknown". This safeguard does not directly increase the security of a DNS server, but it makes it more difficult for an attacker to obtain information.
Requests
There is an increased risk of cache poisoning attacks if DNS servers accept requests unconditionally. Therefore, it is important to restrict the accepted requests.
Resolving DNS servers are responsible for requests from the resolvers in the organisation's network, which are normally recursive requests. Resolving DNS servers must therefore accept recursive requests from the internal network. Requests originating from the Internet should not be accepted by them, since the advertising DNS server is responsible for those.
Requests originating from the Internet should always be answered iteratively: the advertising DNS server then only provides information about the zones it administers and is not able to send falsified responses.
In order to increase the security of resolving DNS servers further, an additional mechanism should be used. As already mentioned, resolving DNS servers must accept recursive requests from the organisation's internal IT systems and must therefore resolve names for which they are not authoritative. This is where an attacker might implant falsified information. Responses are matched to requests using:
- IP address
- request ID (random number)
- source port of the request
Since the IP address and the request ID alone provide insufficient protection, requests should additionally be sent from random source ports. A method currently used is to configure several IP addresses on the resolving DNS servers and to choose among them at random.
Zone transfers
The purpose of zone transfers is to synchronise the primary DNS server with the secondary DNS server(s): the primary DNS server reads the domain information from its zone files, and a zone transfer transmits this information to the secondary DNS server(s) and keeps them synchronised. Zone transfers should only be possible between the primary DNS server and the secondary DNS servers of a domain; see also S 4.351 Secure zone transfers.
Excluding certain DNS servers
If DNS servers known to deliver falsified domain information exist, the organisation's own resolving DNS servers must be prevented from sending requests to them.
If private IP networks such as 10/8, 172.16/12 and 192.168/16 are not used in the organisation, requests from these networks should be ignored for security reasons.
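The settings from the sections on the version string, requests, zone transfers and excluded servers can be combined in one named.conf. The following added example (not part of the catalogue text) writes such a BIND 9 configuration for either role. The internal network 192.0.2.0/24, the secondary 198.51.100.2, the zone example.org and the known-bad server 203.0.113.7 are constructed placeholders, and RFC 1918 space is blackholed only because the example assumes those ranges are not used internally.

```shell
#!/bin/sh
# Added example, not part of the BSI catalogue: write a hardened BIND 9
# named.conf for a resolving or an advertising (authoritative) server.
# Constructed placeholder values, replace with the real address plan:
# internal network 192.0.2.0/24, secondary 198.51.100.2, zone example.org,
# known-bad server 203.0.113.7. RFC 1918 ranges are blackholed only because
# this example assumes the organisation does not use them internally.
set -eu

INTERNAL_NET=${INTERNAL_NET:-192.0.2.0/24}
SECONDARY=${SECONDARY:-198.51.100.2}
BAD_SERVER=${BAD_SERVER:-203.0.113.7}

# Settings shared by both roles.
common_part() {
    cat <<EOF
acl internal { $INTERNAL_NET; 127.0.0.1; };
acl secondaries { $SECONDARY; };
acl rfc1918 { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

options {
    directory "/var/named";
    version "unknown";            // hide the product version (check: dig version.bind txt chaos)
    blackhole { rfc1918; };       // assumption: private ranges are not used internally
    // Never pin the UDP source port: BIND randomises it by default, and a
    // line such as "query-source address * port 53;" would switch that off.
EOF
}

# Resolving DNS server: recursion for the internal network only, no queries
# from the Internet, no zone transfers at all.
resolver_part() {
    cat <<EOF
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };
};

// A server known to hand out falsified data is never queried again.
server $BAD_SERVER { bogus yes; };
EOF
}

# Advertising DNS server: answers iteratively for its own zones only and
# transfers them only to the configured secondaries.
authoritative_part() {
    cat <<EOF
    recursion no;                 // requests from the Internet are answered iteratively only
    allow-query { any; };
    allow-recursion { none; };
    allow-transfer { secondaries; };
    notify yes;
};

zone "example.org" {
    type master;                  // "primary" in BIND 9.16 and later
    file "example.org.zone";
    allow-transfer { secondaries; };
};
EOF
}

# write_named_conf ROLE FILE  (ROLE is "resolver" or "authoritative")
write_named_conf() {
    case $1 in
        resolver)      { common_part; resolver_part; } > "$2" ;;
        authoritative) { common_part; authoritative_part; } > "$2" ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
}

# Syntax check with BIND's own tool when it is installed.
validate_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not found; skipping syntax check" >&2
    fi
}

if [ $# -eq 2 ]; then
    write_named_conf "$1" "$2" && validate_named_conf "$2"
fi
```

After the configuration has been loaded, the version setting can be checked from a client with dig @<server> version.bind txt chaos, which should return "unknown" instead of a product version. The comment on query-source matters because a fixed source port would disable the port randomisation that this safeguard relies on.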
Review questions:
- Have the rights of the DNS server process been restricted to the minimum extent required?
- Are only authorised hosts allowed to make recursive DNS requests?
- Can zone transfers only be performed between primary and secondary DNS servers?
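To answer the review questions for an existing installation, the following added script (not part of the catalogue text) inspects the global options block of a BIND 9 named.conf and reports, for each question plus the source-port point from the section on requests, whether the setting is restrictive. It assumes the relevant directives are in one file; where includes or views are used, named-checkconf -p prints a flattened configuration that can be fed to it instead.

```shell
#!/bin/sh
# Added example, not part of the BSI catalogue: audit a BIND 9 named.conf
# against the review questions above plus the source-port point from the
# "Requests" section. Assumption: the settings to check live in the global
# options block of one file (use "named-checkconf -p" to flatten includes).
set -eu

# Print the global options block with comments removed, joined on one line,
# so that multi-line address lists can be matched with a single grep.
options_block() {
    sed -e 's|//.*$||' -e 's|#.*$||' -e 's|/\*.*\*/||' "$1" |
    awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inblk = 1 }
        inblk {
            print
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) exit
        }' | tr '\n' ' '
}

# Print one result line; return 0 for PASS and 1 for FAIL.
report() { printf '%s: %s\n' "$1" "$2"; [ "$1" = PASS ]; }

check_version_hidden() {   # BIND reveals its real version unless overridden
    if printf '%s' "$1" | grep -Eq 'version[[:space:]]+"[^"]*"[[:space:]]*;'; then
        report PASS "version string overridden"
    else
        report FAIL "no version directive; product version exposed via version.bind"
    fi
}

check_recursion() {        # only authorised hosts may make recursive requests
    if printf '%s' "$1" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        report PASS "recursion disabled (advertising server)"
    elif printf '%s' "$1" | grep -Eq 'allow-recursion[[:space:]]*[{]([^}]*[[:space:]])?any[[:space:]]*;'; then
        report FAIL "allow-recursion contains any: open resolver"
    elif printf '%s' "$1" | grep -Eq 'allow-recursion[[:space:]]*[{]'; then
        report PASS "allow-recursion restricted to an explicit list"
    else
        report FAIL "recursion enabled without an allow-recursion list"
    fi
}

check_transfers() {        # zone transfers only to the secondaries
    if printf '%s' "$1" | grep -Eq 'allow-transfer[[:space:]]*[{]([^}]*[[:space:]])?any[[:space:]]*;'; then
        report FAIL "allow-transfer contains any: anyone can copy the zones"
    elif printf '%s' "$1" | grep -Eq 'allow-transfer[[:space:]]*[{]'; then
        report PASS "allow-transfer restricted to an explicit list"
    else
        report FAIL "allow-transfer not set globally; check every zone statement"
    fi
}

check_query_port() {       # a fixed source port defeats port randomisation
    if printf '%s' "$1" | grep -Eq 'query-source(-v6)?[[:space:]][^;]*port[[:space:]]+[0-9]+'; then
        report FAIL "query-source pins the UDP source port; remove the port clause"
    else
        report PASS "query source port left to BIND's randomisation"
    fi
}

# Run all checks on FILE; the return value is the number of failed checks.
audit_named_conf() {
    blk=$(options_block "$1")
    fails=0
    check_version_hidden "$blk" || fails=$((fails + 1))
    check_recursion "$blk"      || fails=$((fails + 1))
    check_transfers "$blk"      || fails=$((fails + 1))
    check_query_port "$blk"     || fails=$((fails + 1))
    return "$fails"
}

if [ $# -eq 1 ]; then audit_named_conf "$1"; fi
```

The checks are textual and deliberately simple: a PASS for allow-recursion or allow-transfer only means that an explicit list without "any" is configured, so the list itself still has to be compared with the authorised hosts and the secondary servers by hand.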