S 4.352 Secure dynamic DNS updates

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

To use dynamic updates securely, it must be ensured that only legitimate IT systems may change domain information. Furthermore, it must be specified which domain information may be changed by the individual IT systems. To ensure that domain information is not manipulated by unauthorised IT systems with the help of dynamic updates, there are two options: restricting updates by IP address, or using TSIG.

When restricting by IP address, the source of the dynamic update is identified by its IP address. When using TSIG, symmetric encryption is used to identify the source of the dynamic update; see also S 4.351 Secure zone transfers.

In addition to the susceptibility to IP spoofing, the use of IP addresses entails another problem. Secondary DNS servers may be configured as forwarders for dynamic updates, and the primary DNS server may be configured in such a way that it only accepts updates from the secondary DNS servers. Since the IT systems from which updates are accepted are configured only on the secondary DNS servers, the primary DNS server does not learn where the updates originally come from. As a result, it is not possible to restrict which hosts may perform dynamic DNS updates based on the original source.

In addition to source identification, it must be configured which domain information may be changed. The rules should be configured in such a way that dynamic updates can still be used smoothly. For example, a DHCP server requires authorisation to change the assignment of domain names and IP addresses, but there is no reason to allow a DHCP server to change the responsible DNS server for the zone.
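
The following Python sketch is an added example and not part of the safeguard text. It contrasts a check on the source IP address with a key-based check that also limits which record types each key may change. The key names, secrets, addresses and the simplified message format (a keyed hash over a text string, not the TSIG wire format, and without TSIG's timestamp) are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: key names, secrets, zone names and addresses are illustrative.
KEYS = {"dhcp1-key": b"constructed-secret-dhcp1", "admin-key": b"constructed-secret-admin"}
# Per-key policy: which record types each key may change in the zone.
POLICY = {"dhcp1-key": {"A", "AAAA", "PTR"}, "admin-key": {"A", "AAAA", "PTR", "NS", "MX"}}
# The primary trusts only the address of the secondary acting as update forwarder.
IP_ACL = {"192.0.2.53"}


def _message(key_name, name, rtype, rdata):
    """Canonical byte string covered by the keyed hash (simplified format)."""
    return "|".join((key_name, name.lower(), rtype, rdata)).encode()


def sign(key_name, name, rtype, rdata):
    """Client side: compute the keyed hash over the update with the shared secret."""
    return hmac.new(KEYS[key_name], _message(key_name, name, rtype, rdata),
                    hashlib.sha256).hexdigest()


def check_by_ip(src_ip):
    """IP-based restriction: the decision depends only on the packet's source address."""
    return src_ip in IP_ACL


def check_by_key(key_name, name, rtype, rdata, mac):
    """Key-based restriction: verify the keyed hash, then apply the key's type policy."""
    secret = KEYS.get(key_name)
    if secret is None:
        return "REFUSED: unknown key"
    expected = hmac.new(secret, _message(key_name, name, rtype, rdata),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return "REFUSED: bad signature"
    if rtype not in POLICY[key_name]:
        return "REFUSED: type not permitted for key"
    return "ACCEPTED"


if __name__ == "__main__":
    # Every update relayed by the forwarder carries the forwarder's address,
    # so the primary cannot tell the original senders apart.
    print("IP check for forwarded update:", check_by_ip("192.0.2.53"))
    mac = sign("dhcp1-key", "pc17.example.org", "A", "198.51.100.17")
    print(check_by_key("dhcp1-key", "pc17.example.org", "A", "198.51.100.17", mac))
    mac_ns = sign("dhcp1-key", "example.org", "NS", "ns2.example.net")
    print(check_by_key("dhcp1-key", "example.org", "NS", "ns2.example.net", mac_ns))
```

Because the key name travels with the signed update, the per-key policy still applies when the update reaches the primary through a forwarder.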

Review questions: