S 4.354 Monitoring of a DNS server
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
In order to also maintain the security of a DNS server during operations, it is not enough to only rely on careful planning and initial configuration. A series of safeguards must be implemented to enable prompt detection of any problems and security-critical gaps.
The capacity requirements must already be specified during the planning phase. However, since the capacity requirements depend on the
- size of the zone(s),
- number of requests,
- number of recursive requests,
- number of zone transfers,
- number of dynamic updates etc.,
it is difficult to plan the required capacities. Therefore, a DNS server must be monitored regularly regarding its load to adapt the performance capacity of the hardware if necessary. In addition, an increase in the load can be an indication of an ongoing attack.
Any changes made to the configuration must be documented carefully so that it is possible to follow and understand at any time who has made the respective change and for what reason. For changes to the configuration files, a revision control program can be used to facilitate the documentation and to be able to return to the earlier configuration settings (see S 2.25 Documentation of the system configuration).
In addition, the access authorisations of the DNS server in the file system must be checked at regular intervals. This should especially be performed after updating the software or making changes to the configuration.
The administrators must promptly obtain information on any current security gaps existing in the software used (see also S 2.35 Obtaining information on security weaknesses of the system).
The log files of the DNS server as well as of the lower-level operating system should be checked and evaluated at regular intervals. Irregularities in the log files which might indicate potential problems include:
- a high number of requests from certain sources
- a high number of (failed) zone transfers
- a high number of requests regarding certain domain names
- a high number of requests regarding domain names that do not exist
- a high number of recursive requests which are not permitted.
However, such irregularities do not necessarily indicate a compromise of the server; they are often caused by incorrect settings.
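As an added example (not part of the BSI safeguard text), the following Python script applies simple threshold checks for the five irregularity classes listed above to a constructed, simplified log excerpt; the log format, the client addresses and the thresholds are all assumptions, and a real deployment would parse the actual query log format of its DNS server.

```python
from collections import Counter

# Constructed sample excerpt in a simplified, constructed format
# "CLIENT KIND NAME RESULT"; not the output of any real DNS server.
SAMPLE_LOG = """\
198.51.100.7 query www.example.org NOERROR
203.0.113.9 query a1.example.org NXDOMAIN
203.0.113.9 query a2.example.org NXDOMAIN
203.0.113.9 query a3.example.org NXDOMAIN
203.0.113.9 query a4.example.org NXDOMAIN
192.0.2.44 axfr example.org REFUSED
192.0.2.44 axfr example.org REFUSED
192.0.2.44 axfr example.org REFUSED
198.51.100.7 recursion www.example.com DENIED
198.51.100.7 recursion www.example.com DENIED
198.51.100.7 recursion www.example.com DENIED
198.51.100.7 recursion www.example.com DENIED
"""

def parse(log):
    """Yield (client, kind, name, result) for each well-formed line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def find_irregularities(log, volume_threshold=4, failure_threshold=3):
    """Map each irregularity class named in the safeguard to the clients
    or names whose count reaches the (assumed) threshold for that class."""
    per_client, per_name = Counter(), Counter()
    nxdomain, failed_axfr, denied_recursion = Counter(), Counter(), Counter()
    for client, kind, name, result in parse(log):
        per_client[client] += 1    # many requests from one source
        per_name[name] += 1        # many requests for one name
        if result == "NXDOMAIN":   # names that do not exist
            nxdomain[client] += 1
        if kind == "axfr" and result != "NOERROR":      # failed zone transfers
            failed_axfr[client] += 1
        if kind == "recursion" and result == "DENIED":  # recursion not permitted
            denied_recursion[client] += 1
    def over(counter, threshold):
        return sorted(k for k, n in counter.items() if n >= threshold)

    return {
        "busy_sources": over(per_client, volume_threshold),
        "busy_names": over(per_name, volume_threshold),
        "nonexistent_names": over(nxdomain, failure_threshold),
        "failed_zone_transfers": over(failed_axfr, failure_threshold),
        "denied_recursion": over(denied_recursion, failure_threshold),
    }
```

Thresholds must be tuned to the normal load of the server in question; as the text notes, a hit is a prompt to check the configuration first, not proof of an attack.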
Secure operations also include additional contingency safeguards to be carried out at regular intervals (see also S 6.139 Creation of a business continuity plan for DNS servers).
Review questions:
- Is the load of the DNS servers checked at regular intervals?
- Are changes made to the configuration of the DNS server documented (automatically)?
- Are the access authorisations of the DNS servers checked regularly?
- Are the administrators informed about current security gaps regarding the DNS server software?
- Are the log files of the DNS server checked regularly?