So far we've discussed improving the security of DNS from the perspective of preventing unwanted remote access to the DNS server across the network. However, even with all of my recommended precautions in place, there is still a possibility of an attacker gaining access to your DNS server or to a host that is allowed to talk to it. If that happens, you must rely on internal DNS security precautions, which include:
- Require secure dynamic updates
- Set DNS resource record registration quotas
- Delegate DNS administration
- Use secured routing
- Maintain a split DNS namespace
- Disable recursion
Obviously, if you can't trust your administrators, then you have a bigger problem to address than securing your DNS against remote attacks, and you need to deal with that internally first. However, if your administration staff is trustworthy and actively supports the enterprise-wide security infrastructure, these six DNS improvements and configurations strengthen your last line of defense. Let's look at each of them in more detail.
Secure dynamic updates require the client that submits a DNS update to authenticate (Windows clients use GSS-TSIG, signing the update with a Kerberos-derived key) and to hold write permission on the record or zone before the server will add, change, or delete DNS data. The server discards update requests that cannot be authenticated or that the authenticated requester is not permitted to make, so an anonymous client cannot subvert the zone. Without secure dynamic updates, anyone who can reach the server can insert false records into the zone; clients that trust the poisoned data are then misdirected to hosts of the attacker's choosing. The same weakness enables a form of denial of service: the attacker registers an unending stream of bogus records, which consumes storage and slows zone replication.
Fortunately, secure dynamic updates are the default for Active Directory-integrated zones on Windows 2000 Server and Windows Server 2003 DNS servers. However, you should verify that the setting has not been changed, and bear in mind that "secure only" is available only for zones stored in Active Directory. A standard (file-backed) primary zone can accept either nonsecure and secure updates or no updates at all, so for such zones the safe choice is to disable dynamic updates entirely.
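The following PowerShell script is an added example, not code from the original article. It audits the dynamic-update setting of every zone a Windows DNS server hosts through the MicrosoftDNS WMI provider (namespace root\MicrosoftDNS, class MicrosoftDNS_Zone) and, when run with -Fix, switches Active Directory-integrated zones that still allow nonsecure updates to "Secure only". The server name is an assumption; replace it with your own.

```powershell
# Added example: audit (and optionally fix) dynamic-update settings on a Windows DNS server.
# The server name is an assumption for illustration only.
param(
    [string]$Server = 'dns01.contoso.com',
    [switch]$Fix
)

# MicrosoftDNS_Zone.AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
$AllowUpdateText = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' -ComputerName $Server

$report = foreach ($zone in $zones) {
    # Only primary zones accept dynamic updates. Skip secondary (2), stub (3) and
    # forwarder (4) zones, and the auto-created loopback/broadcast reverse zones.
    if ($zone.ZoneType -ge 2 -or $zone.AutoCreated) { continue }

    if ($zone.AllowUpdate -eq 2) {
        $status = 'OK: secure only'
    } elseif ($zone.AllowUpdate -eq 0) {
        $status = 'OK: dynamic updates disabled'
    } elseif ($zone.DsIntegrated) {
        $status = 'FINDING: AD-integrated zone allows nonsecure updates'
    } else {
        # File-backed zones cannot require authentication; the only hardening is to turn updates off.
        $status = 'FINDING: file-backed zone allows nonsecure updates (secure-only not available)'
    }

    if ($Fix -and $zone.AllowUpdate -eq 1 -and $zone.DsIntegrated) {
        $zone.AllowUpdate = 2
        $zone.Put() | Out-Null      # write the changed property back to the DNS server
        $status = 'FIXED: set to secure only'
    }

    [pscustomobject]@{
        Zone         = $zone.Name
        DsIntegrated = [bool]$zone.DsIntegrated
        AllowUpdate  = $AllowUpdateText[[int]$zone.AllowUpdate]
        Status       = $status
    }
}

$report | Format-Table -AutoSize
```

The same check and change can be made with the built-in dnscmd tool: `dnscmd dns01.contoso.com /ZoneInfo contoso.com` reports the zone's update setting, and `dnscmd dns01.contoso.com /Config contoso.com /AllowUpdate 2` sets it to secure only. Run the audit on every DNS server, since the setting is stored per zone and a zone replicated through Active Directory can be inspected from any of them, while file-backed zones exist only on the server that holds the file.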
DNS resource record registration quotas are Active Directory directory-service quotas applied to the partitions that store AD-integrated zones. They limit the number of directory objects, and therefore DNS names, that a single security principal can own, which caps the damage a compromised account can do with a registration flood (it does not eliminate DoS altogether, since many accounts, each under quota, can still add up). Setting a default limit of 10 registrations for the application directory partitions and the domain directory partition is usually effective for workstations and ordinary servers. Domain controllers and other servers that register many records may require a larger quota, of 300 or 400, to function unhindered. DHCP servers should have no quota limitation, because they register records on behalf of their clients and so own a record for every lease. Quotas are enforced only by Windows Server 2003 domain controllers and are not applied to members of Domain Admins or Enterprise Admins. Quotas can be managed with the command line tools dsadd quota, dsmod quota, dsmod partition, dsquery quota, and dsget. For details on these commands, search on them as keywords in the Help and Support Center.
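The following PowerShell script is an added example, not code from the original article. It applies the quota plan just described with the Windows Server 2003 directory service tools (dsmod partition, dsadd quota, dsquery quota, dsget) and then checks the effective quota and current usage for two computer accounts. The domain name, partition DNs and account DNs are assumptions; substitute your own, and run it from an account permitted to write to CN=NTDS Quotas in each partition.

```powershell
# Added example: set default and per-account directory quotas for the partitions
# that hold AD-integrated DNS zones, then verify. All DNs below are assumptions.

# The domain partition holds Windows 2000-style AD-integrated zones; the two DNS
# application directory partitions hold zones replicated domain- or forest-wide.
$partitions = @(
    'DC=contoso,DC=com',
    'DC=DomainDnsZones,DC=contoso,DC=com',
    'DC=ForestDnsZones,DC=contoso,DC=com'
)

# Per-principal exceptions. -1 means unlimited. Each owner name in an AD-integrated
# zone is one dnsNode object, so a host that registers an A record in the forward
# zone and a PTR record in the reverse zone consumes two units of its quota.
$exceptions = @(
    @{ Acct = 'CN=DC01,OU=Domain Controllers,DC=contoso,DC=com'; Limit = 400; Desc = 'Domain controller' },
    @{ Acct = 'CN=DC02,OU=Domain Controllers,DC=contoso,DC=com'; Limit = 400; Desc = 'Domain controller' },
    @{ Acct = 'CN=DHCP01,CN=Computers,DC=contoso,DC=com';        Limit = -1;  Desc = 'DHCP server registering on behalf of clients' }
)

foreach ($part in $partitions) {
    # Default quota for every principal that has no explicit quota specification.
    & dsmod partition $part -qdefault 10
    if ($LASTEXITCODE -ne 0) { throw "dsmod partition failed for $part" }

    foreach ($e in $exceptions) {
        # -rdn names the msDS-QuotaControl object created under CN=NTDS Quotas,<partition>.
        $rdn = 'Quota-' + ($e.Acct -replace '^CN=([^,]+),.*', '$1')
        & dsadd quota -part $part -rdn $rdn -acct $e.Acct -qlimit $e.Limit -desc $e.Desc
        if ($LASTEXITCODE -ne 0) { throw "dsadd quota failed for $($e.Acct) in $part" }
    }
}

# Verify: list the quota specifications in one partition with their accounts and
# limits, then show the effective limit and current usage for a domain controller
# (explicit quota of 400) and for an ordinary member server (partition default of 10).
$dnsPart = 'DC=DomainDnsZones,DC=contoso,DC=com'
& dsquery quota $dnsPart | & dsget quota -acct -qlimit
& dsget computer 'CN=DC01,OU=Domain Controllers,DC=contoso,DC=com' -part $dnsPart -qlimit -qused
& dsget computer 'CN=WEB01,CN=Computers,DC=contoso,DC=com' -part $dnsPart -qlimit -qused
```

Before lowering the default in production, run the two dsget verification lines against a sample of existing hosts: a machine whose -qused already exceeds the new -qlimit keeps its existing records but will fail to register new ones, which shows up as DNS client event log errors rather than as an obvious quota message.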
I'll tackle the remaining DNS security improvements in the next two tips.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in July 2004