In last week's tip, I covered the first two DNS security precautions from the list below:
- Secure dynamic updates
- DNS resource record registration quotas
- Delegate DNS administration
- Use secured routing
- Maintain a split DNS namespace
- Disable recursion
The next two DNS security improvements are delegating DNS administration and using secured routing.
The zone containers used to store DNS information have pre-defined access restricted. You should evaluate the current state of the ACLs on these containers to ensure they represent the most secured configuration possible for your specific environment. Users need only read access to zone information. By default, full access to all DNS elements is assigned to Administrators, Domain Admins, Enterprise Admins, and DNS Admins. All others have read access assigned by default.
Using secure routing options is another important issue to consider. Queries may be received by a DNS server through various means. They may be routed through conditional forwarding, sent from secondary zones, or via a root hint. Depending on the placement of DNS servers and firewalls in your network, different configurations are needed.
When two AD namespaces managed by different DNS servers are separated by a firewall, access is only needed into the domain that hosts the DNS server acting as a forwarded. Otherwise, if secondary zones or delegated zones are used across the firewall, then two-way DNS communication is necessary.
Making a choice between secondary zones and forwarding is not easy and straightforward. Secondary zone information is not stored in AD. Instead, it is stored in a text file. This exposes secondary zone DNS configuration to attack. Forwarding does not store data in text files, however it will increase name resolution traffic on your network. Forwarders also slightly reduce the fault tolerance of your overall DNS infrastructure. The reduction in fault tolerance is based upon the notion that you will rely upon forwarders which do not include redundant copies of the DNS data instead of true DNS servers which do provide redundancy by maintaining a copy of the DNS data set. Also, forwarders forward DNS queries that are not locally resolvable from its cache (i.e. a storage area of previously resolved queries) to a single specific DNS server. If that one DNS server is offline or unavailable, forwarding fails as well.
If you host a DNS root internally, configure the root hints of all DNS servers in your domain to point only to your internal DNS root. Do not allow them to point to public Internet DNS root servers. Otherwise, this would allow your private information to be sent over the Internet when external DNS is used for resolution.
I'll tackle the final two DNS security improvements in the next tip.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in August 2004