Common threats to DNS servers include:

Denial-of-service (DoS) attacks: A DoS attack occurs when a DNS server is flooded with recursive queries in an attempt to prevent it from servicing legitimate client requests for name resolution. A successful DoS attack can make DNS services unavailable and eventually shut down the network.

Footprinting: Footprinting occurs when an intruder intercepts DNS zone information. With this information, the intruder can discover the DNS domain names, computer names, and IP addresses that are in use on the network, and then use it to decide which computers to attack.

IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack, the intruder can use that IP address to send malicious packets to the network or to access network services. The intruder can also use the valid IP address to modify data.

Redirection: A redirection attack occurs when an intruder is able to make the DNS server forward or redirect name resolution requests to incorrect servers, that is, servers under the intruder's control. An intruder achieves a redirection attack by corrupting the DNS cache of a DNS server that accepts unsecured dynamic updates.

Understanding the DNS Security Levels

Microsoft has defined three basic levels of DNS security (guidelines) to assist you in implementing a DNS security strategy for a Windows Server 2003 DNS infrastructure.

Low-level security: Low-level security should be used when there is no threat of DNS data being intercepted. Microsoft describes low-level security as the default configuration settings when Windows Server 2003 DNS is installed.

The characteristics of the low-level security configured on DNS servers are:

  • The DNS infrastructure and namespace are completely open and exposed to the Internet.
  • Port 53 is open on your firewall for both source and destination addresses.
  • The DNS servers in your DNS environment all use standard DNS name resolution.
  • The DNS servers are configured with root hints that point to the root servers for the Internet.
  • DNS servers that have multiple IP addresses are configured to listen for DNS queries on all interfaces.
  • The DNS servers are allowed to transfer zone data to any server that requests a copy of zone data.
  • All your DNS zones accept dynamic updates from DNS clients. Dynamic updates are allowed on the DNS server, and clients are free to update their own resource records at any time.
  • The configuration setting that prevents cache pollution is disabled on your DNS servers.

Medium-level security: The medium-level security configuration provides more protection than low-level security. In medium-level security, zone data can be stored in primary and secondary zone files. However, the Active Directory security features that are available when Active Directory-integrated zones are used are not available with the medium level of DNS security.

The characteristics of the medium-level security configured on DNS servers are:

  • The exposure of the DNS infrastructure and DNS namespace to the Internet is limited: only specified traffic is permitted to and from the DNS server.
  • DNS zone transfer is limited to the DNS servers listed in the NS records of the zone(s) being transferred. The list can be viewed on the Name Servers tab.
  • DNS zones do not accept dynamic updates.
  • The internal DNS servers are configured to use a defined list of forwarders.
  • DNS servers that have multiple IP addresses are set up to listen for DNS queries on only specific IP addresses.
  • The default configuration setting that prevents cache pollution is enabled on your DNS servers.
  • Internet DNS root hints exist only on the DNS servers external to your firewall.
  • The only external DNS servers allowed to communicate with your internal DNS servers are those for which you have authority.

High-level security: The high-level security configuration has the same characteristics as the medium-level security configuration plus additional security enhancements. The main difference between the two DNS security levels is that in the high-level configuration the DNS server is also a domain controller, and DNS zone information is stored in Active Directory.

The characteristics of the high-level security configured on DNS servers are:

  • Your internal DNS servers do not communicate with Internet servers.
  • A private internal root namespace is implemented and is authoritative for all DNS zones.
  • The DNS servers are hosted on domain controllers.
  • The DNS zone type configured for zones is Active Directory-integrated zones. Only authorized users are able to create, delete, and change the DNS zones.
  • DNS zone transfer is limited to specific IP addresses.
  • The resource records stored in Active Directory-integrated zones have DACLs that only enable certain users to create, delete, and change zone data.
  • The only dynamic updates allowed are secure dynamic updates. This means that zone data has to be stored in Active Directory.
  • The root hints file for internal DNS servers points only to internal DNS servers that hold root information for the internal namespace.
  • The DNS servers are configured to listen for DNS queries on only a specific set of IP addresses.
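To make the three levels concrete, the following Python illustration encodes the characteristics listed above as checks and classifies a server configuration as low, medium, or high, reporting what is missing for the next level. It is an added example, not code from the original article or from Microsoft; the setting names in the configuration dicts are an assumed, simplified model of the characteristics, not real DNS Server registry values or console options.

```python
"""Classify a DNS server configuration against the low, medium and high
security levels described above.

Added illustration, not code from the original article or from Microsoft.
The configuration dict uses assumed, simplified setting names; they model
the characteristics listed for each level, not real DNS Server registry
values or console options.
"""

# Constructed example of a default-like (low-level) configuration.
LOW_LEVEL_SERVER = {
    "internet_exposure": "full",          # "full" | "limited" | "none"
    "zone_transfer": "any",               # "any" | "ns_records" | "ip_list"
    "dynamic_updates": "nonsecure",       # "nonsecure" | "none" | "secure"
    "listen_interfaces": "all",           # "all" | "specific"
    "secure_cache_against_pollution": False,
    "root_hints": "internet",             # "internet" | "internal"
    "ad_integrated_zones": False,
    "on_domain_controller": False,
}

# Constructed example of a hardened internal server (high-level).
HIGH_LEVEL_SERVER = {
    "internet_exposure": "none",
    "zone_transfer": "ip_list",
    "dynamic_updates": "secure",
    "listen_interfaces": "specific",
    "secure_cache_against_pollution": True,
    "root_hints": "internal",
    "ad_integrated_zones": True,
    "on_domain_controller": True,
}

# Each rule is (description, predicate). Medium-level characteristics:
MEDIUM_RULES = [
    ("exposure to the Internet is limited",
     lambda c: c["internet_exposure"] != "full"),
    ("zone transfer restricted to NS-record servers or a list of IP addresses",
     lambda c: c["zone_transfer"] in ("ns_records", "ip_list")),
    ("zones do not accept nonsecure dynamic updates",
     lambda c: c["dynamic_updates"] != "nonsecure"),
    ("server listens only on specific IP addresses",
     lambda c: c["listen_interfaces"] == "specific"),
    ("secure cache against pollution is enabled",
     lambda c: c["secure_cache_against_pollution"]),
]

# High-level adds to the medium-level characteristics:
HIGH_RULES = MEDIUM_RULES + [
    ("internal servers do not communicate with Internet servers",
     lambda c: c["internet_exposure"] == "none"),
    ("root hints point only to internal root servers",
     lambda c: c["root_hints"] == "internal"),
    ("zones are Active Directory-integrated",
     lambda c: c["ad_integrated_zones"]),
    ("DNS server is hosted on a domain controller",
     lambda c: c["on_domain_controller"]),
    ("zone transfer limited to specific IP addresses",
     lambda c: c["zone_transfer"] == "ip_list"),
    ("only secure dynamic updates are accepted",
     lambda c: c["dynamic_updates"] in ("secure", "none")),
]


def gaps(config, rules):
    """Return the descriptions of the rules the configuration fails."""
    return [desc for desc, ok in rules if not ok(config)]


def classify(config):
    """Return (level, gaps): the highest level fully met, and what is still
    missing for the next level up (an empty list at high level)."""
    if not gaps(config, HIGH_RULES):
        return "high", []
    if not gaps(config, MEDIUM_RULES):
        return "medium", gaps(config, HIGH_RULES)
    return "low", gaps(config, MEDIUM_RULES)


if __name__ == "__main__":
    for name, cfg in (("default", LOW_LEVEL_SERVER), ("hardened", HIGH_LEVEL_SERVER)):
        level, missing = classify(cfg)
        print(f"{name}: {level}")
        for item in missing:
            print(f"  missing: {item}")
```

The default-like configuration fails every medium-level rule, which is the point of the article's low-level description: it is the starting state, not a target. Run against an inventory of servers, the gap list doubles as a hardening checklist.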

Understanding the DNS Security Extensions Protocol

The DNS Security Extensions (DNSSEC) protocol consists of a number of extensions to DNS that allow resource records to be authenticated. DNSSEC works by using public key cryptography with digital signatures: it gives the party that requested information (resource records) the means to authenticate the source of that information. DNSSEC was designed to protect the Internet from specific types of attacks; the protocol can verify that a query response can be traced back to a source that is considered trusted. With DNSSEC, each DNS zone has a public and private key pair, which is used to generate and verify digital signatures. In addition to the key pair, DNSSEC uses the following records:

  • NXT record: Creates a series of certificate owners.
  • KEY record: Stores the public key information for a DNS zone.
  • SIG record: Stores a digital signature that is associated with a set of records.

The process that occurs to resolve queries when DNSSEC is used is outlined below:

  1. The resolver queries the root server to determine which DNS server is authoritative for the specific zone. The resolver also needs to determine the public key for that zone; for this query, the resolver uses the public key of the root server.
  2. Next, the resolver sends the query to the DNS server that is authoritative for the specific zone.
  3. When the authoritative DNS server obtains the query, it sends the requested information (resource record) to the resolver with the SIG record that is associated with the specific zone.
  4. When the resolver obtains the resource record and accompanying SIG record, it uses the public key to authenticate the resource records.
  5. The information received from the authoritative DNS server is accepted if the resolver can authenticate the resource record and SIG.
  6. The information received from the authoritative DNS server is discarded if the resolver cannot authenticate the resource record and SIG.
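The steps above, played out as a toy model in Python: the root key signs the zone's KEY record, the zone key signs an A RRset (its SIG), and the resolver keeps the answer only if both signatures verify. It is an added example, not code from the original article; it uses textbook RSA over a truncated SHA-256 digest with fixed Mersenne primes as assumed toy parameters, the names example.com and the 192.0.2.10 / 203.0.113.66 addresses are constructed, and the "|"-joined string stands in for the real canonical wire format. Real DNSSEC uses standardised algorithms and, in the current protocol, DNSKEY/RRSIG/NSEC records rather than KEY/SIG/NXT.

```python
"""Toy model of the DNSSEC resolution steps listed above: the root signs the
zone's KEY record, the zone signs an RRset (its SIG record), and the
resolver keeps the answer only when both signatures verify.

Added example, not code from the original article. Textbook RSA over a
truncated SHA-256 digest with fixed Mersenne primes as assumed toy
parameters; the '|'-joined string is a constructed record encoding, not
the DNS wire format. Not secure, for illustration only.
"""
import hashlib

E = 65537  # public exponent


def make_key(p, q):
    """Textbook RSA key pair from two distinct primes (toy sizes, not secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data, n):
    """SHA-256 of the record bytes, truncated so the integer is below n."""
    h = hashlib.sha256(data).digest()
    return int.from_bytes(h[:(n.bit_length() - 1) // 8], "big")


def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(pub_n, sig, data):
    return pow(sig, E, pub_n) == digest(data, pub_n)


def canon(owner, rtype, rdata):
    """Simplified canonical record encoding (constructed, not DNS wire format)."""
    return f"{owner}|{rtype}|{rdata}".encode()


# Key pairs: the root key the resolver is configured to trust, the zone's key,
# and a key belonging to an intruder who controls neither of the first two.
ROOT = make_key(2**127 - 1, 2**89 - 1)
ZONE = make_key(2**107 - 1, 2**61 - 1)
INTRUDER = make_key(2**31 - 1, 2**19 - 1)

# The zone publishes its public key as a KEY record; the root signs it (step 1).
KEY_RECORD = canon("example.com.", "KEY", str(ZONE["n"]))
KEY_SIG = sign(ROOT, KEY_RECORD)

# The authoritative server answers with the RRset and its SIG (step 3).
A_RRSET = canon("www.example.com.", "A", "192.0.2.10")
A_SIG = sign(ZONE, A_RRSET)


def resolve(root_pub_n, key_record, key_sig, rrset, rrset_sig):
    """Steps 4-6: authenticate the zone key with the trusted root key, then the
    RRset with the zone key; return the record, or None if either check fails."""
    if not verify(root_pub_n, key_sig, key_record):
        return None  # zone key not vouched for by the root: discard
    zone_n = int(key_record.decode().split("|")[2])
    if not verify(zone_n, rrset_sig, rrset):
        return None  # record does not match its SIG: discard
    return rrset.decode()


def redirected_answer():
    """A redirection attempt: the A record is swapped for an intruder-controlled
    address, but the SIG still covers the genuine record."""
    return canon("www.example.com.", "A", "203.0.113.66"), A_SIG


def substituted_key_answer():
    """An intruder signs the bogus record with their own key and presents their
    own KEY record; they cannot produce the root's signature over it."""
    bogus = canon("www.example.com.", "A", "203.0.113.66")
    fake_key = canon("example.com.", "KEY", str(INTRUDER["n"]))
    return fake_key, KEY_SIG, bogus, sign(INTRUDER, bogus)


if __name__ == "__main__":
    print("genuine:", resolve(ROOT["n"], KEY_RECORD, KEY_SIG, A_RRSET, A_SIG))
    print("redirected:", resolve(ROOT["n"], KEY_RECORD, KEY_SIG, *redirected_answer()))
    print("substituted key:", resolve(ROOT["n"], *substituted_key_answer()))
```

The two rejected cases are what the redirection threat described earlier looks like from a validating resolver's side: a swapped record fails against the zone's SIG, and a swapped zone key fails against the root's signature, so the resolver discards the answer instead of caching it.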

DNS Security Recommendations for an External DNS Implementation

The DNS security recommendations for an external DNS implementation are summarized below:

  • Harden your DNS servers, and place them in a DMZ or perimeter network.
  • Ensure that access rules and packet filtering are defined on your firewalls to control both source and destination addresses and ports.
  • Install all the latest service packs on your DNS servers, and remove all unnecessary services from these servers.
  • Try to eliminate all single points of failure.
  • It is recommended to host your DNS servers on different subnets. Also ensure that your DNS servers are configured with different routers.
  • Ensure that zone transfer is allowed only to specific IP addresses.
  • Secure zone transfer data by using VPN tunnels or IPSec.
  • You can use a stealth primary server to update the secondary DNS servers that are registered with ICANN.
  • The following recommendations exist for Internet facing DNS servers:
    • Disable recursion
    • Disable dynamic updates
    • Enable protection against cache pollution
  • Monitor your DNS logs. DNS logging is enabled by default. The DNS service generates logging information that you can use to monitor for attacks on your DNS servers. To view DNS logging information:
    1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
    2. In the console tree, expand Event Viewer.
    3. Click DNS Events to display the DNS logging information in the details pane of the DNS console.
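Viewing the log is only useful if something is watching it for the threats described at the top of this article. The following Python example, added here and not part of the original article, runs two such checks over log lines: zone-transfer (AXFR/IXFR) requests from hosts that are not on the allowed list, which is what footprinting looks like in the log, and a burst of queries from one source within a short window, which is the signature of a DoS flood. The log lines are constructed and only loosely imitate a DNS debug-log entry; the regular expression parses this constructed format, not the real Windows DNS debug log or the DNS Events view in Event Viewer, and the IP addresses and thresholds are assumptions.

```python
"""Two checks a defender can run over DNS server log lines: zone-transfer
requests from hosts that are not on the allowed list (footprinting), and a
burst of queries from one source that suggests a denial-of-service flood.

Added example, not code from the original article. The log lines are
constructed and only loosely imitate a DNS debug-log entry; the regular
expression parses this constructed format, not the real Windows DNS
debug log or the DNS Events view in Event Viewer.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# date time PACKET proto direction remote-ip Q|R qtype name   (constructed format)
LINE_RE = re.compile(
    r"^(\d{8}) (\d{2}:\d{2}:\d{2}) PACKET (UDP|TCP) (Rcv|Snd) (\S+) (Q|R) (\S+) (\S+)$"
)


def parse_line(line):
    """Return a dict for a line in the constructed format, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, proto, direction, ip, kind, qtype, name = m.groups()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y%m%d %H:%M:%S"),
        "proto": proto, "direction": direction, "ip": ip,
        "is_query": kind == "Q", "qtype": qtype, "name": name,
    }


def detect(lines, allowed_transfer_ips, window_seconds=1, max_queries=20):
    """Scan received queries and return a list of alert dicts."""
    alerts = []
    recent = defaultdict(deque)   # source ip -> query timestamps inside the window
    flooded = set()               # sources already reported, one alert each
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["direction"] != "Rcv" or not rec["is_query"]:
            continue
        ip = rec["ip"]
        # Footprinting check: transfer requests from hosts not on the allowed list.
        if rec["qtype"] in ("AXFR", "IXFR") and ip not in allowed_transfer_ips:
            alerts.append({"kind": "unauthorized_zone_transfer", "source": ip,
                           "detail": f"{rec['qtype']} for {rec['name']}"})
        # Flood check: sliding window of query timestamps per source.
        dq = recent[ip]
        dq.append(rec["ts"])
        while rec["ts"] - dq[0] > window:
            dq.popleft()
        if len(dq) > max_queries and ip not in flooded:
            flooded.add(ip)
            alerts.append({"kind": "query_flood", "source": ip,
                           "detail": f"{len(dq)} queries within {window_seconds}s"})
    return alerts


def build_sample_log():
    """Constructed sample, not a real capture: ordinary traffic, one allowed and
    one unallowed zone-transfer request, and 30 queries from one host in one second."""
    lines = [
        "20030415 10:23:45 PACKET UDP Rcv 192.168.1.10 Q A www.example.com.",
        "20030415 10:23:45 PACKET TCP Rcv 192.168.1.5 Q AXFR example.com.",
        "20030415 10:23:45 PACKET UDP Snd 192.168.1.10 R A www.example.com.",
        "20030415 10:23:46 PACKET TCP Rcv 203.0.113.9 Q AXFR example.com.",
    ]
    lines += [f"20030415 10:23:47 PACKET UDP Rcv 198.51.100.7 Q A host{i}.example.com."
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log(), allowed_transfer_ips={"192.168.1.5"}):
        print(alert["kind"], alert["source"], alert["detail"])
```

The allowed-list for transfers should be the same set of addresses configured on the zone's Zone Transfers tab, so that an AXFR from anywhere else is both refused by the server and visible in monitoring; the flood threshold is a tuning parameter and the value used here is an assumption.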

DNS Security Recommendations for an Internal DNS Implementation

The DNS security recommendations for an internal DNS implementation are summarized below:

  • Try to eliminate all single points of failure.
  • You should never permit access to your internal DNS servers from the Internet.
  • Use Active Directory-integrated zones so that zone data is stored in Active Directory and Active Directory replication is used to replicate zone data between DNS servers. Zones that store their data in Active Directory can use the security features provided by Active Directory.
  • Ensure that only secure updates are allowed on your Active Directory-integrated zones.
  • You should limit the number of DNS servers that are allowed to receive zone transfer data.
  • If you want to increase security for your internal DNS infrastructure, you should use a separate, internal namespace.

Managing DACLs on DNS servers Configured as Domain Controllers

When DNS servers are configured as domain controllers, you can use DACLs to control the permissions that Active Directory users and groups have on the DNS Server service. It is recommended to limit and change the default users, groups, and associated permissions for the DNS Server service to only those that are necessary. The DACL of a DNS server configured as a domain controller can be managed through:

  • The Active Directory object
  • The DNS console

The default users and groups, and their associated permissions, created for DNS servers running as domain controllers are:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.

Managing DACLs on DNS Zones Stored in Active Directory

It is recommended to limit and change the default users, groups, and associated permissions for DNS zones to only those that are necessary. The default users and groups, and their associated permissions, created for DNS zones stored in Active Directory are:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Create All Child objects.
  • Everyone: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.

Managing DACLs on DNS Resource Records in Active Directory

If DNS is integrated with Active Directory, you can manage the DACLs on the DNS resource records. It is important to limit both user and group permissions to only those that are necessary. The default users and groups, and their associated permissions, on resource records in Active Directory are listed below:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Create All Child objects.
  • Everyone: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.

How to secure DNS servers

The methods you can use to secure DNS servers are:

  • If you are using DNS zone files to store zone data, change the permissions on the zone files, or on the folder that stores them, so that Full Control is allowed only to the System group.
  • The DNS registry keys stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS should be secured as well.
  • If you have a DNS server that is not configured to resolve Internet names, configure its root hints to point to the DNS servers hosting the root domain.
  • If you have a DNS server that is not configured with forwarders, and the DNS server does not respond to any DNS clients directly, it is recommended that you disable recursion on that DNS server.
  • Configure the Secure cache against pollution option to protect the DNS server from an intruder who might be attempting to pollute the DNS cache with incorrect information.
  • Limit the IP addresses on which the DNS server listens for DNS queries.

How to configure the root hints to point to those DNS servers hosting the root domain

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS Server’s Properties dialog box.
  3. Click the Root Hints tab.
  4. If you want to add a root server, click the Add button and enter the root server's name and IP address.
  5. If you want to edit an existing root server, then click the Edit button.
  6. If you want to copy root hints from the DNS server, click the Copy From Server button.
  7. If you want to remove an existing root server, select the root server, and then click the Remove button.
  8. Click OK.

How to disable recursion

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS server that you want to disable recursion for, and then click Properties from the shortcut menu.
  3. When the DNS server Properties dialog box opens, click the Advanced tab.
  4. In the Server Options list, click the Disable Recursion checkbox.
  5. Click OK.

How to configure the Secure cache against pollution option

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS Server’s Properties dialog box.
  3. Click the Advanced tab.
  4. In the Server Options list, click the Secure Cache Against Pollution checkbox.
  5. Click OK.

How to limit the number of IP addresses that the DNS server listens to for DNS queries

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties from the shortcut menu.
  3. Click the Interfaces tab.
  4. Select the Only the following IP addresses option.
  5. Specify the IP addresses that the DNS server should listen to in the IP Address field.
  6. Click OK.

How to enable secure dynamic updates

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. Verify that the zone type configured for the zone on the General tab is Active Directory-integrated zone.
  4. In the Dynamic Updates drop-down list box, select the Secure only option.
  5. Click OK.

How to limit zone transfers

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. When the DNS Zone's Properties dialog box opens, click the Zone Transfers tab.
  4. If you want to disable zone transfers, uncheck or clear the Allow Zone Transfers checkbox.
  5. If you want to allow zone transfer, select the Allow Zone Transfers checkbox.
  6. It is strongly recommended to not select the To Any Server option because zone transfers would be allowed to any server that requests a copy of zone data.
  7. The Only To Servers Listed On The Name Servers Tab option only provides medium-level DNS security.
  8. It is recommended to select the Only To The Following Servers option which provides the most security.
  9. After selecting the Only To The Following Servers option, specify which DNS servers, based on IP addresses, can request zone transfers.
  10. Click OK.
