Server combat: How do enterprises protect DNS servers?

  
                  

Perhaps you haven't forgotten that Baidu was hacked at the beginning of the year, and then it was plagued by Unicom's DNS advertising. When the Internet became an indispensable "living goods" for thousands of households, security was even more important. For enterprises, business secrets, all kinds of data of enterprises are the basis of survival of enterprises, and the security of enterprise servers cannot be ignored. Here is just an effective way to protect DNS servers, because DNS software is often the target of hackers' attacks, and it may bring more security issues.

1.Using DNS Forwarders

DNS Forwarders are DNS servers that perform DNS queries for other DNS servers. The primary purpose of using DNS forwarders is to alleviate the pressure of DNS processing, transferring query requests from the DNS server to the forwarders, and benefiting from potentially larger DNS caches for DNS forwarders.

Another benefit of using a DNS forwarder is that it prevents the DNS server from forwarding query requests from Internet DNS servers. This is very important if your DNS server keeps your internal domain DNS resource records. Instead of having the internal DNS server recursively query and contact the DNS server directly, let it use the forwarder to handle unauthorized requests.

2. Use only buffer DNS server

Only buffer DNS server is for authorized domain name. It is used as a recursive query or using a forwarder. When only the buffered DNS server receives a feedback, it saves the result in the cache and sends the result to the system that made the DNS query request to it. Over time, only buffering DNS servers can collect a lot of DNS feedback, which can greatly reduce the time it takes to provide DNS responses.

Use a buffer-only DNS server as a forwarder to improve your organization's security under your management control. The internal DNS server can only buffer the DNS server as its own forwarder, and only buffer the DNS server to complete the recursive query instead of your internal DNS server. Using your own buffered DNS server as a forwarder can improve security because you don't need to rely on your ISP's DNS server as a forwarder, especially if you can't confirm the ISP's DNS server security.

3. Use DNS advertisers (DNSadvertisers)

The DNS advertiser is a DNS server responsible for resolving queries in the domain. For example, if your host is a publicly available resource for domain.com and corp.com, your public DNS server should configure DNS zone files for domain.com and corp.com.

DNS advertiser settings other than the DNS server hosting the DNS zone file are queries that the DNS advertiser only answers the domain name it authorizes. This kind of DNS server does not perform recursive queries against other DNS servers. This prevents users from using your public DNS server to resolve other domain names. Increased security by reducing the risks associated with running a public DNS resolver, including cache poisoning.

4. Using DNS resolver

The DNS resolver is a DNS server that can perform recursive queries and can resolve to an authorized domain name. For example, you might have a DNS server on your internal network that authorizes the internal network domain name of the internalcorp.com DNS server. When a client on the network uses this DNS server to resolve techrepublic.com, the DNS server performs recursion by querying other DNS servers to obtain an answer.

The difference between a DNS server and a DNS resolver is that the DNS resolver is only for resolving Internet hostnames. The DNS resolver can be a cache-only DNS server with an unauthorised DNS domain name. You can make the DNS resolver only for internal users, you can also make it only for external users, so you don't have to set up a DNS server outside of the way to control, thus improving security. Of course, you can also have DNS resolvers used by both internal and external users.

5. Protecting DNS from cache pollution

DNS cache pollution has become an increasingly common problem. Most DNS servers are able to save DNS query results in the cache before replying to the requesting host. DNS caching can greatly improve the performance of DNS queries within your organization. The problem is that if your DNS server's cache is "contaminated" by a lot of fake DNS information, users may be sent to malicious sites instead of the sites they originally wanted to access.

Most DNS servers are able to prevent cache pollution by configuration. The default configuration state of the Windows Server 2003 DNS server can prevent cache pollution. If you are using a Windows 2000 DNS server, you can configure it, open the Properties dialog of the DNS server, and click on the "Advanced" table. Select the "Prevent cache pollution" option and restart the DNS server.
6. Make DDNS use only secure connections

Many DNS servers accept dynamic updates. The dynamic update feature enables these DNS servers to record the hostname and IP address of a host using DHCP. DDNS can greatly reduce the administrative costs of light DNS administrators, otherwise administrators must manually configure DNS resource records for these hosts.

However, if the undetected DDNS update is updated, it can cause serious security problems. A malicious user can configure the host to become a DNS host record dynamically updated by the file server, web server, or database server. If someone wants to connect to these servers, they will be transferred to other machines.

You can reduce the risk of malicious DNS upgrades by performing a dynamic upgrade by requiring a secure connection to the DNS server. This is easy to do, you only need to configure your DNS server to use Active Directory Integrated Zones (ActiveDirectory IntegratedZones) and require a secure dynamic upgrade. This way, all domain members can update their DNS information securely and dynamically.

7. Disable zone transfer

Zone transfer takes place between the primary DNS server and the secondary DNS server. The primary DNS server authorizes a specific domain name with a rewritable DNS zone file that can be updated as needed. A read-only copy of these zone files is received from the primary DNS server from the DNS server. The DNS server is used to improve the response performance from internal or Internet DNS queries.

However, zone transfers are not just for DNS servers. Anyone who can make a DNS query request may cause a DNS server configuration change that allows zone transfers to dump their own zone database files. Malicious users can use this information to scout naming plans within your organization and attack critical service architectures. You can configure your DNS server, disable zone transfer requests, or allow zone transfers only for specific servers within your organization for security precautions.

8. Use a firewall to control DNS access

A firewall can be used to control who can connect to your DNS server. For DNS servers that only respond to internal user query requests, the firewall should be configured to prevent external hosts from connecting to these DNS servers. For DNS servers that act as cache-only forwarders, the firewall configuration should be set to allow only those query requests from DNS servers that only cache forwarders. An important point of firewall policy settings is to prevent internal users from connecting to external DNS servers using the DNS protocol.

9. Establish access control in the DNS registry

In Windows-based DNS servers, you should set access control in the DNS server-related registry, so that only those who need to access The account can read or modify these registry settings.

The HKLMCurrentControlSetServicesDNS key should only allow access by administrators and system accounts, which should have full control.

10. Set access control in the DNS file system entry

In the Windows-based DNS server, you should set the access control in the file system entry of the DNS server, so that only the account that needs to be accessed You can read or modify these files.

The %system_directory%DNS folder and subfolders should only allow access to the system account, and the system account should have full control.

Copyright © Windows knowledge All Rights Reserved