Tip

DNS security best practices to implement now

DNS is a key component in any enterprise network. Auditing DNS servers and encrypting DNS traffic are just two of the steps to take to protect your organization's DNS deployment.

DNS is one of the most critical services on a network. It translates easy-to-remember domain names into difficult-to-remember IP addresses, enabling users and administrators to refer to network resources by name while permitting network nodes to address packets with destination IP addresses. Without DNS, we'd have to use IP addresses to establish and recognize all network resources.

Clearly, such a critical service must be well protected from forged data, unauthorized changes and eavesdropping. Let's examine some DNS security best practices that protect the integrity and privacy of your name resolution services.

Basic DNS server management

The first set of DNS security best practices involves creating a hardened and redundant DNS deployment. Use the following strategies to create a secure baseline that provides a solid platform for additional settings:

  • Secure and harden the host server. Harden the host server where the DNS resides. Ensure the DNS service resides on a current OS version that maintains a regular patch schedule. Run only necessary software and services without additional applications that might introduce vulnerabilities.
  • Deploy multiple DNS servers. Avoid single points of failure by deploying multiple DNS servers. This redundancy enables client devices to resolve names even if one server is currently unavailable. It's a good practice to place servers near users, so organizations could have DNS servers at branch offices. Use the Dynamic Host Configuration Protocol to provide DNS server settings along with other standard IP address information.
  • Regularly audit DNS security settings and logs. Regularly audit DNS server security settings to ensure they are current, align with the organization's security stance and follow new security recommendations. Automated vulnerability scanners can help. Review DNS log files to monitor for unexpected queries, connections or other DNS traffic.
  • Control DNS server access. Controlling access to DNS services and resource records is critical. Limit console access to authorized administrators and implement strong authentication methods, including MFA and strong passwords. Follow the principle of least privilege.
  • Maintain a strong disaster recovery stance. Maintain a regular backup schedule to protect DNS and configuration information. Implement a standard DNS zone transfer infrastructure alongside this backup plan to ensure all servers contain current name resolution information. This should be part of the organization's larger disaster recovery plan.
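As an added example that is not part of the original article, the following Python performs the kind of log review the audit bullet above calls for. It scans constructed query-log lines in a simplified layout modelled on BIND's query log (adjust LINE_RE to the format your server emits) and flags three things: zone transfer requests from hosts other than the known secondaries, names containing unusually long labels, and a burst of distinct TXT subdomains under one parent from a single client, the latter two being common signs of DNS tunnelling. The addresses, thresholds and the KNOWN_SECONDARIES set are hypothetical policy values.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified layout modelled on BIND's query log.
# Real deployments should adapt LINE_RE to the format their server emits.
SAMPLE_LOG = """\
client 10.0.0.5#53214 (www.example.com): query: www.example.com IN A + (10.0.0.2)
client 10.0.0.7#41000 (mail.example.com): query: mail.example.com IN MX + (10.0.0.2)
client 10.0.0.12#50001 (example.com): query: example.com IN AXFR + (10.0.0.2)
client 10.0.0.3#50002 (example.com): query: example.com IN AXFR + (10.0.0.2)
client 10.0.0.5#53215 (a3f9c0d1e2b4a5f6c7d8e9f0a1b2c3d4e5f6a7b8c9d0.t.exfil.test): query: a3f9c0d1e2b4a5f6c7d8e9f0a1b2c3d4e5f6a7b8c9d0.t.exfil.test IN TXT + (10.0.0.2)
client 10.0.0.5#53216 (q1.t.exfil.test): query: q1.t.exfil.test IN TXT + (10.0.0.2)
client 10.0.0.5#53217 (q2.t.exfil.test): query: q2.t.exfil.test IN TXT + (10.0.0.2)
client 10.0.0.5#53218 (q3.t.exfil.test): query: q3.t.exfil.test IN TXT + (10.0.0.2)
client 10.0.0.5#53219 (q4.t.exfil.test): query: q4.t.exfil.test IN TXT + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+ \((?P<name>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Hypothetical policy values for this example.
KNOWN_SECONDARIES = {"10.0.0.3"}  # only these hosts may request zone transfers
MAX_LABEL_LEN = 40                 # labels longer than this are unusual for human-chosen names
MAX_SUBDOMAINS = 4                 # distinct TXT subdomains per (client, parent) before flagging


def parse_queries(log_text):
    """Yield (client_ip, query_name, qtype) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["name"].rstrip(".").lower(), m["qtype"].upper()


def parent_domain(name):
    """Heuristic: treat the last two labels as the zone that 'owns' the name."""
    return ".".join(name.split(".")[-2:])


def review_log(log_text):
    """Return a list of (rule, client_ip, subject) findings, in the order detected."""
    findings = []
    subdomains = defaultdict(set)
    for ip, name, qtype in parse_queries(log_text):
        # Rule 1: zone transfer requested by a host that is not a known secondary.
        if qtype in ("AXFR", "IXFR") and ip not in KNOWN_SECONDARIES:
            findings.append(("zone-transfer-from-unexpected-source", ip, name))
        # Rule 2: a single label far longer than normal hostnames (encoded payload?).
        if any(len(label) > MAX_LABEL_LEN for label in name.split(".")):
            findings.append(("unusually-long-label", ip, name))
        # Rule 3: collect distinct TXT subdomains per client and parent domain.
        if qtype == "TXT":
            subdomains[(ip, parent_domain(name))].add(name)
    for (ip, parent), names in subdomains.items():
        if len(names) > MAX_SUBDOMAINS:
            findings.append(("txt-subdomain-churn", ip, parent))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the AXFR from 10.0.0.12 is reported while the one from the known secondary 10.0.0.3 is not; the long hex label and the five distinct TXT names under exfil.test from 10.0.0.5 produce the other two findings. Thresholds like these are a starting point for tuning against your own baseline, not universal constants.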

Standard DNS server configurations

After hardening the DNS platform, consider the security settings within the DNS service itself. The following best practices specify DNS configurations that help mitigate threats to name resolution:

Implement DNS forwarding

Send name resolution requests for external resources to dedicated forwarding DNS servers in the DMZ. Internal DNS servers resolve internal resources; when a query does not match an internal zone, they forward it to those DMZ servers, which have direct internet connectivity and resolve the external names on the internal servers' behalf. Restrict the DMZ forwarders to accept recursive queries only from the internal servers so they do not become open resolvers, and never expose the internal DNS servers directly to the internet.

Manage DNS zone transfers

DNS zone transfers keep secondary DNS servers current. DNS server implementations typically let administrators restrict zone transfers to specific IP addresses; ensure that list contains only the legitimate secondary servers and nothing else. Because source IP addresses can be spoofed, authenticate transfers as well: transaction signatures (TSIG) let the primary and its secondaries share a key and sign every transfer request and response. Note that DNS Security Extensions (DNSSEC) sign the records inside a zone, not the transfer itself, and encrypt nothing, so DNSSEC is not a substitute for a transfer ACL and TSIG.
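The following Python is an added example, not code from the original article or from any DNS vendor. It audits two constructed BIND-style named.conf fragments for the two settings discussed under forwarding and zone transfers: recursion enabled without an explicit allow-recursion ACL (the open-resolver risk on an internet-facing forwarder) and a transfer ACL that is either missing or set to any. The first fragment shows the weak settings, the second the corrected ones with transfers limited to a TSIG key. The parser is deliberately minimal (it understands top-level blocks, comments and `directive { a; b; };` lists) and the key name, secret placeholder, addresses and zone are hypothetical; the check treats an absent allow-transfer as a finding rather than trusting the server's default.

```python
import re

# Constructed named.conf fragments for this example (not from any real deployment).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;                 // recursion on, but no allow-recursion ACL
    allow-transfer { any; };       // anyone on the internet can pull the zone
};
zone "example.com" {
    type primary;
    file "example.com.zone";
};
"""

HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  # placeholder, not a real key
};
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };   // internal clients only
    allow-transfer { none; };                     // deny transfers by default
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };           // only TSIG-signed requests
};
"""

STMT_RE = re.compile(r'(?P<kw>[a-z-]+)(?:\s+"(?P<arg>[^"]*)")?\s*\{', re.I)


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (keyword, argument, body) for each top-level `kw ["arg"] { ... }` block."""
    pos = 0
    while True:
        m = STMT_RE.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(text):          # match braces to find the block end
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m["kw"].lower(), m["arg"], text[m.end():i - 1]
        pos = i                                  # skip the body so nested blocks are not re-read


def acl(body, directive):
    """Return the element list of `directive { a; b; };` in body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit(conf):
    """Return a list of (finding, subject) tuples for the configuration text."""
    findings = []
    blocks = list(top_level_blocks(strip_comments(conf)))
    options = next((b for kw, _, b in blocks if kw == "options"), "")
    if re.search(r"\brecursion\s+yes\b", options) and acl(options, "allow-recursion") is None:
        findings.append(("recursion-without-explicit-acl", "options"))
    global_xfer = acl(options, "allow-transfer")
    for kw, name, body in blocks:
        if kw != "zone":
            continue
        effective = acl(body, "allow-transfer")  # zone setting overrides the global one
        if effective is None:
            effective = global_xfer
        if effective is None:
            findings.append(("transfer-acl-not-set", name))
        elif "any" in effective:
            findings.append(("transfer-open-to-any", name))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))          # two findings
    print("hardened:", audit(HARDENED_CONF))  # no findings
```

The hardened fragment passes because recursion is scoped to internal ranges, transfers are denied globally and re-enabled per zone only for requests signed with the named TSIG key; the secondary needs the same key statement and the primary's address in its own configuration.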

Implement Active Directory integrated zones

Windows AD and DNS administrators can store DNS zones in AD so that zone replication and DNS updates ride on the broader AD replication process instead of a separate DNS replication topology. AD replication authenticates and encrypts the traffic, is multi-master, and yields greater redundancy and efficiency. AD-integrated zones also support secure dynamic updates, so only authenticated domain members can create or change their own records.

Use DNS filtering to block malicious sites

DNS filters check client domain requests against a blocklist to prevent access to specified sites before name resolution attempts even occur. This effectively stops many threats before they happen -- for example, preventing users from accessing sites containing malware or content that violates the organization's acceptable use policy. Admins can maintain custom blocklists or acquire updated lists from third-party sources. Filtering only applies to queries that actually reach the filtering resolver, so pair it with controls that keep clients from using outside resolvers.
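As an added example, not part of the original article, here is the decision logic at the core of a DNS filter in Python. A request is blocked when the queried name or any of its parent domains appears on the blocklist, after normalizing case, the trailing dot and internationalized labels (IDNA) so that lookalike spellings of a listed name cannot slip through; an exact-match allowlist lets an administrator exempt one specific host under a blocked parent without exempting everything beneath it. The list entries are constructed for the example; a production filter would load them from the organization's own list and third-party feeds.

```python
# Constructed lists for this example; production filters load these from feeds.
BLOCKLIST = {"malware.example", "tracker.example", "phish.test"}
ALLOWLIST = {"cdn.tracker.example"}  # exact-name exceptions to a blocked parent


def normalize(name):
    """Canonical form: lowercase, no trailing dot, punycode (IDNA) for non-ASCII labels."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def lineage(name):
    """Yield the name and each of its parents, most specific first."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return ('allow' | 'block', matched_entry) for a queried name.

    The allowlist is consulted for the exact name only, so an exception for
    cdn.tracker.example does not also exempt evil.cdn.tracker.example.
    """
    name = normalize(name)
    if name in allowlist:
        return "allow", name
    for candidate in lineage(name):       # walk up: host, then each parent domain
        if candidate in blocklist:
            return "block", candidate
    return "allow", None


if __name__ == "__main__":
    for q in ("www.malware.example", "MALWARE.EXAMPLE.", "cdn.tracker.example",
              "evil.cdn.tracker.example", "bücher.phish.test", "www.example.com"):
        print(q, "->", decide(q))
```

A resolver that adopts this check answers blocked names with a sinkhole address or NXDOMAIN and logs the matched entry, which is the value a SOC wants to see alongside the client address.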

Implement DNS encryption

Cryptography is key to protecting both the integrity of DNS data and the confidentiality of client name resolution queries, and two different families of protection apply. DNSSEC signs DNS data so that resolvers can validate it; DNSCrypt, DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt the channel between a client and its resolver. Organizations should consider both kinds, because neither does the other's job.

  • DNSSEC. Modern DNS services offer DNSSEC, which is designed to protect against cache poisoning and spoofing. DNSSEC uses digital signatures to validate the origin and integrity of DNS data. It takes effect only when zones are signed and the resolver validates the signatures; a non-validating resolver ignores them. DNSSEC does not provide confidentiality and does not protect the query itself.
  • DNSCrypt. DNSSEC does not protect client name resolution queries, but the open source DNSCrypt does. It encrypts and authenticates traffic between a client and a supporting resolver, so queries and responses cannot be read or altered in transit. It does not by itself anonymize the client: the resolver operator still sees which client asked for which name.
  • DNS over TLS. DoT wraps name resolution queries between DNS clients and DNS servers in TLS to prevent eavesdropping and tampering on the path. It keeps on-path observers, such as an ISP, from seeing or logging queries, although the resolver operator still sees them. DoT uses TCP port 853, which makes it easy to identify on the network and might require changes to firewall rules.
  • DNS over HTTPS. DoH takes a similar approach to DoT but carries DNS messages inside HTTPS, so the traffic looks the same as any other web communication on TCP port 443. That hides it from eavesdroppers and also from the organization's own monitoring and filtering, which is why enterprises typically point managed clients at an approved DoT or DoH resolver and block others. Both protocols continue to gain support on client platforms, and major browsers implement DoH directly. DoH is harder to distinguish and block than DoT, at the cost of HTTP overhead on each query.
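As an added example that is not part of the original article, the following Python builds one DNS query and shows the encapsulations the list above contrasts: the bare wire-format message that goes over UDP port 53, the 16-bit length-prefixed framing DoT uses on TCP port 853, and the base64url `dns=` parameter (or POST body) DoH uses on port 443. It also reads the AD bit a validating resolver sets in its responses, which is how a client learns that DNSSEC validation succeeded; that bit is only worth trusting when the path to the resolver cannot be tampered with, which is exactly what DoT or DoH provides. The resolver name dns.example.net is a placeholder, and the response header used to exercise the AD check is constructed. The DoH token produced for www.example.com is the one shown in RFC 8484.

```python
import base64
import struct

AD_FLAG = 0x0020  # "authenticated data" bit in the DNS header flags (RFC 4035)


def build_query(name, qtype=1, txid=0):
    """Minimal RFC 1035 query: header with RD set, one question, QCLASS IN.
    txid=0 is what RFC 8484 recommends for DoH so identical queries cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """DoT on TCP 853 (like plain DNS over TCP) prefixes each message with its 16-bit length.
    Over UDP 53 the message is sent exactly as returned by build_query."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg, resolver="https://dns.example.net/dns-query"):
    """DoH GET: the wire message, base64url-encoded without padding, in the dns= parameter."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def doh_post_request(msg, host="dns.example.net", path="/dns-query"):
    """DoH POST: the raw wire message is the body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return head.encode("ascii") + msg


def is_authenticated(response):
    """True when the resolver set the AD bit, i.e. it validated the answer with DNSSEC.
    Meaningful only if the channel to that resolver is protected (DoT, DoH or localhost)."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & AD_FLAG)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(len(q), "bytes as a UDP/53 payload:", q.hex())
    print("DoT length prefix on TCP/853:", dot_frame(q)[:2].hex())
    print("DoH GET:", doh_get_url(q))
    # Constructed response header: QR, RD, RA and AD set (0x81A0).
    print("AD bit set:", is_authenticated(bytes.fromhex("000081a00001000100000000")))
```

The same 33 bytes are sent in all three cases; what differs is the wrapper, and therefore what an observer on the network, or a firewall trying to enforce the use of the corporate resolver, can see.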

Instituting DNS security best practices

It's hard to overestimate the importance of DNS. Without it, network communications would be far more difficult. Various malicious activities threaten name resolution, including unauthorized changes to data and privacy violations. Mitigate these concerns by deploying DNS on hardened servers and defining configurations that match your organization's security requirements. In addition, pay attention to the last mile in the name resolution process by encrypting data between the DNS client and the name resolution servers.

Compare this list of best practices to your DNS infrastructure today to see where to improve your organization's security stance and offer better name resolution services to your clients.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.
