COMMENT

Cherif Sleiman, General Manager, Middle East at Infoblox

Given that DNS servers are mission-critical infrastructure, it is crucial that they continue to respond to queries even when they are under attack. When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs but also provides room for future growth. In addition, while architecting the DNS, it is also important to understand the security threats to which the DNS might be vulnerable.

Securing the DNS platform against hacking

Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces and extraneous ports, such as port 80 and port 25, that are open to attack. Hackers can use these ports to access the operating system (OS) and compromise the servers. If an enterprise's DNS servers don't support tiered security privileges, any user could potentially gain access to OS-level account privileges and make configuration changes that leave the servers vulnerable to hacks.

In order to protect DNS services from various hacks, DNS servers should be secured in the following ways:

Hardened appliance with minimal attack surface – The infrastructure should not have any extra or unused ports to access the server or to power external devices (e.g. Wi-Fi), and no root login access within the operating system. It should have role-based access to maintain overall control.

Secured access methods – There should be two-factor authentication for secured login access, web and API access should use encryption to secure communication, and DNS TSIG keys should be used for strong authentication of DNS updates.

Detailed audit logging – This enables compliance and control over server configurations and operations.

High availability and disaster recovery – Simple, configurable fail-over and failback to ensure service availability.

Simple, unified updates for OS and applications – Updates for both the OS and applications should be accomplished in a single process to reduce downtime and the risk of incompatibility.

Security certification by an accepted industry organisation – External validation of security measures must be undertaken for hardware, applications/OS and the manufacturing process. The bar should be set at a minimum of Common Criteria EAL2 certification, which covers verification of hardware, software and manufacturing processes.

Simple DNSSEC implementation – DNSSEC reduces the risk of attacks like cache poisoning. It should be simple to implement and to self-manage the updating of keys between servers.

Secure forwarder configuration – Restrict queries to DNS forwarder servers to those sent by authorised addresses.

Defending against DNS attacks

Another consideration is the protection of the DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the internet. Even though a server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls, which are ill-prepared to protect DNS against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.

There is a whole spectrum of attacks that can target DNS:

DoS/DDoS – Send tens or hundreds of thousands of queries per second to the DNS server in order to exhaust resour
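As an added illustration of three of the controls above (detailed audit logging, restricting forwarder use to authorised addresses, and spotting a query flood), here is a small Python checker, written for this page rather than taken from the column or any Infoblox product, that reads BIND 9 style query-log lines. The log lines, the authorised network and the per-second ceiling are all constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in BIND 9 query-log layout; the flags field starts with
# "+" when the client asked for recursion (i.e. wants to use us as a forwarder).
SAMPLE_LOG = """\
12-Mar-2024 10:15:01.101 client @0x7f1 10.0.1.25#5353 (www.example.com): query: www.example.com IN A + (10.0.1.5)
12-Mar-2024 10:15:01.310 client @0x7f3 203.0.113.9#40001 (example.com): query: example.com IN ANY + (10.0.1.5)
12-Mar-2024 10:15:02.001 client @0x7f4 198.51.100.7#6001 (a1.example.com): query: a1.example.com IN A - (10.0.1.5)
12-Mar-2024 10:15:02.002 client @0x7f4 198.51.100.7#6002 (a2.example.com): query: a2.example.com IN A - (10.0.1.5)
12-Mar-2024 10:15:02.003 client @0x7f4 198.51.100.7#6003 (a3.example.com): query: a3.example.com IN A - (10.0.1.5)
"""

# Constructed policy (hypothetical values): only this network may send recursive
# queries, and the per-second ceiling is tiny so the small sample trips it.
AUTHORIZED_FORWARDER_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_QUERIES_PER_SECOND = 2

LINE_RE = re.compile(
    r"^(?P<second>\S+ \S+?)\.\d+ client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\S+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def audit(log_text, authorized=AUTHORIZED_FORWARDER_CLIENTS,
          max_qps=MAX_QUERIES_PER_SECOND):
    """Return (unauthorised forwarder use, sources exceeding the per-second rate)."""
    unauthorized = []
    per_second = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Control 1: recursion (forwarder use) only from the authorised ranges.
        if rec["recursion_desired"] and not any(rec["ip"] in n for n in authorized):
            unauthorized.append((str(rec["ip"]), rec["qname"], rec["qtype"]))
        # Control 2: count queries per (source, wall-clock second) to catch floods.
        per_second[(str(rec["ip"]), rec["second"])] += 1
    flooders = sorted({ip for (ip, _), n in per_second.items() if n > max_qps})
    return unauthorized, flooders
```

On the sample, the external address 203.0.113.9 is reported for recursive use and 198.51.100.7 for exceeding the rate ceiling; in production the ceiling would be orders of magnitude higher.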