10 ways to protect DNS

1. Using DNS Forwarders

DNS Forwarders are DNS servers that perform DNS queries for other DNS servers. The primary purpose of using DNS forwarders is to alleviate the pressure of DNS processing, transferring query requests from the DNS server to the forwarders, and benefiting from potentially larger DNS caches for DNS forwarders.

Another benefit of using a DNS forwarder is that it prevents the DNS server from forwarding query requests from Internet DNS servers. This is very important if your DNS server keeps your internal domain DNS resource records. Instead of having the internal DNS server recursively query and contact the DNS server directly, let it use the forwarder to handle unauthorized requests.

2. Use only buffer DNS server

Only buffer DNS server is for authorized domain name. It is used as a recursive query or using a forwarder. When only the buffered DNS server receives a feedback, it saves the result in the cache and sends the result to the system that made the DNS query request to it. Over time, only buffering DNS servers can collect a lot of DNS feedback, which can greatly reduce the time it takes to provide DNS responses.

Use only the buffered DNS server as a forwarder. Under your management control, you can improve your organization's security. The internal DNS server can treat the DNS server only as its own forwarder, and only buffer the DNS server to complete the recursive query instead of your internal DNS server. Using your own buffered DNS server as a repeater can improve security because you don't need to rely on your ISP's DNS server as a forwarder, especially if you can't confirm the ISP's DNS server security.

3. Using DNS advertisers

The DNS advertiser is a DNS server responsible for resolving queries in the domain. For example, if your host is a publicly available resource for domain.com and corp.com, your public DNS server should configure DNS zone files for domain.com and corp.com.

A DNS advertiser setting other than the DNS server hosting the DNS zone file is a query that the DNS advertiser only answers the domain name it authorizes. This kind of DNS server does not perform recursive queries against other DNS servers. This prevents users from using your public DNS server to resolve other domain names. Increased security by reducing the risks associated with running a public DNS resolver, including cache poisoning.

4.Using DNS resolver

The DNS resolver is a DNS server that can perform recursive queries and can resolve to an authorized domain name. For example, you might have a DNS server on your internal network that authorizes the internal network domain name of the internalcorp.com DNS server. When a client on the network uses this DNS server to resolve techrepublic.com, the DNS server performs recursion by querying other DNS servers to obtain an answer.

The difference between a DNS server and a DNS resolver is that the DNS resolver is only for resolving Internet hostnames. The DNS resolver can be a cache-only DNS server with an unauthorised DNS domain name. You can make the DNS resolver only for internal users, and you can also make it only serve external users, so you don't have to set up a DNS server outside of the way you can't control it, which improves security. Of course, you can also have DNS resolvers used by both internal and external users.

5. Protecting DNS from cache pollution

DNS cache pollution has become an increasingly common problem. Most DNS servers are able to save DNS query results in the cache before replying to the requesting host. DNS caching can greatly improve the performance of DNS queries within your organization. The problem is that if your DNS server's cache is "pollution" with a lot of fake DNS information, users may be sent to malicious sites instead of the sites they originally wanted to access.

The vast majority of DNS servers are able to prevent cache pollution by configuration. The default configuration state of the Windows Server 2003 DNS server prevents cache pollution. If you are using a Windows 2000 DNS server, you can configure it, open the Properties dialog of the DNS server, and click on the "Advanced" table. Select the "Prevent cache pollution" option and restart the DNS server.

6. Make DDNS use only secure connections

Many DNS servers accept dynamic updates. The dynamic update feature enables these DNS servers to record the hostname and IP address of a host using DHCP. DDNS can greatly reduce the administrative expenses of DNS administrators, otherwise administrators must manually configure the DNS resource records of these hosts.

However, undetected DDNS updates can pose serious security issues. A malicious user can configure the host to become a DNS host record that is dynamically updated by a file server, web server, or database server. If someone wants to connect to these servers, they will be transferred to other machines.

You can reduce the risk of malicious DNS upgrades by performing a dynamic upgrade by requiring a secure connection to the DNS server. This is easy to do, you only need to configure your DNS server to use Active Directory Integrated Zones and require a secure dynamic upgrade. In this way, all domain members can update their DNS information securely and dynamically.

7.Disable zone transfer

A zone transfer takes place between the primary DNS server and the secondary DNS server. The primary DNS server authorizes a specific domain name with a rewritable DNS zone file that can be updated as needed. A read-only copy of these zone files is received from the primary DNS server from the DNS server. The DNS server is used to improve the response performance from internal or Internet DNS queries.

However, zone transfers are not just for DNS servers. Anyone who can make a DNS query request may cause a DNS server configuration change that allows zone transfers to dump their own zone database files. Malicious users can use this information to scout naming plans within your organization and attack critical service architectures. You can configure your DNS server, disable zone transfer requests, or allow only zone transfers to specific servers within your organization for security precautions.

8. Using a firewall to control DNS access

Firewall can be used to control who can connect to your DNS server. For DNS servers that only respond to internal user query requests, the firewall should be configured to prevent external hosts from connecting to these DNS servers. For DNS servers that act as cache-only forwarders, the firewall configuration should be set to allow only those query requests from DNS servers that only cache forwarders. An important point in firewall policy settings is to prevent internal users from connecting to external DNS servers using the DNS protocol.

9. Establish access control in the DNS registry

In the Windows-based DNS server, you should set access control in the DNS server-related registry, so that only those who need to access The account can read or modify these registry settings.

The HKLM\\CurrentControlSet\\Services\\DNS key should only allow access by administrators and system accounts, and these accounts should have full control.

10. Setting access control in the DNS file system entry

In the Windows-based DNS server, you should set the access control in the file system entry of the DNS server, so that only the account that needs to be accessed You can read or modify these files.

%system_directory%\\DNS folders and subfolders should only allow access to the system account, and the system account should have full control.