Seven major problems with DNS server security deployment


DNS (Domain Name System) is a long-established service. It maps a domain name to the IP address of a computer, so that the machine can be reached by a readable name; for example, the address 207.46.193.254 is a Microsoft web server, www.microsoft.com. DNS is well designed and works well most of the time. Still, there are moments when it fails and leaves administrators with a headache. So how do you find the clues to the fault, and where are the weak points in your own DNS deployment?

Is there a pattern to look for? There is. Here are the seven deadly sins of DNS server deployment for your reference:

1. Running an old version of BIND.

BIND is open-source DNS server software and the most widely used DNS server software in the world. Almost all older versions of BIND have serious, well-known vulnerabilities. Attackers can exploit them to take over the name server and then use it to compromise the host that runs it. Therefore, run a current BIND release and apply patches promptly; the version a server admits to can be read remotely (for example with a CHAOS-class TXT query for version.bind), so also consider hiding it with the version option.

2. Placing all important name servers on the same subnet.

In this case a single device failure, such as a switch or router, or a single network link failure can leave users on the Internet unable to reach your website or send you email. Secondaries should sit on different subnets, ideally in different networks and locations, as RFC 2182 recommends, so that no single outage takes the whole zone offline.

3. Allowing recursion for unauthorized queriers.

If the configuration looks like this:

    recursion yes|no;                           [default: yes]
    allow-recursion { address_match_list };     [default: all hosts]

it is not safe. The recursion option specifies whether the server will query other name servers on behalf of the client. You do not usually need to switch recursion off entirely: at a minimum recursion should be allowed for the server's own clients, but refused for external queries, because a server that performs recursive queries for arbitrary clients is exposed to cache poisoning and denial of service attacks, and can be abused as a reflector against third parties. In BIND, restrict allow-recursion to an ACL of your internal networks, or better, run separate authoritative and recursive servers.

4. Allowing unauthorized secondary name servers to perform zone transfers.

A zone transfer is the process of copying a zone's database between DNS servers. If zone transfers are offered to any querier, the full contents of the zone are exposed to an attacker, who obtains a complete map of your hosts, and repeated transfers can be used to overload the server. Restrict allow-transfer to the addresses of your own secondaries, or to a TSIG key they share with the primary.
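As an added example (not code from the original article), here is a small probe in standard-library Python that tests a server for both of the misconfigurations in items 3 and 4. It sends a recursion-desired A query for a name the server should not be authoritative for (www.example.com is assumed as the test name) and looks at the RA flag, RCODE and answer count of the reply; then it requests an AXFR of a zone over TCP and classifies the first message it gets back. Only the 12-byte DNS header is parsed, which is enough to tell "open recursion" and "transfer allowed" from "refused". The server and zone names are command-line arguments; everything else is assumed for illustration.

```python
"""Probe a DNS server for open recursion and open zone transfers.
Added example: parses only the DNS header (RFC 1035 section 4.1.1)."""
import random
import socket
import struct
import sys

RCODE_NOERROR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 5, 9
QTYPE_A, QTYPE_AXFR = 1, 252


def build_query(qname, qtype, rd=True):
    """Return (txid, wire-format query) with one question in class IN."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # RD bit asks for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return txid, header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the fixed DNS header into a dict of flags and section counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_recursion(response):
    """Classify the reply to an RD=1 query for a foreign (non-authoritative) name."""
    h = parse_header(response)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_REFUSED:
        return "recursion-refused"                # what item 3 asks for
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursion"                   # server resolved the name for us
    if not h["ra"]:
        return "recursion-not-offered"            # authoritative-only behaviour
    return "inconclusive"


def classify_axfr(response):
    """Classify the first message of an AXFR reply."""
    h = parse_header(response)
    if h["rcode"] == RCODE_REFUSED:
        return "transfer-refused"                 # what item 4 asks for
    if h["rcode"] == RCODE_NOTAUTH:
        return "not-authoritative"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "transfer-allowed"                 # zone data came back to a stranger
    return "inconclusive"


def check_recursion(server, qname="www.example.com.", timeout=3.0):
    """UDP query with RD set; www.example.com. is an assumed test name."""
    txid, query = build_query(qname, QTYPE_A, rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_header(data)["id"] != txid:
        return "id-mismatch"
    return classify_recursion(data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=5.0):
    """AXFR runs over TCP with a 2-byte length prefix (RFC 1035 section 4.2.2)."""
    _, query = build_query(zone, QTYPE_AXFR, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        data = _recv_exact(s, length)
    return classify_axfr(data)


if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]
    print("recursion:", check_recursion(server))
    print("axfr:", check_zone_transfer(server, zone))
```

Run it as `python probe.py <server-ip> <zone>` against your own servers from an outside address; "open-recursion" or "transfer-allowed" means the corresponding ACL is missing. The AXFR check reads only the first message and does not drain the whole transfer, so it is cheap even against a large zone.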

5. Not using DNS forwarders.

DNS forwarders are servers that perform DNS queries on behalf of other DNS servers. Much name server software, including Microsoft's DNS Server and some older BIND versions, does not adequately protect itself against cache poisoning, and other DNS server software has vulnerabilities that a malicious responder can exploit. Yet many administrators let these name servers query other name servers on the Internet directly and do not use forwarders at all. Sending all outbound queries through one or two hardened, patched forwarders means only those machines are exposed to hostile responses, and they are the ones you keep current.

6. Setting incorrect Start of Authority (SOA) values.

The SOA record begins the zone data and defines the parameters that affect the entire zone. Many administrators set the timer values too low, so that when a refresh query or zone transfer fails the zone expires on the secondaries and they stop answering. Since RFC 2308 redefined the last SOA field as the negative-caching TTL, some administrators have also left it at the old "minimum TTL" value, which is far too high for that purpose.

Source: http://www.bianceng.cn
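As an added example (not part of the original article), the following Python checks a zone's SOA timers against the ranges recommended in RFC 1912 section 2.2 and the negative-caching guidance of RFC 2308 section 5. It accepts the rdata as it appears in dig output or as a multi-line zone-file record with parentheses and comments. The sample SOA and the example.com names are constructed for illustration; the thresholds are recommendations, not protocol limits.

```python
"""Audit SOA timer values. Added example; thresholds are the RFC 1912 / RFC 2308
recommendations, not hard protocol limits."""

REFRESH_RANGE = (1200, 43200)        # RFC 1912: 20 minutes to 12 hours
EXPIRE_RANGE = (1209600, 2419200)    # RFC 1912: 2 to 4 weeks
NEG_TTL_RECOMMENDED_MAX = 3 * 3600   # RFC 2308 suggests 1-3 hours ...
NEG_TTL_MAX = 86400                  # ... and at most a day; more is the old "minimum TTL" meaning

# Constructed sample in zone-file form (not a real zone).
SAMPLE_SOA = """\
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        7200       ; refresh
        1800       ; retry
        1209600    ; expire
        3600 )     ; negative caching TTL
"""


def parse_soa(text):
    """Accept 'mname rname serial refresh retry expire minimum', optionally
    preceded by 'owner [ttl] [IN] SOA', with zone-file parentheses and ; comments."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
        tokens.extend(line.split())
    if "SOA" in tokens:
        tokens = tokens[tokens.index("SOA") + 1:]
    if len(tokens) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(tokens))
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[2:])
    return {"mname": tokens[0], "rname": tokens[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def audit_soa(text):
    """Return a list of problem codes; an empty list means the timers look sane."""
    soa = parse_soa(text)
    problems = []
    if not REFRESH_RANGE[0] <= soa["refresh"] <= REFRESH_RANGE[1]:
        problems.append("refresh-out-of-range")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry-not-below-refresh")     # retry is meant to be a fraction of refresh
    if soa["expire"] < EXPIRE_RANGE[0]:
        problems.append("expire-too-low")              # a short primary outage expires the zone
    elif soa["expire"] > EXPIRE_RANGE[1]:
        problems.append("expire-too-high")             # stale data served for too long
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire-before-first-retry")   # secondaries drop the zone before retrying
    if soa["minimum"] > NEG_TTL_MAX:
        problems.append("negative-ttl-too-high")       # pre-RFC 2308 value left in place
    elif soa["minimum"] > NEG_TTL_RECOMMENDED_MAX:
        problems.append("negative-ttl-above-recommended")
    return problems


if __name__ == "__main__":
    print("sample zone-file SOA:", audit_soa(SAMPLE_SOA) or "ok")
    # Constructed bad record: refresh too short, retry above refresh, expire one hour,
    # and a week-long "minimum" that now means negative caching.
    print("bad SOA:", audit_soa(
        "ns1.example.com. hostmaster.example.com. 1 600 900 3600 604800"))
```

Feed it the output of `dig +short SOA <zone>` or the SOA record from the zone file; a long negative-caching TTL is worth fixing because every NXDOMAIN, including typos and records you are about to add, is cached for that long.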

7. Mismatched NS records between the delegation and the zone data.

Some administrators add or remove a name server but forget to update the delegation data for the zone in the parent (the so-called delegation records), or the glue addresses that go with them. The result is a lame delegation: resolvers are sent to servers that no longer exist or never hear about servers that do, which lengthens resolution time and reduces resilience.
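As an added example (not from the original article), this Python compares the NS set that the parent delegates to with the NS set published at the zone apex, and checks that in-zone name servers have glue that matches the zone's own address records. In practice the two inputs come from `dig NS <zone> @<parent-server>` and `dig NS <zone> @<child-server>` plus the apex address records; here they are constructed for example.com, which is assumed for illustration.

```python
"""Audit a delegation for NS and glue mismatches between parent and child.
Added example; all names and addresses below are constructed."""


def _norm(name):
    """Lower-case and ensure a single trailing dot so sets compare correctly."""
    return name.lower().rstrip(".") + "."


def _in_bailiwick(name, zone):
    """True when the name lies inside the zone and therefore needs glue at the parent."""
    return name == zone or name.endswith("." + zone)


def audit_delegation(zone, parent_delegation, apex_ns, apex_addresses):
    """parent_delegation: {ns_name: glue_ip or None} as served by the parent.
    apex_ns: NS names in the zone's own data.
    apex_addresses: {name: ip} for address records in the zone.
    Returns a sorted list of (problem, ns_name) tuples."""
    zone = _norm(zone)
    parent = {_norm(n): ip for n, ip in parent_delegation.items()}
    child = {_norm(n) for n in apex_ns}
    addrs = {_norm(n): ip for n, ip in apex_addresses.items()}
    findings = []
    for ns in parent.keys() - child:
        findings.append(("missing-at-apex", ns))        # removed from the zone, still delegated
    for ns in child - parent.keys():
        findings.append(("missing-in-delegation", ns))  # added to the zone, parent never updated
    for ns, glue in parent.items():
        if not _in_bailiwick(ns, zone):
            continue                                    # out-of-zone servers need no glue
        if glue is None:
            findings.append(("missing-glue", ns))       # resolvers cannot find the server
        elif ns in addrs and addrs[ns] != glue:
            findings.append(("glue-mismatch", ns))      # stale glue after a server moved
    for ns in parent.keys() | child:
        if _in_bailiwick(ns, zone) and ns not in addrs:
            findings.append(("no-address-in-zone", ns))
    return sorted(findings)


# Constructed scenario: ns3 was decommissioned and ns2 added, but the parent
# delegation was never updated.
ZONE = "example.com"
PARENT_DELEGATION = {"ns1.example.com.": "192.0.2.1",
                     "ns3.example.com.": "192.0.2.3",
                     "ns.provider.net.": None}
APEX_NS = {"ns1.example.com.", "ns2.example.com.", "ns.provider.net."}
APEX_ADDRESSES = {"ns1.example.com.": "192.0.2.1", "ns2.example.com.": "192.0.2.2"}

if __name__ == "__main__":
    for problem, ns in audit_delegation(ZONE, PARENT_DELEGATION, APEX_NS, APEX_ADDRESSES):
        print(problem, ns)
```

Every in-bailiwick finding is something the parent (registrar or parent zone operator) has to be told about; the child cannot fix a delegation by editing its own zone.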

Of course, these are only some of the mistakes administrators commonly make, but they can serve as a basic checklist when you configure DNS servers.

Copyright © Windows knowledge All Rights Reserved