DNS: Desire Network Safety?

Experts recommend these steps to protect DNS.

A little discipline can solve domain name system (DNS) woes. The only requirement is name servers that allow proper configuration. Experts suggest:

Limit recursion. Name servers do need to offer recursion to the resolvers that are actually on your network, but there is no reason to make recursion available to every host on the Internet. Any server that does internal name resolution should stay behind the firewall.

Play zone defense. Allow zone transfers only to authorized secondary name servers. If the network doesn't recognize who wants information, it shouldn't give anything away.

Monitor DNS. Regularly monitor name servers for unusual spikes in traffic and in the amount of data either coming in or going out.

Use your firewalls and routers. Look for incoming traffic on port 53. If there are DNS responses headed for a network host that isn't running a name server, something is wrong and you can filter the traffic to head off the attack.

Update your name server software. Without the right versions and patches, the software is even more susceptible to attack or manipulation.

Reexamine your load balancing. Some companies use a DNS-based approach to load balancing. Experts say that's relying on a weak link.

Work with your ISP. If you use hosted DNS, negotiate with your ISP to put upstream filtering into place.

Keep DNS by itself. Don't run DNS on a server that also runs other network services, like a Web or mail server. A successful exploit on the other service could leave DNS vulnerable.
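The "limit recursion" and "play zone defense" steps above, as they look in a BIND 9 named.conf; this is an added example, not configuration from the article. It assumes BIND 9, an internal network of 10.0.0.0/8, authorized secondaries at 192.0.2.10 and 192.0.2.11, and a zone called example.com; all of these are placeholders.

```conf
// Added example, not from the article: BIND 9 named.conf for an
// Internet-facing authoritative server, with the internal resolver's
// settings shown afterwards. Addresses and the zone name are placeholders:
// 10.0.0.0/8 is the internal network, 192.0.2.10 and 192.0.2.11 are the
// authorized secondary name servers.

acl "internal"    { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

// --- Internet-facing authoritative server ---
options {
    directory "/var/named";

    // Limit recursion: this server answers only for the zones it hosts.
    // The weak setting it replaces is "recursion yes;" with no ACL
    // (or "allow-recursion { any; };"), which turns the server into an
    // open resolver that any host on the Internet can use.
    recursion no;

    // Play zone defense: no zone transfers unless a zone says otherwise.
    // The weak setting it replaces is "allow-transfer { any; };".
    allow-transfer { none; };
};

zone "example.com" {
    type primary;                    // "master" in BIND releases before 9.16
    file "example.com.zone";
    allow-transfer { secondaries; }; // only the listed secondaries may pull the zone
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// --- Internal resolver, a separate host kept behind the firewall ---
// Its options block (shown commented out because BIND allows only one
// options block per file) offers recursion to internal resolvers only:
//
// options {
//     recursion yes;
//     allow-recursion   { internal; };
//     allow-query-cache { internal; };
//     allow-transfer    { none; };
// };
```

After editing, `named-checkconf` validates the syntax, and a recursive lookup from an outside address against the authoritative server should be refused.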

Copyright © 2007 IDG Communications, Inc.
