If you use BIND, you can disable recursion
by adding the following to the options
section in named.conf (BIND keywords are
lowercase and case-sensitive, so Options
with a capital O is a syntax error):
options {
recursion no;
};
Note that with BIND, you can use an allow-recursion
ACL to permit recursion only from trusted IP addresses. Although this might be
the only workable solution in some configurations,
an authoritative server that also recurses for strangers is an open resolver
that can be abused for cache poisoning and amplification, so the best protection
is to prevent all recursion on public DNS servers.
Limit Zone Transfers
A surprisingly common DNS server mistake
is allowing any host to perform zone transfers,
which hands out every record in the zone
at once. Zone transfers are how secondary servers
copy a zone from the primary, but you should be careful
to limit which hosts can request them. If your
servers don't replicate zones this way, you can completely disable
zone transfers.
To limit zone transfers with
Microsoft DNS, open the DNS
Management Console, right-click
the zone you want
to configure, click Properties,
then access the Zone Transfers
tab. If you want to enable zone
transfers, be sure to allow only
servers listed on the Name
Servers tab or use specific IP
addresses. Never allow zone
transfers to any server.
With BIND, you control
this setting in named.conf.
You can make the setting
in either the global options
section or individual zone
sections. Keep in mind that
an allow-transfer setting in a zone section
overrides the global one for
that zone, so the best way to
manage zone transfers is to
deny them globally, then
configure individual zones to
allow zone-transfer requests
only from the IP addresses of your
secondary servers. To do so, add to named.conf
as follows (address lists are enclosed in
braces, not parentheses; fetch-glue is a
BIND 8 option that BIND 9 treats as
obsolete, so omit it there):
options {
recursion no;
fetch-glue no;
allow-transfer { none; };
};
zone "example.com" IN {
...
allow-transfer { 192.168.0.15; };
};
After editing, run named-checkconf to catch
syntax errors before you reload the server,
then confirm from an untrusted address that
an AXFR request for the zone is refused.
Reduce Exposure
To prevent abuse, it’s important to limit all
network services to specific ports and IP
addresses. You should always use a packet
filter, such as a firewall or router, to limit
access to your DNS servers, and you should
configure limitations on the servers themselves.
To configure Microsoft DNS to listen
only on specific IP addresses, you can open
the DNS Management Console, right-click
the computer name, select Properties, and
select the Interfaces tab. You can then enter
specific IP addresses you want to listen on, as Figure 2 shows.
With BIND, the listening IP address is a
global option in named.conf (listen-on is
valid only in the options statement, not
in a zone section). listen-on covers IPv4;
listen-on-v6 does the same for IPv6:
options {
recursion no;
fetch-glue no;
allow-transfer { none; };
listen-on { 192.168.0.8; };
};
With Microsoft DNS, it's possible to manage
a remote DNS server using the remote
procedure call (RPC) protocol. If you don't
use this feature, you can disable RPC to
reduce your attack surface. To do so, you
must edit the server's registry. Using Regedit,
locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters,
and create a DWORD value named
RpcProtocol. Set this value to 0, and restart
the DNS server for the setting to take effect.
Be aware that the DNS Management Console and
dnscmd also talk to the service over RPC, so
with the value at 0 neither will connect, even
on the server itself. The value is a bit mask
(0x1 TCP/IP, 0x2 named pipes, 0x4 LPC); setting
it to 0x4 keeps local management working while
removing the network transports.
You Can Do More
At this point, your DNS server won’t allow
recursive DNS requests from others, won’t
attempt to answer queries outside its zones,
will permit zone transfers only to trusted
hosts, and will listen only on the IP addresses
you specified. If it contains only public DNS
records, the server is now secure enough to be
a public DNS advertiser. With prudent firewall
configuration, careful patch management,
and other security best practices in place, you
can be confident that your DNS server isn’t a
threat to your network or others.
However, you can do more. IPsec
between trusted hosts adds the confidentiality
that DNS itself lacks; the DNS Security
Extensions (DNSSEC) let resolvers verify the
origin and integrity of your zone data; and
Transaction Signatures (TSIG) authenticate the
server-to-server transactions, such as zone
transfers and dynamic updates, that you have
so far restricted only by IP address. Careful server
hardening will prevent other types of attacks
on your DNS server. Finally, a good network-monitoring
system can warn you of impending
attacks.