Proper DNS deployment one key to DNS security

Two basic tenets of information technology (IT) network security practice are to partition DNS server deployments, and the functions they perform, by trust zone, and to employ a multi-layered, defense-in-depth approach. I’ll use the term “trust sectors” instead of “trust zones” given the ambiguity of the word “zone” in a DNS context. Establishing an effective defense is critical, as are preparation, monitoring and event detection to rapidly identify attacks in progress, and recovery plans to carry out mitigation actions that minimize or nullify their impact. Event post-mortems are equally important: they feed lessons learned back into the security plan to improve detection and recovery times.

Generally, DNS deployment designs should account for high availability, performance, scalability, human intervention and, of course, security. Using a trust sector approach to DNS server deployment allows you to segment namespace and resolution responsibility, which provides a solid foundation for achieving these objectives. Keep in mind that there is no “one size fits all” cookie-cutter deployment architecture. However, by defining role-based server configurations as trust sectors, you can select which ones apply based on your environment’s scale and policies.

Based on the flow of DNS queries, I recommend defining the following four trust sectors according to the query source and the context of the query.

  1. Recursive trust sector - this sector comprises internal (within the organization) queriers (stub resolvers) querying recursive servers out through a demilitarized zone (DMZ) to the Internet. This trust sector enables internal clients to access external/Internet websites and by necessity requires access to and from the Internet with associated security controls.
  2. Internal trust sector - internal stub resolvers desiring to access intranet sites make use of the internal trust sector. This sector comprises stub resolvers querying recursive servers which forward to internal authoritative DNS servers. As internal and presumably more sensitive destinations are published through these internal authoritative servers, security measures are required to control access to such information which could provide attackers a set of potential targets.
  3. External trust sector - this sector comprises your external or Internet-facing DNS infrastructure, whether in-house, outsourced or both. These servers publish Internet reachable destinations such as web and email servers. Query access is generally open to all, but important steps are required to disable recursion, mitigate reflector attacks, and prevent breaching your internal DNS or network in general.
  4. Extranet trust sector - for partners or suppliers, some organizations publish server information to support access to information such as inventories or pricing. Controls are required to constrain access to those partners only and to prevent infiltration into the internal network.
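To make the role split concrete, here is an added example of how the four sectors map onto BIND 9 named.conf settings for three server roles (it is not configuration from the post; the addresses are constructed from documentation ranges, the zone names are hypothetical, and the `rate-limit` statement assumes BIND 9.9.4 or later). The three fragments are separate files, one per server, not a single named.conf.

```conf
// ---- Internal recursive server (recursive + internal trust sectors) ----
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };  // constructed

options {
    recursion yes;
    allow-query     { internal; };   // only internal stub resolvers may ask
    allow-recursion { internal; };   // never recurse for outside sources
    allow-transfer  { none; };
};

// the intranet namespace is forwarded to the internal authoritative servers
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };       // constructed internal authoritative
};

// ---- External authoritative server (external trust sector) ----
options {
    recursion no;                    // never recurse for Internet queriers
    allow-query     { any; };        // public zones are open to all
    allow-recursion { none; };
    allow-transfer  { 198.51.100.2; };   // secondary only (constructed)
    minimal-responses yes;           // smaller answers, less amplification value
    rate-limit { responses-per-second 10; };  // blunt reflection attacks
};

zone "example.com" {
    type master;
    file "db.example.com";           // web and mail records only, no internal names
};

// ---- Extranet authoritative server (extranet trust sector) ----
acl "partners" { 203.0.113.0/24; 2001:db8:1::/48; };  // constructed partner ranges

options {
    recursion no;
    allow-query     { partners; };   // partner address space only
    allow-transfer  { none; };
};

zone "partners.example.com" {
    type master;
    file "db.partners.example.com";
};
```

The firewall and DMZ rules that let only the recursive servers reach the Internet, and only the Internet reach the external authoritative servers, complete the picture; the named.conf settings above are the DNS-layer half of that separation.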

I invite you to check out my DNS trust sector video for more information and details about configuring DNS servers and affiliated network elements to achieve a DNS security zones deployment in your network.
