[dns-operations] Best Practices in DNS security

Paul Vixie paul at vix.com
Thu Mar 16 17:33:32 UTC 2006

# A few questions that will hopefully generate some discussion. 
# What have you found is the most effective way to prevent recursive queries
# from foreign address space against your DNS servers? DNS ACLs, Firewall
# ACLs or Router ACLs; have you found one of these to be more effective or
# easier to manage?

some answers based on my BIND9 experiences.

i've found that the best thing to do is an allow-query directive listing
the local address space.  firewalls can theoretically be better, but are
usually harder to reconfigure when new "inside" address space is added.

note that there is an allow-recursion ACL that doesn't do what most folks
think it does.  this ACL will prevent recursion from being done on behalf
of non-ACL-matching source addresses, but still gives access to authority
data or previously-cached recursive data.  my advice is, don't use this.

also note that if you run authority and recursion in the same server image
(answering on the same ip address), there are a few cases where the server
cannot follow the RFCs when generating answers, and is basically guessing.
my advice is, don't do this.  allocate a separate IP address for recursive
nameservice (as handed out by DHCP or listed in resolv.conf) other than the
one used for authority name service (as listed in A RRs that are named in
NS RRs.)

# Are you running firewalls in front of your DNS servers? If so are they
# effective? Are there any DNS specific problems with firewalls to be
# aware of?

we run firewalls at ISC because our environment is sysadmin-rich and we can
reconfigure the firewalls as easily as we can reconfigure our nameservers.
the thing to watch out for is that you should not send back an ICMP-Unreach
message when someone attempts to reach your nameserver from outside.  these
ICMP messages can be used as part of a reflector attack.  while we mostly
worry about amplification attacks, reflector attacks are also effective.
if you are going to send back ICMP-Unreach for udp/53 messages, please rate
limit them on a per-flow basis in order to make your site less useful for

# Are you using Intrusion Detection Systems to detect DNS specific
# attacks? Has this been effective?  

i have a perl script that examines the firewall and nameserver logs looking
for rejected traffic.  there's quite a lot of unwanted traffic, and the only
time a flow or pattern generally emerges is due to misconfiguration rather
than malfeasance.  misconfiguration is worth learning about and fixing, but
it's not an intrusion in the normal sense of that word.

# Any other suggestions or best practices you believe the rest of the DNS
# community should be following?

every zone should have some in-bailiwick nameservers (NS.NSDNAME values
which are within the zone being delegated) and some non-bailiwick servers
(ideally proceeding out of completely different TLD or at least SLD.)  the
goal of this is to be able to turn off "fetch-glue" and still have all of
your delegation responses be usable without causing requestors to have to
go out and fetch anything.

otherwise, your questions have highlighted every best-practice i know of
that is non-current.  :-).
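An added named.conf sketch of the layout the post describes (my example, not code from the post or from ISC): the allow-recursion-only setting it warns against, beside a BIND9 split into a recursive view and an authoritative view on separate addresses. The ACL ranges, the two listen addresses and the zone name are made up.

```conf
// Added example, not from the post. ACL ranges and addresses are made up.
acl "inside" { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    // One address per role, as the post recommends.
    listen-on { 192.0.2.53; 198.51.100.53; };
};

// --- The setting the post warns against ----------------------------------
// "allow-recursion" alone: outside sources cannot make the server recurse,
// but it still answers them from authority data and from anything already
// in the cache.
//
//   options {
//       allow-recursion { inside; };
//   };

// --- Split recursive and authoritative service by destination address ----

// 192.0.2.53: the address handed out by DHCP / listed in resolv.conf.
view "recursive" {
    match-destinations { 192.0.2.53; };
    match-clients { inside; };
    recursion yes;
    allow-query { inside; };   // the local address space, nothing else
};

// 198.51.100.53: the address in the A RRs that the NS RRs name.
view "authoritative" {
    match-destinations { 198.51.100.53; };
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};
```

Once views are in use, every zone must live inside a view, so the authority zones all go under "authoritative" and the recursive view carries none.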
