You cannot imagine the internet without DNS. There is almost no service that doesn’t depend on DNS technology. E-mails, VoIP, web services, all kind of CRM and ERP systems and much more. DNS is so important that we must take care of our network and make it as secure as possible.
Here we will show you some good practices to manage your DNS. Prevention is the best defense. Pay attention to these pieces of advice and take action.
Hide the master DNS
Configure the master DNS as a hidden. Like this, it will not be shown in the records of the name server. It will not appear, and it will not respond to any queries. Its purpose will be to give zone transfers to secondary name servers which will be public but doing it safely and hidden.
Make the connection between the master DNS and the secondary name servers secured. Use ACLs (access control lists) and TSIGs (Transaction signatures). Like this, your secondary servers won’t be fooled, and your network won’t get corrupted.
Do this on the external servers and reduce the risk for your authoritative servers to be part of DNS attacks like DNS Amplification.
Add rate limits
Even if you disabled the recursion on your authoritative DNS servers, they still could be used in DNS Amplification attacks with your domain names. To mitigate the options of the DNS attackers, you can add rate limits. If you are using bind software, here is an example configuration you can add to the options clause to set rate limit from 2 queries per second on average for each IPv4 class C (/24) network:
Don’t show all information
The information about the version of your DNS software is for you. Don’t make it public. If hackers know it, they can use it against you by exploiting the particular vulnerabilities that the software might have. For example, if you are using bind software you can add a version in the options clause like this:
Place content (web) servers where your customers are
Be smart and think about your users. Place name servers where your clients need them the most. It will reduce the latency and improve the experience for your users. It will also minimize the load on your other servers, give you extra protection, and it will reduce the chance of failure. If you have multiple target markets in different locations (for example EU and the US), you can use GeoDNS service to direct the customers to the right servers which are closer to them.
Use Anycast DNS for your business. This will make the experience for your users, faster and better. It will dramatically reduce the time to load the first page of your website, which helps your SEO significantly. It makes it more resilient, making it harder to experience a down time and more protected from DDoS attacks because of the different points of presence.
Domain Name System Security Extensions (DNSSEC) provide an additional layer of security on top of your DNS. This DNS best practice prevents a certain kind of attack where the attacker intercepts and potentially alters the DNS queries and responses. DNSSEC ensures that the users are communicating with the intended website or service, and not a malicious version of it. However, it’s important to note that DNSSEC can be complex to implement and manage and should be thoroughly tested before deployment.
Monitor DNS traffic
Keep an eye on your DNS traffic. Unusual patterns or a sudden increase in DNS queries could signal a security breach or a DDoS attack. By leveraging monitoring services and implementing alert systems, organizations can quickly identify and mitigate any unusual DNS activity, minimizing the impact of potential threats.
Control the traffic with DNS filtering
An excellent defence against viruses, spyware, and other malicious traffic is to block it before it can infiltrate your network. That’s where DNS filtering comes in. This technique control and restrict access to specific websites or content based on DNS queries. By implementing it, organizations can proactively prevent access to malicious or inappropriate websites, reducing the risk of malware infections, data breaches, and other cyber threats.
Keep log files
Maintaining logs of DNS server activity is another crucial DNS practices for security incident response and forensic analysis. These logs provide valuable information about DNS queries and responses, allowing organizations to identify and investigate security incidents. By analyzing the logs, organizations can understand the nature of the incident, track the source of the attack, and take appropriate measures to mitigate the impact. Additionally, DNS logs help meet compliance requirements, facilitate audits, and optimize network performance.
Regularly audit your DNS configuration
Regularly reviewing and auditing your DNS configuration can help you identify and fix any misconfigurations or security vulnerabilities. The audit should cover all aspects of the DNS setup, including checking for unnecessary open zones, ensuring correct IP address mapping, and validating DNS record settings.
These are some of the most recommended DNS practices. While there will be new threats, many of the DNS attacks happening these days can be evaded. No matter if your network is small or large, try to keep it safe and protected, by following our recommendations. Restrict access to some parts of the network, and remember that well-designed infrastructure is vital to your digital presence.
Hi, I’m Martin Pramatarov. I have two degrees, a Technician of Computer Networks and an MBA (Master of Business Administration). My passion is storytelling, but I can’t hide my nerdish side too. I never forgot my interest in the Hi-tech world. I have 10 years and thousands of articles written about DNS, cloud services, hosting, domain names, cryptocurrencies, hardware, software, AI, and everything in between. I have seen the Digital revolution, the Big migration to the cloud, and I am eager to write about all the exciting new tech trends in the following years. AI and Big Data are here already, and they will completely change the world!
I hope you enjoy my articles and the excellent services of ClouDNS!