Configuring and Securing a DNS Service

Configuring DNS Zones

As a rule of thumb: EVERY DNS zone should at least have an SOA and an NS record. Most likely the forward DNS zones will also have A (hosts), CNAME (alias) and MX (mail exchanger) records. Reverse DNS zones will also contain PTR (pointer) records.

Configuring a new (forward) zone

Add a new DNS (sub)domain as master/primary (slave/secondary is a redundant copy of an existing domain). If this is your Internet DNS service, use your Internet domain name. If it is an internal domain use your own defined (sub)domain as the name for the DNS zone.

When you add a new domain, an SOA record should be created automatically; if not, create it. Configure the SOA (the default settings should be fine). Then add one or more name servers (NS records) to your zone; the value should be an FQDN such as ns.yourdomain.com, or a name relative to the DNS zone such as ns. That name must resolve to an IP address, so next add an A record in your DNS zone pointing ns to the IP address of the DNS server. This is the most basic configuration of a DNS zone. Now add other A/CNAME records as needed.

Common DNS entries

  • ns for name servers
  • gateway/router for an internet gateway
  • www for HTTP servers
  • smtp/out/relay for outgoing mail
  • mail/in/pop for incoming mail
  • webmail for incoming mail using an HTTP frontend
  • proxy for HTTP/FTP/SOCKS proxy servers
  • pac for Proxy Auto Configuration (an HTTP server that serves the pac file)
  • wpad for Web Proxy Auto Discovery

Configuring a reverse zone

A reverse zone is highly recommended for performance reasons. Many applications, including the badly written nslookup, use reverse DNS lookups. If you don't have a reverse DNS zone, those lookups might take a while and you'll probably experience some delays or timeouts.

To add a new reverse zone, type your network id in reverse as the zone name, ending with .in-addr.arpa (for example, zone name 0.168.192.in-addr.arpa for network 192.168.0.0/24). Now again (if not already created) add an SOA record and at least one NS record using the FQDN, like ns.yourdomain.com. The last step is to add the PTR records. These are the records pointing the individual IP addresses of your subnet to your FQDNs (for example, if you want to point 192.168.0.1 to www.yourdomain.com, add a PTR record with owner 1 and value www.yourdomain.com). If you have subzones (multiple subnets) in your reverse zone, add NS records pointing to the DNS servers of the appropriate subnet.
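The forward and reverse zone procedure above, worked through in code. This is an added example and not part of the original advisory: yourdomain.com, the 192.168.0.0/24 network and the host names are the advisory's own illustrations, while the helper names (reverse_zone_name, ptr_owner, forward_zone, reverse_zone, validate_zone, render_zone) and the SOA timer values are assumptions made here. It derives the in-addr.arpa zone name from the network, generates the PTR owner names, and checks the rule of thumb that every zone carries an SOA and at least one NS record before rendering BIND-style zone text.

```python
"""Build and sanity-check BIND-style forward and reverse zone files.

Added example; it is not part of the original advisory. yourdomain.com,
the 192.168.0.0/24 network and the host names are the advisory's own
illustrations; the helper names and SOA timer values are assumptions.
"""
import ipaddress

# Constructed SOA parameters: serial, refresh, retry, expire, minimum TTL.
SOA_TIMERS = "2002081601 7200 900 1209600 3600"


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone name for an octet-aligned IPv4 network.

    192.168.0.0/24 -> 0.168.192.in-addr.arpa, 10.0.0.0/8 -> 10.in-addr.arpa
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str, network: str) -> str:
    """Owner name of the PTR record for ip, relative to the reverse zone."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def forward_zone(domain: str, ns_ip: str, hosts):
    """Minimal forward zone: SOA, NS, the A record for ns, then the hosts.

    hosts is a list of (owner, type, rdata) tuples, e.g. ("www", "A", "192.168.0.1").
    """
    records = [
        ("@", "SOA", f"ns.{domain}. hostmaster.{domain}. {SOA_TIMERS}"),
        ("@", "NS", f"ns.{domain}."),
        ("ns", "A", ns_ip),
    ]
    records.extend(hosts)
    return records


def reverse_zone(network: str, ns_fqdn: str, hosts_by_ip: dict):
    """Reverse zone: SOA, NS (as an FQDN) and one PTR record per address."""
    mailbox = "hostmaster." + ns_fqdn.split(".", 1)[1]   # hostmaster@ the ns server's domain
    records = [
        ("@", "SOA", f"{ns_fqdn}. {mailbox}. {SOA_TIMERS}"),
        ("@", "NS", f"{ns_fqdn}."),
    ]
    for ip, fqdn in hosts_by_ip.items():
        records.append((ptr_owner(ip, network), "PTR", f"{fqdn}."))
    return records


def validate_zone(records) -> list:
    """The rule of thumb above: exactly one SOA and at least one NS per zone."""
    types = [rtype for _, rtype, _ in records]
    problems = []
    if types.count("SOA") != 1:
        problems.append("zone must have exactly one SOA record")
    if "NS" not in types:
        problems.append("zone must have at least one NS record")
    return problems


def render_zone(origin: str, records) -> str:
    """Zone file text in the usual $ORIGIN / 'owner IN type rdata' layout."""
    lines = [f"$ORIGIN {origin}.", "$TTL 3600"]
    lines += [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fwd = forward_zone("yourdomain.com", "192.168.0.2",
                       [("www", "A", "192.168.0.1"), ("mail", "A", "192.168.0.3"),
                        ("@", "MX", "10 mail")])
    rev = reverse_zone("192.168.0.0/24", "ns.yourdomain.com",
                       {"192.168.0.1": "www.yourdomain.com",
                        "192.168.0.2": "ns.yourdomain.com"})
    for origin, zone in (("yourdomain.com", fwd),
                         (reverse_zone_name("192.168.0.0/24"), rev)):
        print(render_zone(origin, zone), validate_zone(zone) or "ok", sep="")
```

Only octet-aligned networks are handled, because the classic in-addr.arpa delegation works per octet; anything narrower than a /24 needs the RFC 2317 style of delegation, which this example deliberately leaves out.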

DNS Forwarding/recursion

If your DNS server is used internally, it will probably also be used for DNS lookups of Internet hosts (i.e. as a DNS cache). To do so, configure the DNS service as a forwarder simply by adding forwarders, or supply DNS root hints. For performance reasons, choose the forwarders closest to you, such as those of your Internet provider or your Internet router/gateway if it runs a DNS forwarding service. With forwarding, requests that cannot be resolved from the local DNS zones are forwarded to, and resolved by, the DNS servers of your Internet provider or router.

If you don't add forwarders but the DNS service is configured with root hints, it will use recursion to resolve the request. Recursion is the process of finding the DNS servers responsible for a subdomain by first contacting the servers for the parent domain. For example, to look up www.yourdomain.com it will contact the root hints to find the DNS servers responsible for the com top-level domain, it will then contact those to find the DNS server responsible for yourdomain.com, and it will finally ask that server for www.yourdomain.com.

Warning: On your publicly available DNS service, you should NEVER enable forwarding or recursion, as this can be used for cache poisoning or a DoS attack on your domain.
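The recursion walk described above (root hints, then the com servers, then yourdomain.com's own server), as an added example that is not part of the original advisory. The server names, addresses and authoritative data are constructed from documentation address ranges, and the functions query and resolve are assumptions made here; a real resolver also handles retries, caching and several name servers per delegation, which this toy leaves out.

```python
"""Toy iterative resolver: follow referrals from the root hints down to the
authoritative server for yourdomain.com.

Added example, not part of the advisory. All names and addresses are constructed.
"""

# Constructed root hints: the only thing the resolver knows at the start.
ROOT_HINTS = [("a.root-servers.example.", "198.51.100.1")]

# Constructed authoritative data, keyed by server address. Each server knows
# the delegations (NS name + glue address) of its child zones and the A
# records of its own zone, and answers only from that data.
AUTH = {
    "198.51.100.1": {
        "zone": ".",
        "delegations": {"com.": [("a.gtld.example.", "198.51.100.2")]},
        "a": {},
    },
    "198.51.100.2": {
        "zone": "com.",
        "delegations": {"yourdomain.com.": [("ns.yourdomain.com.", "203.0.113.1")]},
        "a": {},
    },
    "203.0.113.1": {
        "zone": "yourdomain.com.",
        "delegations": {},
        "a": {"ns.yourdomain.com.": "203.0.113.1",
              "www.yourdomain.com.": "203.0.113.10"},
    },
}


def query(server_ip: str, qname: str):
    """One non-recursive question to an authoritative server.

    Returns ("answer", ip), ("referral", [(ns_name, ns_ip), ...]) or ("nxdomain", None).
    """
    srv = AUTH[server_ip]
    if qname in srv["a"]:
        return "answer", srv["a"][qname]
    # Refer to the most specific delegated child zone that contains qname.
    matches = [z for z in srv["delegations"] if qname.endswith("." + z)]
    if matches:
        return "referral", srv["delegations"][max(matches, key=len)]
    return "nxdomain", None


def resolve(qname: str, max_referrals: int = 8):
    """Follow referrals from the root hints until an answer or NXDOMAIN.

    Returns (ip_or_None, path); path lists (server name, response kind) in order.
    """
    path = []
    candidates = ROOT_HINTS
    for _ in range(max_referrals):
        ns_name, ns_ip = candidates[0]   # first listed server; real resolvers pick by RTT
        kind, data = query(ns_ip, qname)
        path.append((ns_name, kind))
        if kind == "answer":
            return data, path
        if kind == "nxdomain":
            return None, path
        candidates = data                 # follow the referral one level down
    raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    ip, path = resolve("www.yourdomain.com.")
    print(ip)
    for server, kind in path:
        print(f"  {server}: {kind}")
```

Each hop is a non-recursive question to one server; that is exactly the work a caching resolver does on behalf of its clients, and why the advisory keeps it off the public authoritative servers.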

Securing the DNS Service

  • Disable Round Robin
    Round robin rotates the IP addresses returned for A records; it is used for load balancing.

  • Separate the DNS service from DNS caching
    If your DNS cache, which is also running your DNS service, is compromised or DoS'd, your domain can be redirected or taken offline. So do not run a DNS cache (also called a forwarder, non-authoritative DNS service or recursive name service) together with your authoritative DNS service. By separating DNS caches from DNS servers, you protect your DNS servers from DNS cache problems, and vice versa.

  • Limit or block zone transfers
    Zone transfers from unauthorized hosts are probably some sort of attack (preparing for DoS) or probing of your internal network. Block these arbitrary zone transfers by allowing only certain hosts (such as your secondary DNS servers), or block them altogether. You can additionally block TCP port 53 (this will also block zone transfers). Normal lookups use UDP port 53.

  • Disable recursion on authoritative name servers
    You don't need recursion on your public authoritative name servers.

  • Secure the cache against pollution
    If you run a DNS cache, secure it against pollution. Polluting or poisoning a cache is done with certain requests/responses that make the DNS service believe it has the correct IP address of certain domains, while in fact those addresses belong to hostile sites.

  • Limit DNS cache exposure
    Only allow connections from your internal address space to your DNS cache.

  • Enable logging
    Configure logging so that you can monitor the usage of your DNS service. Logging will typically include zone transfers, zone updates and optionally all DNS queries. Depending on the amount of traffic, choose the appropriate logging level.
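Putting the logging, zone-transfer and cache-exposure points above together: a small check that reads DNS query log lines and flags zone transfers from hosts that are not the known secondaries, and recursion-desired queries arriving from outside the internal address space. This is an added example and not code from the advisory. The log lines are constructed in a BIND-like query log layout (in BIND's query log the flags field starts with "+" when the client set the recursion-desired bit and "-" otherwise); the secondary server address, the internal ranges and the function names parse_query_line and analyse are assumptions made here.

```python
"""Flag risky DNS queries in BIND-style query logs.

Added example, not part of the advisory. The sample lines, the secondary
address and the internal ranges are constructed for the demonstration.
"""
import ipaddress
import re

# Assumed environment: one secondary that is allowed to transfer zones,
# and two internal ranges that may use the cache.
SECONDARIES = {ipaddress.ip_address("198.51.100.53")}
INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: the flags field is "+" for recursion desired, "-" otherwise.
SAMPLE_LOG = """\
01-Apr-2007 10:00:01.001 client 192.168.0.10#51234 (www.yourdomain.com): query: www.yourdomain.com IN A + (203.0.113.1)
01-Apr-2007 10:00:02.002 client 198.51.100.53#40001 (yourdomain.com): query: yourdomain.com IN AXFR - (203.0.113.1)
01-Apr-2007 10:00:03.003 client 203.0.113.77#40002 (yourdomain.com): query: yourdomain.com IN AXFR - (203.0.113.1)
01-Apr-2007 10:00:04.004 client 203.0.113.88#55555 (www.example.net): query: www.example.net IN A + (203.0.113.1)
01-Apr-2007 10:00:05.005 client 203.0.113.99#55556 (www.yourdomain.com): query: www.yourdomain.com IN MX - (203.0.113.1)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line: str):
    """Return a dict with client ip, qname, qtype and the RD bit, or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["ip"] = ipaddress.ip_address(q["ip"])
    q["rd"] = q["flags"].startswith("+")
    return q


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def analyse(log_text: str):
    """Apply the two rules and return (rule, client, qname) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            continue
        # Rule 1: a zone transfer request that does not come from a known secondary.
        if q["qtype"] in ("AXFR", "IXFR") and q["ip"] not in SECONDARIES:
            alerts.append(("zone-transfer-from-unauthorized-host", str(q["ip"]), q["qname"]))
        # Rule 2: somebody outside the internal address space asks us to recurse.
        if q["rd"] and not is_internal(q["ip"]):
            alerts.append(("recursion-requested-from-outside", str(q["ip"]), q["qname"]))
    return alerts


if __name__ == "__main__":
    for rule, client, qname in analyse(SAMPLE_LOG):
        print(f"{rule}: {client} asked for {qname}")
```

Rule 2 only tells you that recursion was requested, not that the server granted it; on an authoritative server with recursion disabled these lines are still worth counting, because a steady stream of them from the outside shows who is treating your server as an open resolver.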

Links
Troubleshooting DNS

Published: 16/08/2002
Last modified: 2/04/2007
Document Type: Advisory
Target: General
Visibility: Public
Language: English
