Minimize DNS cache poisoning in five steps


Michael Hyatt, president, CEO and co-founder, BlueCat Networks
06.28.2005


Michael Hyatt, president, CEO and co-founder, BlueCat Networks, Inc., offers the following tips for minimizing DNS cache poisoning:

1. Run a current, patched DNS server
Make sure every DNS server runs a current, supported release of its software with the vendor's security patches applied. At the time of writing (2005) that means BIND 9.2.x or later, or the DNS server shipped with Windows Server 2003.

2. Limit recursion to internal clients
Do not leave your name servers open to recursive queries from the whole Internet (externally facing name servers especially). Where recursion is needed, restrict it so that only clients in your internal address space may ask recursive questions. An open resolver lets any outsider make it look up names of the attacker's choosing, which is exactly the foothold a cache-poisoning attempt needs.

3. Use forwarders where possible
Configure your internal name servers to forward every query they are not authoritative for to a small set of forwarders, and keep those forwarders on current software and locked down so they accept recursive queries from internal addresses only. Only the forwarders then ever talk to the Internet, which shrinks the set of caches an outside attacker can reach and the number of machines you must patch and watch.

4. Split external authoritative name servers from forwarders where possible
An external authoritative name server must answer queries from almost any address, whereas a forwarder should answer internal addresses only, so the two roles should not share a server. Disable recursion entirely on the external authoritative name servers: an authoritative-only server never looks up names on anyone's behalf, so it has no resolver cache for an attacker to poison.

5. Make use of firewall services
Use firewall services both at the network perimeter and on the DNS servers themselves. Limit access to only those ports and services that are required for DNS functionality.

Here are some best practices to minimize cache-poisoning risk (some overlap with the steps above):

  • Separate external and internal name servers (physically separate machines, or at least separate BIND views)
  • Restrict zone transfers to authorized secondary servers only
  • Use TSIG (transaction signatures) to sign zone transfers and dynamic updates, so that a source address alone is never enough to obtain or change zone data
  • Restrict dynamic DNS updates wherever possible (mainly a concern on internal DNS)
  • Hide the BIND version string the servers report (don't advertise more than you must)
  • Run redundant name servers on different networks, ideally in different physical locations
  • Keep DNS software up to date and patched
  • Remove unnecessary services from the DNS servers (FTP, telnet, HTTP and so on); none of them is required on a name server
  • Firewall at the perimeter and on the servers themselves, exposing only the ports DNS needs: UDP and TCP port 53 (TCP is used for zone transfers and for answers too large for UDP, so don't block it)
  • Where possible, use dedicated appliances rather than multi-purpose servers

These measures limit who can reach and drive your resolvers and who can read or alter zone data; they do not authenticate the answers a resolver accepts. DNSSEC validation, which is outside the scope of this tip, is the control that does that.
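The following named.conf fragments are an added example, not configuration from the original tip or from BlueCat Networks. They show how the five steps and the list above map onto BIND 9 syntax for the three roles the tip describes: an external authoritative server, an internal name server that forwards, and the locked-down forwarder. All addresses (RFC 5737 and RFC 1918 ranges), zone names, file paths and the key secret are placeholders.

```conf
// ---------------------------------------------------------------------------
// File 1: named.conf on the EXTERNAL authoritative server
// (steps 2 and 4; zone-transfer, TSIG and version-hiding items above)
// ---------------------------------------------------------------------------
acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // placeholder secondary addresses

// Shared secret for signing AXFR/IXFR. Create it with `tsig-keygen xfer-key`
// and install the same key stanza on every secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, not a real key
};

options {
    directory "/var/named";
    version none;               // refuse version.bind CH TXT queries entirely
    recursion no;               // authoritative only: never resolve on a client's behalf
    allow-query { any; };       // the world may ask about the zones hosted here
    allow-transfer { none; };   // global default; zones opt in below
    allow-update { none; };     // no dynamic updates to external zones
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Require BOTH a secondary source address AND a valid TSIG signature:
    // the nested negated list rejects every address outside "secondaries",
    // and only a signed request from inside it reaches the key element.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
};

// ---------------------------------------------------------------------------
// File 2: named.conf on an INTERNAL name server
// (step 3: authoritative for internal zones, forwards everything else)
// ---------------------------------------------------------------------------
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };   // placeholder ranges

options {
    directory "/var/named";
    version none;
    allow-query { internal; };
    allow-recursion { internal; };           // step 2: recursion for our clients only
    allow-transfer { none; };
    forwarders { 10.0.0.53; 10.0.0.54; };    // the two forwarders, nothing else
    forward only;    // never fall back to iterating against the Internet ourselves
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-update { none; };   // if DHCP needs updates, allow only a TSIG key here
};

// ---------------------------------------------------------------------------
// File 3: named.conf on a FORWARDER
// (steps 2 and 3: the only hosts that talk to the Internet)
// ---------------------------------------------------------------------------
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };   // same list as File 2

options {
    directory "/var/named";
    version none;
    recursion yes;
    allow-query { internal; };         // outsiders cannot even ask
    allow-recursion { internal; };
    allow-query-cache { internal; };   // BIND 9.4 and later: keep cached data private too
    allow-transfer { none; };
};

// Root hints so the forwarder can iterate from the root on the clients' behalf.
zone "." { type hint; file "named.root"; };
```

Validate each file with `named-checkconf` before loading it. To confirm the external server behaves as intended, query it from an address outside your network: `dig @ns1.example.com www.example.net A` should return REFUSED with no `ra` flag, while `dig @ns1.example.com example.com SOA` still answers, and `dig @ns1.example.com version.bind CH TXT` should no longer return a version string. On each secondary, add a matching `server 203.0.113.1 { keys { "xfer-key"; }; };` stanza (using the primary's real address) so its transfer requests are signed; `forward only` on the internal servers is what keeps them from contacting the Internet if a forwarder is down, so monitor the forwarders accordingly.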

About the author: Michael Hyatt is president, CEO and co-founder of BlueCat Networks, Inc., which designs and produces network appliances.

All Rights Reserved, Copyright 2004 - 2009, TechTarget | Read our Privacy Policy