Michael Hyatt, president, CEO and co-founder of BlueCat Networks, Inc., offers the following tips for minimizing the risk of DNS cache poisoning:
1. Run the latest version of your DNS software
Ensure your DNS servers are running the latest version of their DNS software: BIND 9.2.x or MS Windows 2003.
2. Limit recursion to internal DNS servers
Make sure your DNS servers are not fully open to recursive queries (especially your externally facing name servers). If a DNS server must provide recursion, restrict recursive queries to clients in your internal address space only.
3. Use forwarders, if possible
Have your internal name servers forward all non-authoritative queries to a set of forwarders, and ensure that the forwarders are upgraded (latest version of the DNS software) and locked down (recursive queries allowed only from internal addresses). This limits which DNS servers actually have contact with the Internet.
4. Split your external authoritative name servers and forwarders, if possible
External authoritative name servers need to accept queries from almost any address, but forwarders don't (they should be configured to accept queries from internal addresses only). Additionally, external authoritative name servers should have recursion disabled entirely.
5. Make use of firewall services
Use firewall services at both the network perimeter and on the DNS servers themselves. Limit access to only those ports/services that are required for DNS functionality.
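The split described in tips 2 through 4, as an added example (not from the original article or from BlueCat): three BIND named.conf fragments, one for an internal resolver that only forwards, one for the locked-down forwarders, and one for an external authoritative server with recursion disabled. Each fragment is a separate server's configuration; all addresses, ACL names and zone names are hypothetical placeholders.

```conf
// ===== File 1: named.conf on an INTERNAL resolver (tips 2 and 3) =====
// Hypothetical values: 10.0.0.0/8 and 172.16.0.0/12 are the internal address
// space; 10.0.0.53 and 10.0.1.53 are the locked-down forwarders.
acl "internal" { 10.0.0.0/8; 172.16.0.0/12; localhost; };

options {
    directory "/var/named";
    listen-on { 10.0.0.10; };             // hypothetical address of this resolver
    allow-query { internal; };            // only internal clients may ask anything
    recursion yes;
    allow-recursion { internal; };        // tip 2: never recurse for outside addresses
    forward only;                         // tip 3: never contact the Internet directly...
    forwarders { 10.0.0.53; 10.0.1.53; }; // ...send every non-authoritative query here
};

// ===== File 2: named.conf on the FORWARDERS (tip 3) =====
// Same "internal" ACL as in File 1. These are the only hosts that resolve
// against the Internet, so they are the ones that must be patched first.
options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };        // locked down: recursion only for internal addresses
};
zone "." { type hint; file "named.root"; };  // root hints so the forwarder can recurse

// ===== File 3: named.conf on an EXTERNAL authoritative server (tip 4) =====
options {
    directory "/var/named";
    recursion no;                         // tip 4: recursion disabled entirely
    allow-query { any; };                 // the world must be able to query our zones
    allow-recursion { none; };            // defence in depth: no recursion even if re-enabled
    allow-transfer { none; };             // default for all zones; override per zone below
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2; };        // hypothetical secondary name server
};
```

With this layout a query from an outside address to the internal resolver is refused, a non-authoritative query to the external server is refused (it only answers for its own zones), and only the two forwarders ever open connections to the Internet. Tip 5's firewall rules are applied outside named.conf and should mirror the same ACLs: port 53 from internal addresses only on Files 1 and 2, port 53 from anywhere on File 3.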
Here are some best practices to minimize cache poisoning risk (there may be some overlap with the above):
- Separate external and internal name servers (physically separate machines or run BIND views)
- Restrict zone transfers to authorized devices (secondary servers) only
- Make use of TSIG (transaction signatures) to digitally sign zone transfers and zone updates
- Restrict dynamic DNS updates when possible (mainly for internal DNS)
- Hide the version of BIND being run on the servers (don't advertise too much information)
- Run separate nameservers (for redundancy) on different networks (best if different physical locations are possible)
- Ensure DNS software is up to date and patched as required
- Remove any unnecessary services running on the DNS servers (FTP, telnet, HTTP, etc.). These are not required on a DNS server.
- Make use of firewalling services (perimeter firewalls and local firewalls running on the DNS servers themselves). Ensure that only the required TCP and UDP ports are visible (TCP and UDP port 53 for DNS).
- If possible, use dedicated appliances in place of multi-purpose servers
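Several of the best practices above (separate internal and external name servers via BIND views, zone transfers restricted to secondaries and signed with TSIG, dynamic updates disabled, BIND version hidden) combined in one named.conf, as an added example that is not from the original article or from BlueCat. The "internal" ACL, the 192.0.2.x secondary addresses, the zone name and the key secret are all hypothetical placeholders.

```conf
// Hypothetical values throughout; replace before use.
acl "internal" { 10.0.0.0/8; localhost; };

// TSIG key shared with the secondaries, so that only signed transfer requests
// are honoured. Generate a real secret with `tsig-keygen transfer-key` on a
// current BIND release; hmac-sha256 needs BIND 9.4 or later (older servers
// only offer hmac-md5). The secret below is a PLACEHOLDER, not a real key.
key "transfer-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVI=";
};

// Sign outbound transfers and notifies to each secondary with that key.
server 192.0.2.2 { keys { "transfer-key"; }; };
server 192.0.2.3 { keys { "transfer-key"; }; };

options {
    directory "/var/named";
    version "none";              // do not advertise the BIND version
    allow-transfer { none; };    // global default; zones opt in below
    allow-update { none; };      // no dynamic DNS updates anywhere on this server
};

// Split-horizon with views: one machine answers internal and external clients
// differently (the alternative is physically separate servers). Once views are
// used, every zone statement must live inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    forward only;
    forwarders { 10.0.0.53; };   // hypothetical locked-down forwarder
    zone "example.com" {
        type master;
        file "internal/example.com.zone";        // private addresses, never shown outside
        allow-transfer { key "transfer-key"; };  // only TSIG-signed requests get a copy
    };
};

view "external" {
    match-clients { any; };
    recursion no;                // authoritative only for outside clients
    zone "example.com" {
        type master;
        file "external/example.com.zone";        // public addresses only
        allow-transfer { key "transfer-key"; };
        also-notify { 192.0.2.2; 192.0.2.3; };
    };
};
```

The `allow-transfer { key "transfer-key"; }` form is the important line: a transfer request from an address on the secondary list but without a valid TSIG signature is still refused, so a spoofed source address alone is not enough to pull the zone. On the secondaries the matching configuration names the same key in the `masters` list, and the two zone files should be kept in separate directories so an internal record can never be copied into the external file by mistake.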
About the author: Michael Hyatt is president, CEO and co-founder of BlueCat Networks, Inc., which designs and produces network appliances.