Minimize DNS cache poisoning in five steps

Michael Hyatt, president, CEO and co-founder, BlueCat Networks

Michael Hyatt, president, CEO and co-founder, BlueCat Networks, Inc., offers the following tips for minimizing DNS cache poisoning:

1. Run the latest version of your DNS server software
Ensure your DNS servers are running a current, patched release of their DNS software. At the time of writing that means BIND 9.2.x or the DNS Server service on Windows Server 2003; older releases (BIND 4 and 8 in particular) have known cache-poisoning weaknesses and should be retired.

2. Limit recursion to internal clients
Make sure your DNS servers are not open to recursive queries from the whole Internet (especially your externally facing name servers). An open recursive resolver can be made to fetch, and then cache, whatever an attacker wants it to. If a server must recurse, restrict recursive queries to your internal address space only.

3. Use forwarders, if possible
Have your internal name servers forward all non-authoritative queries to a small set of forwarders, and ensure those forwarders are both upgraded (latest DNS software) and locked down (recursive queries accepted from internal addresses only). This limits the number of DNS servers that actually talk to the Internet, so there are fewer caches an attacker can reach and fewer hosts to patch.

4. Split your external authoritative name servers and forwarders, if possible
External authoritative name servers need to accept queries from almost any address, but forwarders don't (they should be configured to accept queries from internal addresses only). Additionally, external authoritative name servers should have recursion disabled entirely.

5. Make use of firewall services
Use firewall services at both the network perimeter and on the DNS servers themselves. Limit access to only those ports/services that are required for DNS functionality.

Here are some best practices to minimize cache poisoning risk (there may be some overlap with the above):

  • Separate external and internal name servers (physically separate machines or run BIND views)
  • Restrict zone transfers to authorized devices (secondary servers) only
  • Make use of TSIG (transaction signatures) to authenticate zone transfers and dynamic updates with a shared HMAC secret, so a secondary or updater cannot be spoofed by source address alone
  • Restrict dynamic DNS updates when possible (mainly for internal DNS)
  • Hide the version of BIND being run on the servers (don't advertise too much information)
  • Run separate nameservers (for redundancy) on different networks (best if different physical locations are possible)
  • Ensure DNS software is up to date and patched as required
  • Remove any unnecessary services running on the DNS servers (FTP, telnet, HTTP, etc.). These are not required on a DNS server
  • Make use of firewalling services (perimeter firewalls and local firewalls running on the DNS servers themselves). Ensure that only the required ports are reachable: TCP and UDP port 53 for DNS (TCP is needed for zone transfers and for answers too large for UDP)
  • If possible, use dedicated appliances in place of multi-purpose servers
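The five steps and the best-practice list above map onto a handful of named.conf statements. The following is an added example, not BlueCat's or ISC's code: it places a deliberately weak BIND configuration next to one hardened per the tips (recursion limited to internal space, forwarders, TSIG-authenticated zone transfers, no dynamic updates, version hidden) and runs a small audit over both to flag the settings that leave a server open to poisoning. Both configurations are constructed samples; the ACL name `internal`, the key name `xfer-key`, its secret, and the 192.0.2.x / 203.0.113.x addresses are assumptions.

```python
"""Audit a BIND named.conf for the cache-poisoning hardening settings above.

Added example (not BlueCat's or ISC's code). The two configurations are
constructed samples; the ACL name `internal`, the TSIG key name `xfer-key`,
its secret and the 192.0.2.x / 203.0.113.x addresses are assumptions.
"""
import re

# Constructed sample: a resolver that answers recursive queries for anyone,
# hands its zone to anyone, accepts updates from anyone and reports its version.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };
};
"""

# Constructed sample: the same server after applying the tips above.
HARDENED_CONF = """\
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };
key xfer-key {   # generate with: dnssec-keygen -a HMAC-MD5 -b 512 -n HOST xfer-key
    algorithm hmac-md5;
    secret "ZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwta2V5";   # assumed placeholder, not a real key
};
server 203.0.113.2 { keys { xfer-key; }; };   # the only secondary allowed to pull the zone
options {
    directory "/var/named";
    version "not disclosed";
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
    forwarders { 192.0.2.53; };
    forward only;
    allow-transfer { key xfer-key; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { none; };
};
"""

_BLOCK = re.compile(r'^(options|zone\s+"[^"]+"|view\s+"[^"]+")\s*\{(.*?)^\};', re.M | re.S)


def _blocks(conf):
    """Yield (header, body) for each top-level options/zone/view block.
    Assumes the block's closing `};` sits at the start of a line, as in the samples."""
    conf = re.sub(r'(//|#).*', '', conf)  # drop end-of-line comments
    for m in _BLOCK.finditer(conf):
        yield m.group(1), m.group(2)


def _setting(body, name):
    """Return the value set of `name { a; b; };` or `name value;`, or None if absent.
    The lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    pat = r'(?<![\w-])' + re.escape(name) + r'\s*'
    m = re.search(pat + r'\{([^}]*)\}', body)
    if m:
        return {t.strip() for t in m.group(1).split(';') if t.strip()}
    m = re.search(pat + r'("[^"]*"|[^;\s{]+)\s*;', body)
    return {m.group(1).strip('"')} if m else None


def audit(conf):
    """Return one finding per hardening tip the configuration violates."""
    findings = []
    for header, body in _blocks(conf):
        if header == 'options':
            if _setting(body, 'recursion') != {'no'}:  # BIND defaults to recursion yes
                if 'any' in (_setting(body, 'allow-recursion') or {'any'}):
                    findings.append('options: open resolver, restrict allow-recursion to internal addresses')
                if _setting(body, 'forwarders') is None:
                    findings.append('options: no forwarders, this server resolves against the Internet itself')
            if _setting(body, 'version') is None:
                findings.append('options: BIND version is advertised, set a fixed version string')
            # classic BIND 9 releases default allow-transfer to any when it is not set
            if 'any' in (_setting(body, 'allow-transfer') or {'any'}):
                findings.append('options: zone transfers allowed from any address')
        else:
            for stmt in ('allow-transfer', 'allow-update'):
                if 'any' in (_setting(body, stmt) or set()):
                    findings.append(f'{header}: {stmt} {{ any; }} exposes the zone')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(f'{label}: {len(audit(conf))} finding(s)')
        for finding in audit(conf):
            print('  -', finding)
```

The audit is intentionally narrow: it reads the options, zone and view blocks of a file whose block closers sit at the start of a line and reports on the statements discussed in this article, so it is a quick pre-deployment check rather than a replacement for `named-checkconf`. Running it over the two samples reports five findings for the weak file and none for the hardened one. Note that with `forward only` plus `allow-recursion { internal; }` the internal server never contacts the Internet itself (steps 2 and 3), while the external authoritative server described in step 4 would instead carry `recursion no;` and `allow-query { any; };`.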

About the author: Michael Hyatt is president, CEO and co-founder of BlueCat Networks, Inc., which designs and produces network appliances.

This was first published in June 2005
