11.7. DNS Security

Looking at what DNS does, it may seem that there is nothing in it for hackers to compromise. This is a misperception. There have been cases of DNS servers being taken out of commission, which made it impossible to use symbolic host names, so network programs that rely on them stopped working. Users are not accustomed to working with IP addresses, so an unavailable DNS is the kiss of death for their Internet activities.

Besides putting DNS servers out of order, hackers can use them to extract far too much information about the structure of the network: which hosts exist, what they are called, and which addresses they have. To limit this, it is desirable to split the service between two DNS servers as follows:

  • One DNS server is publicly available and contains only the mapping information necessary for remote users to work with shared resources.

  • Another DNS server is available only to local network users and contains all mapping information the users require for their work.

The firewall protecting the local DNS server should accept DNS traffic from the local network only and drop access attempts from the Internet. This makes it problematic for hackers not only to obtain information from the internal DNS database but also to disrupt the operation of this server. In this way, as long as the firewall is functional, local users keep a working DNS even while the public server is under attack.

You can also install a secondary server for each primary server. This distributes the workload between two servers, reduces the response time, and makes the system more robust: if one of the servers fails, the other picks up its workload and keeps the DNS service operational.

Pairing up servers allows productivity and security to be enhanced. Linux-based DNS servers are undemanding to the hardware. I have four Red Hat-based DNS servers running in text mode on 400-MHz to 700-MHz Pentium machines. These used to be office computers, but when their capabilities became insufficient to handle office tasks, I turned them into DNS servers. These machines are, and will be for the next several years, more than enough for this task. In this way, old computers can be given a second life, and quite a long one. The important thing is that this solution saves the company money.

But, alongside these advantages, doubling up DNS servers has a dangerous side. A secondary server updates its database by asking the primary for the whole zone (a zone transfer). Hackers can issue exactly the same request with the host utility and obtain the contents of the primary server's database.

The following is an example of how this can be done:

 host -l server.com ns1.server.com 

This asks ns1.server.com for a zone transfer and lists every record of the server.com zone. To prevent this, the addresses of the secondary servers have to be listed explicitly in the named.conf file. This is done by adding the following entry to its options {...} section:

 allow-transfer { 192.168.1.1; }; 

This can also be done in the description of each individual zone, but it is preferable to do it once in the global options, where it covers every zone (a zone's own allow-transfer overrides the global setting if one zone needs a different policy). If you do not employ a secondary DNS server, prohibit zone transfers entirely by adding the following entry instead:

 allow-transfer { none; }; 

After reloading named, repeat the host -l command from an address that is not on the list: it should now report a failed transfer instead of listing the zone.
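The two-server layout and the transfer restriction described above, written out as named.conf fragments. This is an added example and not configuration from the book: one fragment belongs on the public server and one on the internal server (they cannot share a single file, since each has its own options section). The addresses 192.0.2.53 and 192.168.1.0/24, the zone name server.com and the zone file paths are assumptions; the public fragment also shows the unrestricted setting, commented out, beside its corrected form.

```conf
// Added example, not from the book. Addresses, zone name and paths are assumed.

// ---------- /etc/named.conf on the PUBLIC server ----------
options {
    directory "/var/named";
    recursion no;                     // answer only for our own zones
    allow-query { any; };             // the public zone must be visible
    // allow-transfer { any; };       // WEAK: anyone can copy the whole zone
    allow-transfer { 192.0.2.53; };   // only the secondary (assumed address)
    version "not disclosed";          // do not advertise the BIND version
};

zone "server.com" {
    type master;
    file "public/server.com.zone";    // only the hosts remote users need
};

// ---------- /etc/named.conf on the INTERNAL server ----------
acl lan { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;                    // local users resolve Internet names here
    allow-query { lan; };             // reachable from the LAN only
    allow-recursion { lan; };
    allow-transfer { none; };         // no secondary on the inside: refuse AXFR
    version "not disclosed";
};

zone "server.com" {
    type master;
    file "internal/server.com.zone";  // the full map of the LAN
};
```

Run named-checkconf on each file before reloading. Note that an address list restricts transfers but does not authenticate the requester; BIND can additionally require a TSIG key on transfers, which is beyond the scope of this section.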

DNS servers can also be subjected to DDoS attacks. The most notorious DDoS attack on the Internet's DNS infrastructure took place in October 2002, when all thirteen root servers were flooded simultaneously and several of them became unreachable. If only one server had been employed to provide DNS services, the Internet would have become unusable shortly after the attack started. This did not happen for the following reasons:

  • Server redundancy, which keeps duplicates of the DNS information available on other machines

  • Caching servers, which keep answering from their caches while the authoritative servers are unreachable

  • Proxy servers, which also cache DNS records

Other aspects of securing a DNS server are the same as for any other service and for the operating system itself. As already mentioned, the most secure server is one that performs a single, narrowly defined task: it has fewer open ports and fewer running services, which makes it harder to compromise. The only drawback of this approach is that a larger number of servers makes keeping the operating system up to date more laborious. Linux has its fair share of bugs that have to be fixed, and when updates are released, all servers, DNS servers included, have to receive them.
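As a closing check for the zone-transfer restriction discussed earlier, the following script audits every nameserver of a zone for an open transfer using dig, which sends the same AXFR request as host -l. It is an added example, not a tool from the book. The live check needs dig installed (bind-utils or dnsutils); the classifier and the sample dig output embedded in the script are constructed so the logic can be exercised offline, and the zone and server names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: audit a zone for open zone transfers.
# Zone and server names are assumptions; the sample dig output is constructed.

# Read the output of "dig @ns zone AXFR +noall +answer" on stdin and print
# "open" if the server handed over zone records, "refused" if it declined
# or could not be reached.
axfr_status() {
    out=$(cat)
    case "$out" in
        *"Transfer failed"*|*"timed out"*|*"communications error"*)
            echo refused; return 0 ;;
    esac
    # Count real resource records: lines that are neither comments nor blank.
    n=$(printf '%s\n' "$out" | awk '!/^;/ && NF { c++ } END { print c + 0 }')
    if [ "$n" -gt 0 ]; then
        echo open
    else
        echo refused
    fi
}

# Live check of one server: prints "<ns>: open|refused".
check_ns() {    # $1 = zone, $2 = nameserver
    status=$(dig @"$2" "$1" AXFR +noall +answer +time=3 +tries=1 | axfr_status)
    echo "$2: $status"
}

# Live check of every nameserver published for the zone.
audit_zone() {  # $1 = zone
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    for ns in $(dig +short NS "$1"); do
        check_ns "$1" "$ns"
    done
}

# Constructed samples of what dig prints for a completed and a refused AXFR.
SAMPLE_OPEN='server.com.      86400 IN SOA ns1.server.com. hostmaster.server.com. 2004010101 3600 900 604800 86400
server.com.      86400 IN NS  ns1.server.com.
www.server.com.  86400 IN A   192.0.2.10
server.com.      86400 IN SOA ns1.server.com. hostmaster.server.com. 2004010101 3600 900 604800 86400'
SAMPLE_REFUSED='; Transfer failed.'

# Offline demonstration; pass a zone name as $1 to run the live audit instead.
if [ -n "${1-}" ]; then
    audit_zone "$1"
else
    printf '%s\n' "$SAMPLE_OPEN"    | axfr_status    # open
    printf '%s\n' "$SAMPLE_REFUSED" | axfr_status    # refused
fi
```

Run it as `sh axfr-audit.sh server.com` from a host outside the allow-transfer list; every server should report "refused". A server reporting "open" is still handing its whole zone to anyone who asks.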



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
