As you put DNS to work in your organization, pay close attention to security. Put your nameserver behind a firewall, harden the server operating system, and make sure that it is subjected to vulnerability scanning at least every 30 days. Keep your software, typically Active Directory and/or BIND, patched and up to date. Let only a small number of highly trusted administrators have access to your external authoritative nameservers, and ensure that a revision-control system is in place that produces an audit trail of every zone change. Finally, remember that a mistyped delegation in your domain registration can make your domain disappear for a minimum of three days.
Test, test, test. DNS helps keep your internal networks secure by hiding hosts and topology from the outside world, so be vigilant about making sure that you don't inadvertently make internal addresses visible in your external zones. Make sure that you have backups of your DNS server so that if you suffer a catastrophic failure, an administrator makes a blunder, or your security is compromised, you can get back online quickly. There are standards in place for a higher-security DNS, with cryptographic zone and record signing for authentication (see www.dnssec.net/rfc). These enhancements are not in common use yet because the computational requirements of the cryptography make them impractical. There may be progress on the horizon, however, as the federal government has mandated the use of DNSSEC for the .gov TLD by January 2009.
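Two of the checks above, that no internal addresses leak into an external zone and that every in-zone delegation carries the glue it needs, are easy to automate before a zone is pushed to the public nameservers. The linter below is an added example, not code from the original article; it parses a constructed zone in simplified BIND master-file syntax (one record per line, no blank-owner continuation lines), uses the reserved example.com domain, and assumes the external zone should contain no RFC 1918, loopback, link-local or IPv6 ULA addresses.

```python
"""Lint an external zone file for leaked internal addresses and missing glue.

Added example (not from the article). The zone text below is constructed for
illustration; example.com is a reserved documentation domain.
"""
import ipaddress
import re

# Address ranges that should never appear in a public-facing zone.
# An explicit list is used instead of ipaddress.is_private because the
# latter also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed sample zone in simplified master-file syntax.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 1209600 300)
@        IN NS    ns1.example.com.
@        IN NS    ns2.example.com.
ns1      IN A     203.0.113.10
ns2      IN A     203.0.113.11
www      IN A     203.0.113.20
intranet IN A     10.1.2.3              ; internal host leaked into external zone
vpn      IN AAAA  fd00::1               ; IPv6 ULA, likewise internal
lab      IN NS    ns1.lab.example.com.  ; in-zone delegation with no glue record
"""

# owner [ttl] [IN] type rdata
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(text):
    """Return (origin, records); each record is (absolute owner, type, rdata)."""
    origin = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        owner = m.group("owner")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"           # make relative names absolute
        records.append((owner, m.group("type"), m.group("rdata").strip()))
    return origin, records


def find_internal_leaks(records):
    """A/AAAA records whose address falls in an internal range."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                leaks.append((owner, rdata))
    return leaks


def find_missing_glue(origin, records):
    """NS records pointing at in-zone names that have no A/AAAA record."""
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    missing = []
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = rdata if rdata.endswith(".") else f"{rdata}.{origin}"
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addressed:
            missing.append((owner, target))
    return missing


def lint_zone(text):
    """Return human-readable findings for a zone; empty list means clean."""
    origin, records = parse_zone(text)
    findings = [f"internal address leaked: {o} -> {a}"
                for o, a in find_internal_leaks(records)]
    findings += [f"missing glue for delegation {o} -> {t}"
                 for o, t in find_missing_glue(origin, records)]
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print(finding)
```

Running the script against the sample reports the leaked intranet and VPN hosts and the lab delegation that lacks glue; wiring `lint_zone` into the pre-commit hook of the revision-control system that holds your zone files makes it part of the audit trail rather than a manual step.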