Securing Your Recursive DNS Server

September 8, 2023

Every online interaction starts with a DNS query, and the availability and integrity of your services depend on the security of your recursive DNS. An attack on your recursive DNS can disrupt traffic flow for your internal users, impacting their ability to get their job done.

In this blog post, we will discuss best practices to secure your recursive DNS servers and ensure smooth traffic flow to the right destination. 

How to secure your recursive DNS

Use multiple redundant and diversified servers

To reduce the impact of an outage, use multiple recursive DNS servers, preferably in separate physical locations. This way, if any one of them is taken out by an outage, name resolution for your users remains available.

Do capacity planning and manage utilization

For large recursive DNS deployments handling many queries, managing capacity against current and future query loads helps you avoid a cascading failure caused by a localized outage or maintenance period.

Separate your recursive/resolver DNS servers from authoritative servers

If you host your own DNS servers, it is tempting to use the same set of servers for both roles. However, doing so means that attacks on your public-facing authoritative servers could affect your internal resources and your ability to restore service.

Build a secure Active Directory

A high percentage of recursive DNS services are integrated with Microsoft Active Directory. Active Directory acts as a local authoritative DNS server that dynamically adds entries when computers are added to and removed from the domain or when services such as email are provisioned.

Filter internal domains to avoid leakage

Some enterprises use a private domain (.local, .lan, etc.) or a subdomain of their public-facing domain (corp.mydomain.com) with an internal authoritative DNS server. These internal domains should be filtered so that queries for them are answered internally and never sent out across the Internet during recursion.

Verify answers with DNSSEC

Use cryptography to verify that the response originated from the correct authoritative server. This helps prevent various attacks like cache poisoning and aids in detecting other attacks such as network hijacking. 

Use IP access control lists for internet-hosted recursive servers

Where you host a recursive DNS service on the Internet, as an ISP does for its broadband subscribers, use IP ACLs to ensure that only your own users can use it for recursion.
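The two filtering steps above (source-IP ACLs and keeping internal domains from leaking during recursion) can be expressed as one per-query policy decision. The following is an added illustration, not code from the original post; the address ranges, zone names and the 10.0.0.53 stub server are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Constructed policy data for the example; adjust to your own address plan and zones.
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Internal zones and the internal authoritative server (stub target) that serves them.
INTERNAL_ZONES: Dict[str, str] = {
    "corp.example.com.": "10.0.0.53",
    "10.in-addr.arpa.": "10.0.0.53",
}

# Private TLDs that must be answered locally and never sent to the root servers.
PRIVATE_TLDS = ("local.", "lan.", "internal.")


@dataclass(frozen=True)
class Decision:
    action: str                    # "refuse", "nxdomain", "stub" or "recurse"
    target: Optional[str] = None   # stub server address when action == "stub"


def normalize(qname: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    return qname.strip().lower().rstrip(".") + "."


def longest_zone_match(qname: str, zones: Sequence[str]) -> Optional[str]:
    """Return the most specific zone that equals qname or is one of its parents."""
    qname = normalize(qname)
    best = None
    for zone in zones:
        zone = normalize(zone)
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve_policy(client_ip: str, qname: str) -> Decision:
    """Decide how the resolver should handle one query before any recursion happens."""
    client = ipaddress.ip_address(client_ip)
    if not any(client in net for net in ALLOWED_CLIENTS):
        return Decision("refuse")            # source ACL: only our own users may recurse
    zone = longest_zone_match(qname, list(INTERNAL_ZONES))
    if zone is not None:
        return Decision("stub", INTERNAL_ZONES[zone])   # internal names go to the internal server
    if longest_zone_match(qname, PRIVATE_TLDS) is not None:
        return Decision("nxdomain")          # private TLDs are answered locally, never leaked
    return Decision("recurse")               # everything else resolves normally on the Internet
```

Note that the match is on whole labels, so notcorp.example.com is still recursed normally while anything at or below corp.example.com goes to the internal server.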

Isolate recursive DNS servers inside a DMZ network

Isolate your recursive DNS servers and your management traffic to them from the enterprise network using a demilitarized zone (DMZ) and a restrictive set of firewall rules.

Harden your DNS servers

Protect your DNS servers by disabling unnecessary services, applying patches, and regularly scanning for vulnerabilities. This helps ensure that your servers’ operating systems and application software are resilient against potential attacks. 

Update your DNS software

Keep your DNS software up to date to protect against known vulnerabilities. By regularly applying security patches and bug fixes, you reduce the risk of those vulnerabilities being exploited.

Employ caching forwarders for remote sites

Caching forwarders receive local DNS queries, forward them to a recursive DNS server, and cache the answer that is returned. This offloads the recursive server, so there is less query volume reaching it and the iterative queries it still has to perform are answered more quickly.
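The offload effect is easiest to see in a minimal model of a caching forwarder. This is an added example, not code from the original post; the upstream recursive server is stood in for by a plain function, and the clock is controllable so expiry can be shown without waiting.

```python
import time
from typing import Callable, Dict, Tuple

Answer = Tuple[str, int]  # simplified single-record answer: (rdata, ttl in seconds)


class FakeClock:
    """Controllable clock so cache expiry can be demonstrated without waiting (constructed)."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class CachingForwarder:
    """Answers local queries from cache; only misses are forwarded to the recursive server."""

    def __init__(self, upstream: Callable[[str, str], Answer],
                 clock: Callable[[], float] = time.monotonic,
                 max_ttl: int = 86400):
        self.upstream = upstream          # function standing in for the recursive server
        self.clock = clock
        self.max_ttl = max_ttl            # cap TTLs so a bad record cannot linger indefinitely
        self.cache: Dict[Tuple[str, str], Tuple[str, float]] = {}   # key -> (rdata, expires_at)
        self.upstream_queries = 0
        self.cache_hits = 0

    @staticmethod
    def _key(qname: str, qtype: str) -> Tuple[str, str]:
        return qname.strip().lower().rstrip(".") + ".", qtype.upper()

    def query(self, qname: str, qtype: str = "A") -> Answer:
        key = self._key(qname, qtype)
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            self.cache_hits += 1
            # Serve the remaining TTL, not the original, so clients expire the record in step with the cache.
            return hit[0], int(hit[1] - now)
        self.upstream_queries += 1
        rdata, ttl = self.upstream(*key)
        ttl = max(0, min(ttl, self.max_ttl))
        if ttl > 0:                       # TTL 0 answers are passed through but never cached
            self.cache[key] = (rdata, now + ttl)
        return rdata, ttl
```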

Log and monitor your recursive DNS servers

Monitor your recursive DNS servers with a Host Intrusion Detection System (HIDS) and a log management system. Analyze logs to detect and respond to any malicious activity or security breaches promptly. 

Filter recursive queries

Filter DNS queries on your recursive servers by using threat intelligence feeds or a protective DNS service. This blocks known and suspected bad domains and FQDNs to keep your internal assets from being compromised by malware, phishing, etc.
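The two practices above, log monitoring and filtering against a threat feed, come together when the query log is analysed. The following is an added example rather than code from the original post: the feed entries, the simplified log format and every log line are constructed (documentation domains, not real indicators).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed threat-intelligence feed; these are documentation domains, not real indicators.
BLOCKLIST = {"malware.example.net.", "phish.example.org."}

# Constructed query-log sample in a simplified "time client qname qtype rcode" format.
QUERY_LOG = """\
2023-09-08T10:00:01 10.0.0.5 www.example.com. A NOERROR
2023-09-08T10:00:02 10.0.0.5 mail.example.com. MX NOERROR
2023-09-08T10:00:03 10.0.0.5 cdn.malware.example.net. A NOERROR
2023-09-08T10:00:04 10.0.0.9 x7q2k.example.com. A NXDOMAIN
2023-09-08T10:00:04 10.0.0.9 p9d1m.example.com. A NXDOMAIN
2023-09-08T10:00:05 10.0.0.9 www.example.com. A NOERROR
2023-09-08T10:00:05 10.0.0.9 r4t8z.example.com. A NXDOMAIN
2023-09-08T10:00:06 10.0.0.9 k2w5n.example.com. A NXDOMAIN
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def blocklist_hit(qname: str) -> str:
    """Return the feed entry matching qname exactly or as a parent domain, else ''."""
    for bad in BLOCKLIST:
        if qname == bad or qname.endswith("." + bad):
            return bad
    return ""


def analyze(log_text: str, nx_ratio: float = 0.5, min_queries: int = 5) -> List[Tuple[str, str, str]]:
    """Return (client, finding type, detail) tuples for blocklist hits and NXDOMAIN bursts."""
    findings: List[Tuple[str, str, str]] = []
    per_client: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "nx": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                       # malformed line: skip rather than abort the analysis
        _ts, client, qname, _qtype, rcode = m.groups()
        qname = qname.lower().rstrip(".") + "."
        per_client[client]["total"] += 1
        if rcode == "NXDOMAIN":
            per_client[client]["nx"] += 1
        bad = blocklist_hit(qname)
        if bad:
            findings.append((client, "blocklisted", f"{qname} matches feed entry {bad}"))
    # Many NXDOMAIN answers from one host often indicate DGA malware or a misconfigured client.
    for client, c in per_client.items():
        if c["total"] >= min_queries and c["nx"] / c["total"] >= nx_ratio:
            findings.append((client, "nxdomain-burst", f"{c['nx']}/{c['total']} queries returned NXDOMAIN"))
    return findings
```

On a real deployment the same logic runs over the resolver's query log, and a blocklist hit is a strong cue to check the client host rather than just the blocked domain.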

In conclusion, hardening your recursive DNS servers and internal domains is a crucial part of an overall cybersecurity program and keeps your user traffic going to the correct destination. By implementing measures at the network, server, software, and zone levels, you can significantly reduce the risk of a successful interruption of your services.

Secure your organization’s online interactions with UltraDDR

Ensure the security and efficiency of your organization’s online interactions with Vercara’s UltraDNS Detection and Response (UltraDDR). This protective DNS service is designed to activate before threats materialize, offering a proactive defense against cyber attacks that could disrupt your internal users and impact their productivity.

Take advantage of Vercara’s Internet content filtering to enforce internet usage policies, and enjoy comprehensive protection that extends across your organization, regardless of user location. UltraDDR’s cloud-based solution helps manage expenses effectively, ensuring that your cybersecurity measures are both cost-efficient and powerful.

By choosing UltraDDR, you benefit from advanced threat blocking, integration with existing security measures, defense against zero-day threats, and customizable user-level policies.

Don’t let your organization’s DNS be a weak link. Speak with sales today.

Published On: September 8, 2023
Last Updated: July 22, 2024