* Use the latest DNS software and ensure patches are applied. The Internet Systems Consortium (ISC) also regularly issues updates and patches for Berkley Internet Name Domain (BIND), the most widely used DNS server. BIND is thought to deliver an excellent balance between speed and security, ease of administration and robustness, and RFC standards integration and universal applicability. But BIND is also the most attacked DNS server, so businesses need to run the latest version to protect against security flaws.
* Segregate Authoritative and Caching/Recursive functions within the DNS server, as recommended by ICANN. Authoritative servers should only accept queries they can answer authoritatively and have recursive disabled. This helps to prevent the Recursive Name Server Reflection Attacks common in DDoS attacks.
This is particularly critical with BIND, where key authoritative and recursive functions are contained within the same code in a single DNS engine. By incorporating a second DNS engine in the same appliance with separate authoritative and recursive functions, you can significantly increase the security and reliability of critical DNS services. For instance, use an alternative DNS engine such as Unbound and NSD. Unbound is a validating, recursive and caching DNS resolver that is designed for high performance, while NSD is an authoritative-only, high-performance name server.
* Eliminate Single Points of Failure. To mitigate the effects of zero-day attacks and ensure that you won't be vulnerable to a full-on DoS attack, best practices suggest using a hybrid DNS strategy. A hybrid strategy helpsmake DNS security footprints baffling to hackers by running a different type of algorithm for each DNS engine. When a new security alert is issued, a network owner can quickly and temporarily switch to another engine. The alternative engine can remain in place while DNS programmers patch, test and validate a security upgrade for the first engine. Plus, with multiple DNS engines in place, hackers will never be sure which name server software is running--making the task of analyzing DNS network packet footprints to discover its vulnerabilities quite complex and virtually impossible.
* Architect for Redundancy and Security. As part of best practice deployment, selecting the appropriate DNS architecture for your company's environment is very important. Deployment strategies should always include high availability and built-in mechanisms for easy recovery in the event of a disaster.
* Implement a DNS Firewall. Protect against DNS-based malware by using DNS Firewalls to block workstations from reaching malicious sites. At the same time, the DNS Firewall can protect against initial infection by placing the infected user in a Walled Garden so the system administrator can be notified that a user may be infected.
* Implement a high-performing DNS to absorb DDoS attacks. During a DDoS attack, the hacker tries to kill the DNS server or corrupt the DNS Cache so some queries will not be answered. Using DNS Queries filtering to combat this isn't recommended because doing so opens security holes. Instead, make sure your DNS infrastructure has the capability to always answer all DNS queries.
Sign up for MIS Asia eNewsletters.