Best answer I could give for this DNS Security question
Pash
Member Posts: 1,600 ■■■■■□□□□□
Potential Security Issue:-
DNS Server Allows Recursive Queries
My recommendation:-
After investigation there are no issues with removing root hints and only allowing forwarding to xxinsertcompanynamexx DNS servers. Of course this would still mean recursive queries occur because forwarders cannot be listed if recursion is disabled. DNS will check forwarders first but then have no hints to use for iterative queries on the public network.
Recommend no change.
This server is only used for lookup for one paticular company as part of required services. It was recommended by my manager to remove root hints, but in effect this wouldnt make any difference because the server would still make recursive queries to the listed forwarders on the DNS server. I hope I have explained this well enough.
I have checked Microsofts DNS hardening papers and see no security issues with current implementation. Can't do much more than that.
Anyone else have to look at issues like this, btw did I mention i hate penetration tests and I hate companies whos names begin with I and end with M (there is a B inbetween).
Cheers,
DNS Server Allows Recursive Queries
My recommendation:-
After investigation there are no issues with removing root hints and only allowing forwarding to xxinsertcompanynamexx DNS servers. Of course this would still mean recursive queries occur because forwarders cannot be listed if recursion is disabled. DNS will check forwarders first but then have no hints to use for iterative queries on the public network.
Recommend no change.
This server is only used for lookup for one paticular company as part of required services. It was recommended by my manager to remove root hints, but in effect this wouldnt make any difference because the server would still make recursive queries to the listed forwarders on the DNS server. I hope I have explained this well enough.
I have checked Microsofts DNS hardening papers and see no security issues with current implementation. Can't do much more than that.
Anyone else have to look at issues like this, btw did I mention i hate penetration tests and I hate companies whos names begin with I and end with M (there is a B inbetween).
Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
-
royal Member Posts: 3,352 ■■■■□□□□□□Man... There was an article a long time ago that I read that was EXCELLENT. It talked about having 3 different scopes of DNS servers and commands to run on each to secure them and which ones should provide recursion and which ones forward. I can't seem to find it for the life of me. When I finish working, I'll spend some time searching for it.
But in short, you'd have dedicated DNS servers to provide recursion and you'd have your AD servers forward to these DNS servers that provide the recursion. There are some commands to lock down AD to ensure it doesn't do any recursive queries besides the typical remove root hints. There were some other securing commands for DNS, but don't remember them.
Found it!
http://windowsitpro.com/article/articleid/92660/segregate-your-dns-servers.html
You need to register though for an online subscription. I'd recommend subscribing to the magazine though which comes with online subscription. It's excellent.“For success, attitude is equally as important as ability.” - Harry F. Banks -
Pash Member Posts: 1,600 ■■■■■□□□□□Thanks royal, top answer as always.DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.