securing DNS

seuss_ssues Member Posts: 629
I was reviewing some info on Sec+ and ran across a question about securing DNS servers.

The question was something to the degree of what is the best method to secure DNS servers?

and I was torn between 2 of the answers.

One was to the effect of only allowing encrypted zone transfers with secondary DNS servers.

And the other

Turning off all services besides DNS on the DNS server.

Questions like this that have 2 correct answers make the test difficult. I understand the "choose the BEST" but I second-guess myself with this type of question.

I know that with all servers it's best to disable all unused services. But then when I see this question I automatically assume that the machine has already had this done to it and look for the answer that actually has something to do with securing DNS.

Well, any input from any of you CISSP or Sec+ people would be nice.


  • Webmaster Admin Posts: 10,292
    The best answer would depend a lot on the exact wording of the question. As you mentioned, with all servers it's best to disable all unused services; that's not DNS server specific. So from that point of view I'd go for the other answer. However, the other answer mentions "encrypted zone transfers". Of course encrypting any data transfer is good from a security perspective, but without the proper authentication it means nothing. In other words, if the other answer had said something like "don't allow unauthorized zone transfers", I'd go for that one.

    What study material are you using? Any sec+ book or docs about securing DNS will (should) mention this.
  • dissolved Inactive Imported Users Posts: 228
    Encrypting DNS is the answer they're looking for.

    Real-world DNS servers aren't necessarily secured this way. Rather, recursion is disabled, services are disabled, zone transfers are defined by IP, etc.
  • stakhous Member Posts: 5
    I'm not sure what the right answer is. But who encrypts zone transfers?! You shouldn't need to do this because the server should only be set up to allow zone transfers between the specific IP of the caching server, and that's it. All other zone transfer attempts will fail. Sure, encryption fixes everything, but it's not logical in this situation.

    I would have to say I would choose disable all services. Also by viewing a zone transfer, it doesn't really put the server at risk any more than it does the rest of the network.

    I hate Security+ questions!

  • keatron Security Tinkerer Member Posts: 1,213
    Encrypting zone transfers really wouldn't secure the server; it would aid in securing the domain or zone, but not the server. Encrypting zone transfers would usually mean implementing IPSec or something else along these lines. So if you implemented IPSec secure server, the only way any other machine (whether requesting zone transfers or any other type of communication) can communicate with that server is if it has IPSec enabled also. So if encryption is performed per IPSec, then it is logical; however, knowing CompTIA, they are looking for the disabling of all services except DNS. But in reality, try disabling everything except the DNS service and see what functionality you get from that server. ;)