Guidelines for interpretation and administration of domain name security are provided in the USG Domain Name System (DNS) Security Standard.
5.13.1 USG Domain Name System (DNS) Security Standard
The purpose of this standard is to provide guidance in implementing Domain Name System (DNS) security on the DNS server(s).
If DNS data is compromised, attackers can gain information about the network that can be used to compromise other services. For example, attackers can harm the organization in the following ways (not an exhaustive list):
- By using zone transfer, attackers can retrieve a list of all the hosts and their IP addresses in your network;
- By using denial-of-service attacks, attackers can prevent e-mail from being delivered to and from your network, and they can prevent your Web server from being visible; or,
- If attackers can change your zone data, they can set up fake Web servers, or cause email to be redirected to their servers.
This standard covers USG internal DNS system(s), and USG external DNS system(s).
5.13.1.1 Domain Name Server (DNS) System Security Policy
DNS Internal Security Standard
- Every USG institution, the USO, the GPLS, and the Georgia Archives must have at a minimum one (1) internal DNS system.
- DNS systems must be physically secured.
- Internal hosts must resolve to an internal DNS server.
- All servers and network equipment must have a reserved IP address. These reserved IP addresses must be assigned in DNS.
- All internal applications should reference hosts by DNS name; they should not refer to an IP address directly.
- The DNS server must be located on a LAN segment separate from the users' segment.
- Internal DNS must not access the Internet directly.
- Internet or external queries on the domain must be forwarded to an external DNS.
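The two requirements that most often fail in practice are the zone-transfer exposure described above (an unrestricted transfer hands an attacker the full host list) and the rule that internal DNS forwards external queries rather than resolving them on the Internet itself. The following BIND 9 named.conf fragment is an added example, not part of the USG standard; the zone name, network ranges, addresses and file paths are constructed placeholders, and the weak setting is shown commented out beside its hardened replacement.

```conf
// Added example (not from the USG standard): internal DNS server configuration.
// All names, addresses and paths below are constructed placeholders.

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder internal ranges
acl "secondary-dns" { 10.0.0.3; };                      // placeholder internal secondary

options {
    directory "/var/named";

    // Serve and recurse only for internal hosts; they must resolve here.
    allow-query     { "internal-nets"; localhost; };
    allow-recursion { "internal-nets"; localhost; };

    // The internal server never walks the Internet root servers itself:
    // every name it is not authoritative for is forwarded to the external DNS.
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder: the external (DMZ) DNS server

    // Weak: lets any client pull the whole zone (the host list named above).
    // allow-transfer { any; };
    // Hardened: only the designated secondary may request AXFR/IXFR.
    allow-transfer { "secondary-dns"; };

    // Do not reveal the server software version to version probes.
    version "not disclosed";
};

zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    // Per-zone transfer restriction; repeated here so it does not depend on
    // the global option being present.
    allow-transfer { "secondary-dns"; };
    notify yes;
    also-notify { 10.0.0.3; };
};
```

After loading the configuration, confirm the restriction holds by attempting a zone transfer from a host that is not the secondary and verifying it is refused and logged; the log entry is the detection signal an administrator should expect to see if anyone else tries the same request.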
DNS External Security Standard
- External DNS must be located in a demilitarized zone (DMZ) or similar architecture.
- External DNS must be protected with firewall equipment or IPS.
- DNS administration must follow best practices.
5.13.1.2 Domain Name Service (DNS) Guidelines