5.9 Domain Name Service
Guidelines for interpretation and administration of domain name security are provided in the USG Domain Name System (DNS) Security Standard.
5.9.1 USG Domain Name System (DNS) Security Standard
The purpose of this standard is to provide guidance in implementing Domain Name System (DNS) security on the DNS server(s).
If DNS data is compromised, attackers can gain information about the network that can be used to compromise other services. For example, attackers can harm the organization in the following ways (not an exhaustive list):
- By using zone transfer, attackers can retrieve a list of all the hosts and their IP addresses in your network;
- By using denial-of-service attacks, attackers can prevent e-mail from being delivered to and from your network, and they can prevent your Web server from being visible; or,
- If attackers can change your zone data, they can set up fake Web servers, or cause email to be redirected to their servers.
This standard covers USG internal DNS system(s), and USG external DNS system(s).
Domain Name Server (DNS) System Security Policy
DNS Internal Security Standard
- Every USG institution, the USO, and the GPLS must have at a minimum one (1) internal DNS system.
- DNS systems must be physically secured.
- Internal hosts must resolve to an internal DNS server.
- All servers and networked equipment must have a reserved IP address. These reserved IP addresses must be assigned in DNS.
- Endpoints must be listed on DNS automatically by directory services.
- All internal applications must refer to the DNS server; they must not refer to an IP address.
- The DNS server must be located on a LAN segment different from that of the users.
- Internal DNS must not access the Internet directly.
- Queries for Internet domains must be forwarded to an external DNS.
- Internal DNS may not be accessed from an external DNS or the Internet.
DNS External Security Standard
- External DNS must be located on a demilitarized zone (DMZ).
- External DNS must be protected with firewall equipment or IPS by allowing DNS ports TCP 53 and UDP 53 only.
- External DNS must not contain an internal host.
- External DNS contains only host records that can be accessed from the Internet, such as a web server, Internet application, mail server, etc.
- External DNS must be able to access the Internet to perform domain queries and synchronization.
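One way to check the "External DNS must not contain an internal host" requirement, as an added example that is not part of the standard: a Python audit of a simplified external zone file that reports A/AAAA records pointing into internal address space. The zone contents, host names and the list of ranges treated as internal are constructed assumptions.

```python
import ipaddress

# Constructed sample: simplified external zone, one record per line.
# Documentation ranges (192.0.2.0/24, 2001:db8::/32) stand in for public IPs.
SAMPLE_EXTERNAL_ZONE = """\
$ORIGIN example.edu.
@        IN SOA  ns1.example.edu. hostmaster.example.edu. 1 7200 900 1209600 300
ns1      IN A    192.0.2.53
www      IN A    192.0.2.80
mail     3600 IN A 192.0.2.25
hr-db    IN A    10.20.30.40      ; internal host leaked into external zone
printer  IN A    192.168.1.77
intranet IN AAAA fd00:1234::10
www      IN AAAA 2001:db8::80
"""

# Assumed definition of "internal": address space not routable on the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]                # IPv6 ULA, link-local, loopback

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def audit_external_zone(zone_text):
    """Return (owner, type, address) for each A/AAAA record in internal space."""
    findings, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):      # skip blanks and directives
            continue
        tokens = line.split()
        if not raw[0].isspace():                  # indented line reuses last owner
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                         # optional TTL and class fields
        if len(tokens) >= 2 and tokens[0].upper() in ("A", "AAAA"):
            try:
                if is_internal(tokens[1]):
                    findings.append((owner, tokens[0].upper(), tokens[1]))
            except ValueError:                    # malformed address: report it too
                findings.append((owner, tokens[0].upper(), "unparseable: " + tokens[1]))
    return findings

if __name__ == "__main__":
    for owner, rtype, addr in audit_external_zone(SAMPLE_EXTERNAL_ZONE):
        print(f"internal address in external zone: {owner} {rtype} {addr}")
```

The parser handles only single-line records; zones using `$INCLUDE` or parenthesized multi-line records need a full zone-file parser before the same address check is applied.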
Terms and Definitions
- Domain – most often used to refer to a domain zone, it is also used to describe a zone or a domain name.
- DNS – the domain name system, better known as DNS, represents a powerful Internet technology for converting domain names to their corresponding IP addresses.
- DNS Spoofing – the basic purpose of spoofing is to confuse a DNS server into giving out bad information. The way it works is that an attacker sends a recursive query to the victim’s server, using the victim’s server to resolve the query. The answer to the query is in a zone the attacker controls. The answer given by the attacker’s name server includes an authoritative record for a domain name controlled by a third party. That authoritative record is FALSE. The victim’s server caches the bogus record. Once spoofed, the victim’s resolver will continue to use the false record it has in its cache, potentially misdirecting email, or any other Internet service. This is a potential major security leak for credit card information, trade secrets, and other highly sensitive information.
- Note: Most modern servers will not cache a fake record because it does not fall in the same parent zone as the record that was requested.
- RFC 4033, DNS Security Introduction and Requirements.
- Split DNS – Internal hosts are directed to an internal domain name server for name resolution, while external hosts are directed to an external domain name server for name resolution.