Organisations should consider the following mitigation strategies to reduce the likelihood of DNS Resolver compromises.
Apply the latest patches for DNS Resolvers
DNS Resolvers should have the latest security patches applied as this reduces the opportunities for an adversary to leverage known security vulnerabilities to exploit them.
Separate authoritative and recursive DNS Resolvers
Organisations should ensure that published authoritative DNS Resolvers, which are used by external parties to resolve www.youragency.gov.au, do not also resolve external domain names such as www.google.com. The public authoritative DNS Resolver should only resolve hosts that your organisation is responsible for and wishes to advertise.
Published organisation DNS Resolvers should not be configured to allow recursion. DNS Resolvers configured in this manner permit external entities to masquerade as your organisation when performing DNS queries – perhaps to inappropriate websites.
Limit zone transfers
Zone transfers permit all DNS information to be listed for a given domain and are a mechanism used by primary and secondary DNS Resolvers to update DNS information. The default behaviour for DNS zone transfer permits any host to request and receive a full zone transfer for a domain.
Allowing open DNS zone transfers is akin to an anonymous caller requesting and receiving your organisation’s complete telephone and address book. Information leakage from a seemingly innocent zone transfer could expose internal network topology that is useful to an adversary.
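The two preceding controls (no recursion on a published authoritative server, and zone transfers limited to the secondaries) can be checked mechanically against a server's configuration. The following audit script is an added example and is not code from this guidance or from ISC's BIND project. It assumes a simplified named.conf subset (an options block and zone blocks, one statement per line); the two configurations it inspects are constructed samples, and 192.0.2.53 is a documentation-range address standing in for a secondary. It also flags a fixed query-source port, which undoes the source-port randomisation discussed in the next section.

```python
import re

# Constructed sample configurations, not taken from any real deployment.
# A simplified BIND-style named.conf: one options block and one zone block.
WEAK_CONF = """
options {
    recursion yes;
    allow-transfer { any; };
    query-source port 53;
};
zone "example.gov.au" {
    type master;
    file "example.gov.au.zone";
};
"""

HARDENED_CONF = """
options {
    recursion no;
    allow-transfer { none; };
};
zone "example.gov.au" {
    type master;
    file "example.gov.au.zone";
    allow-transfer { 192.0.2.53; };   # the secondary only (documentation-range address)
};
"""

# A top-level block: `options {` or `zone "name" {` ... closed by `};` at line start.
BLOCK_RE = re.compile(r'^(\w+)(?:\s+"([^"]*)")?\s*\{\n(.*?)^\};', re.M | re.S)


def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def parse_statements(body):
    """Turn 'key value;' and 'key { a; b; };' lines into a dict (assumed one per line)."""
    stmts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip().rstrip(";").strip()
        if rest.startswith("{"):
            inner = rest.strip("{}")
            stmts[key] = [v.strip() for v in inner.split(";") if v.strip()]
        else:
            stmts[key] = rest
    return stmts


def parse_named_conf(text):
    """Return (options dict, {zone name: statements dict})."""
    options, zones = {}, {}
    for kind, name, body in BLOCK_RE.findall(strip_comments(text)):
        if kind == "options":
            options = parse_statements(body)
        elif kind == "zone":
            zones[name] = parse_statements(body)
    return options, zones


def audit_published_resolver(text):
    """Findings (code, where, message) for a server published as authoritative for the organisation."""
    options, zones = parse_named_conf(text)
    findings = []
    # BIND enables recursion unless told otherwise, so a missing statement is a finding too.
    if options.get("recursion", "yes") == "yes":
        findings.append(("recursion", "options",
                         "recursion is enabled; set 'recursion no' on a published authoritative server"))
    # A zone inherits allow-transfer from options; the default permits any host.
    global_acl = options.get("allow-transfer", ["any"])
    for zone, stmts in zones.items():
        acl = stmts.get("allow-transfer", global_acl)
        if "any" in acl:
            findings.append(("zone-transfer", zone,
                             "allow-transfer permits any host; restrict it to the secondaries"))
    # A fixed query-source port defeats source-port randomisation for outbound queries.
    qs = options.get("query-source", "")
    if re.search(r"\bport\s+\d+", qs):
        findings.append(("query-source-port", "options",
                         f"fixed source port in 'query-source {qs}'; use 'port *' or drop the clause"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_published_resolver(conf)
        print(f"{label}: {len(results)} finding(s)")
        for code, where, msg in results:
            print(f"  [{code}] {where}: {msg}")
```

Run against the weak sample it reports all three findings; against the hardened sample it reports none, because the zone-level allow-transfer overrides the global `none` for the one secondary that legitimately needs transfers.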
Randomise source ports and transaction identifiers
DNS Caching Resolvers are used by internal clients to resolve external domains. They should use random source ports and random transaction IDs to reduce the likelihood of an adversary successfully guessing and faking a response designed to poison the cache of a DNS Resolver.
Avoid using routers, firewalls and other gateway devices that perform Network Address Translation (NAT), or more specifically, Port Address Translation (PAT) on DNS traffic. PAT devices often rewrite source ports to track connection state, thus negating the effect of any randomisation implemented by DNS.
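The reasoning behind the two paragraphs above can be made concrete with a small model of the resolver-side check. The block below is an added example, not code from this guidance or from any resolver implementation; the query name is constructed and the port and transaction-ID ranges are assumptions (a 16-bit ID, and ephemeral source ports 1024 to 65535). It shows the matching rule a caching resolver applies to an incoming reply, how much identity a reply has to carry to pass that rule with and without a PAT gateway collapsing the source port, and a simple measurement a defender can alert on: the share of replies that match no outstanding query.

```python
import math
import random

QNAME = "www.example.com."             # constructed query name (assumption)
EPHEMERAL_PORTS = range(1024, 65536)   # 64512 possible random source ports (assumption)
TXID_SPACE = 65536                     # 16-bit DNS transaction identifier


def issue_query(rng, pat_port=None):
    """Return the (qname, src_port, txid) tuple a caching resolver records for an
    outstanding query. pat_port models a PAT gateway that rewrote the randomised
    source port to one predictable value on the way out."""
    port = pat_port if pat_port is not None else rng.choice(EPHEMERAL_PORTS)
    return (QNAME, port, rng.randrange(TXID_SPACE))


def match_response(outstanding, response):
    """Resolver-side check: a reply is accepted into the cache only if the question,
    the destination port and the transaction ID all match a query still outstanding."""
    return response in outstanding


def identity_bits(pat_port=None):
    """Bits of identity a reply must carry to match. With PAT collapsing the port,
    only the 16-bit transaction ID remains; with random ports it is close to 32 bits."""
    port_choices = 1 if pat_port is not None else len(EPHEMERAL_PORTS)
    return math.log2(port_choices * TXID_SPACE)


def unmatched_ratio(outstanding, replies):
    """Detection angle: the share of replies that match nothing outstanding. A sudden
    rise means the resolver is receiving replies it never asked for."""
    rejected = sum(1 for r in replies if not match_response(outstanding, r))
    return rejected / len(replies)


if __name__ == "__main__":
    rng = random.Random(1)
    q = issue_query(rng)
    # Constructed replies: one genuine, one with the wrong ID, one to the wrong port.
    replies = [q, (q[0], q[1], (q[2] + 1) % TXID_SPACE), (q[0], q[1] + 1, q[2])]
    print(f"random ports: {identity_bits():.2f} bits; behind PAT: {identity_bits(pat_port=53):.2f} bits")
    print(f"unmatched replies: {unmatched_ratio({q}, replies):.0%}")
```

The PAT case is the point of the second paragraph: the gateway has not weakened the transaction ID, but by making the port predictable it removes roughly half of the identity a reply must carry, which is why the guidance says PAT on DNS traffic negates the randomisation.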
Organisations should consider outsourcing DNS management. DNS can be inherently complex and requires considerable effort to maintain securely. Services are commercially available and can increase service availability and security of DNS Resolvers.