DNS security is essential for any organization. We need to protect it as much as we can so the company’s regular work is not affected in any way. Here is a list of DNS best practices that help you do that.
Expose only what is necessary. Not everything should be available to the public. You can keep private domain names for internal use, and you should limit access to them.
Make all internal DNS servers authoritative only. You don’t need to allow recursive queries on your internal DNS servers and waste their capacity on them.
Guarantee availability. A single authoritative nameserver is not enough; you need to think about redundancy. There are different ways to achieve it with multiple DNS servers. Think about where you need the DNS servers: the closer they are to the clients, the faster the DNS resolution will be. More is better here.
Hide the primary servers. The primary server (or servers) is where you keep the master DNS zone with all the DNS records. This server should be hidden so that nobody knows about it and tries to attack it. Only those who administer it should know about it and have access to it.
Have local DNS servers. Each office can have its own set of nameservers. That way, you won’t rely on a single DNS server at the company’s headquarters. Your organization can also use them for load balancing.
Protect the zone transfers. You don’t want man-in-the-middle attacks where a hacker updates the DNS records with forged information. Limit access to zone transfers and use TSIG (transaction signatures) to authenticate them.
Protect the integrity of the data. There is a security extension called DNSSEC (Domain Name System Security Extensions) that cryptographically signs DNS data. It builds a chain of trust that stops bad actors from changing the DNS data in transit by validating each step of the DNS resolution.
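The four practices above (authoritative-only internal servers, a hidden primary, TSIG-protected zone transfers and DNSSEC signing) map onto a handful of settings in a BIND 9 configuration. The fragment below is an added example written for this article, not configuration from the author or from any real deployment: the zone name, the IP addresses (from the documentation range 192.0.2.0/24) and the TSIG secret are placeholders. It shows the hidden primary first and a public secondary after it.

```conf
// ---- Hidden primary (not listed in the zone's NS records) ----
// TSIG key shared with the secondaries; generate a real one with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";   // placeholder, never commit a real secret
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // placeholder addresses

options {
    directory "/var/named";
    recursion no;               // authoritative only; "recursion yes" is the weak setting
    allow-query { any; };
    allow-transfer { none; };   // deny by default, enable per zone with TSIG below
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    // Only holders of the TSIG key may pull the zone, and only the
    // listed secondaries are notified of changes.
    allow-transfer { key "xfer-key"; };
    notify explicit;
    also-notify { 192.0.2.10 key "xfer-key"; 192.0.2.11 key "xfer-key"; };
    // Automated DNSSEC signing (BIND 9.16+): keys and RRSIGs are managed by named.
    dnssec-policy default;
    inline-signing yes;
};

// ---- Public secondary (this is what the NS records point at) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

server 192.0.2.1 { keys { "xfer-key"; }; };   // hidden primary's address, placeholder

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };   // secondaries never hand the zone out again
};

zone "example.com" {
    type secondary;
    file "example.com.saved";
    primaries { 192.0.2.1 key "xfer-key"; };   // signed AXFR/IXFR from the hidden primary
};
```

The hidden primary never appears in the zone's NS records or in the parent's delegation, so clients only ever query the secondaries, and the only traffic the primary should accept is keyed zone transfers from them. Run `named-checkconf` after editing and confirm with `dig @192.0.2.10 example.com AXFR` (without the key) that an unauthenticated transfer is refused.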
Include DDoS protection. Many DNS providers offer plans that include DDoS protection able to withstand heavy traffic attacks. Such a service includes a network of several DNS servers for load balancing and special DDoS-protected servers that can absorb the attack.
Monitor your DNS traffic. It is not enough to set up your DNS and forget about it. You need to monitor network performance constantly and spot emerging threats. You can manually ping the servers to see if they are online, but it is better to use more advanced software that gives you rich statistics on the situation.
Failover. Create failover triggers that activate automatically in case of an event. If one server goes down and stops responding, you get a notification and the traffic is redirected. When it comes back, it can automatically signal that it is functional again and resume its work.
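A ping only tells you the host is up, not that the nameserver answers correctly. The monitoring and failover items above are better served by a DNS-level probe: send a real query, parse the reply, check that the expected record comes back, and feed the result into a failover decision. The script below is an added example written for this article (not the author's tooling): it builds a DNS query with the standard library only, parses the response header and A records, flags an authoritative server that still advertises recursion (the RA flag), and picks the healthy servers for a failover pool. The hostname, addresses and the sample reply are constructed; the live `probe()` function is the one you would schedule against your own servers.

```python
"""Minimal DNS health check and failover selector (added example, stdlib only).
All names and addresses are placeholders from the documentation ranges."""
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query with RD=0, so we test the server itself, not its upstreams."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Pull the header flags and any A records out of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            info["answers"].append((name, "A", socket.inet_ntoa(rdata), ttl))
    return info


def evaluate(info: dict, txid: int, expected_ip: str):
    """Classify one reply as (healthy, finding)."""
    if not info["is_response"] or info["id"] != txid:
        return False, "no valid response"
    if info["rcode"] != 0:
        return False, f"rcode {info['rcode']}"
    ips = [ip for _, rtype, ip, _ in info["answers"] if rtype == "A"]
    if expected_ip not in ips:
        return False, f"unexpected answer {ips}"   # possible poisoning or stale zone
    if info["ra"]:                                  # drift from "recursion no"
        return True, "warning: recursion available on authoritative server"
    return True, "ok"


def probe(server_ip: str, name: str, expected_ip: str, timeout: float = 2.0):
    """Live check of one nameserver over UDP/53; returns (healthy, finding)."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server_ip, 53))
            data, _ = s.recvfrom(512)
        except OSError as exc:                      # timeout, unreachable, refused
            return False, f"no reply: {exc}"
    return evaluate(parse_response(data), txid, expected_ip)


def choose_active(results: dict) -> list:
    """Failover pool: the servers that passed; an empty list means alert on-call."""
    return [srv for srv, (healthy, _) in results.items() if healthy]


def build_sample_response(txid: int, name: str, ip: str, ra: bool = False) -> bytes:
    """Constructed reply, as an authoritative server would send it (offline testing)."""
    flags = 0x8400 | (0x0080 if ra else 0)          # QR=1, AA=1, optional RA
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration with a constructed reply for a placeholder record.
    raw = build_sample_response(0x2A2A, "www.example.com", "192.0.2.5")
    print(evaluate(parse_response(raw), 0x2A2A, "192.0.2.5"))
    print(choose_active({"ns1": (True, "ok"), "ns2": (False, "no reply")}))
```

In production you would run `probe()` for every nameserver on a schedule, write the findings to your monitoring system, and let `choose_active()` drive the failover trigger (update the pool, raise an alert when it shrinks, and add a server back automatically once its probes pass again). The "unexpected answer" finding is the one worth paging on: it is what a forged or stale zone looks like from the outside.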
Having a secure network is a heavy task, but it is a must in today’s dangerous interconnected environment. Use these DNS best practices and bullet-proof your DNS as much as you can. Don’t let a DNS error lead to downtime, loss of information, or phishing attacks.