As with all types of Internet servers, DNS servers are also targeted by hackers.
The implications can be quite serious, but the good news is that you can protect yourself better by running Simple DNS Plus compared to trusting your ISP's DNS servers.
There are several security issues with DNS, but Simple DNS Plus addresses them all:
DNS Spoofing
DNS Spoofing is the act of "injecting" false data into the cache of a DNS server causing it to serve this false data to its clients.
Hackers may do this simply to prevent someone from accessing the Internet (making a DNS server appear to malfunction), but intentions can be much more malicious and the effects far more serious.
For example by "injecting" false MX-records (Mail exchange), a hacker could actually re-route e-mails intended for a company's client or vendor to himself. If the hacker also forwards (relays) the e-mails to the correct destination, this might continue undetected for as long as the hacker cares.
Or with an "injected" A-record (for example www.bank.com = IP 1.2.3.4) and a cloned web-site for www.bank.com, a hacker could get your pin code, password, credit card number etc.
There are two methods a hacker can use to do this:
1) Sending additional false records in a standard DNS response.
You can prevent Simple DNS Plus from accepting these false records by enabling the "Prevent DNS spoofing" security option (See Options dialog / DNS Security section).
This is an option only because it can slow down resolving external domain names a bit.
2) Some DNS servers use consecutive request ID numbers, making it possible for a hacker to "guess" the next ID and then impersonate another server.
Simple DNS Plus uses random request ID numbers, so this is not an issue.
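The two defences above (discarding out-of-bailiwick additional records and using unpredictable request IDs) can be illustrated with a small resolver-side check. This is an added example written for this page, not code from Simple DNS Plus; the zone name, the record tuples and the "injected" www.bank.com record are constructed sample data. The "zone" is the zone the queried server is known (from the delegation) to be authoritative for, which is what decides whether an additional record is in bailiwick.

```python
import secrets

# Constructed sample: a response to "www.example.com A" from a server that is
# authoritative for the "example.com" zone. The second additional record is
# out of bailiwick and would poison the cache for www.bank.com if accepted.
SAMPLE_ZONE = "example.com"
SAMPLE_ADDITIONAL = [
    ("ns1.example.com", "A", "192.0.2.53"),   # legitimate glue record
    ("www.bank.com",    "A", "1.2.3.4"),      # injected: not under example.com
]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it (case-insensitive,
    trailing dots ignored)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_additional(zone: str, records):
    """Keep only additional records the answering server is entitled to
    speak for; everything else is silently dropped before caching."""
    return [r for r in records if in_bailiwick(r[0], zone)]


def new_transaction_id() -> int:
    """16-bit request ID drawn from the OS CSPRNG. A counter-based ID lets an
    off-path attacker predict the next value and forge a matching answer."""
    return secrets.randbits(16)


def accept_response(expected_id: int, response_id: int, zone: str, records):
    """Return the records that may be cached, or None if the response does
    not carry the ID of the outstanding request."""
    if response_id != expected_id:
        return None
    return filter_additional(zone, records)


if __name__ == "__main__":
    qid = new_transaction_id()
    print(accept_response(qid, qid, SAMPLE_ZONE, SAMPLE_ADDITIONAL))
    # prints only the ns1.example.com glue record
```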
Port Scanners
A hacker may use a software utility known as a "port scanner" to search for potential targets. This software sends dummy requests to a range of IP addresses on different service ports simply to register which addresses/ports respond.
Any addresses/ports that responded will then be probed further for possible vulnerabilities.
Simple DNS Plus has a special "stealth" option which makes it invisible to such port scanners, by not responding to a DNS request unless it is for data in local zones or originates from a client offered recursion.
See Options dialog / DNS Recursion section.
Many of these port scanners and other hacking utilities are known to send network packets originating from port zero.
A normal DNS client or server would never do this, so such a packet is a strong indication that a hacker is at work.
Simple DNS Plus can detect this and ignore such packets to avoid attracting further attention from the hacker.
See Options dialog / DNS Security section / "Ignore UDP packets originating from port zero".
Telnet connections
Hackers sometimes use a simple telnet client to connect to open server TCP ports, to see if they can get some type of response or perhaps crash the server by sending it junk data.
Simple DNS Plus can often detect such connections, close them down, and log the event.
Some Internet protocols (including HTTP, SMTP, and POP3) are transmitted in clear text and experienced users can communicate directly with such servers with a simple telnet client.
However the DNS protocol is transmitted in binary format and cannot be accessed like that.
See Options dialog / DNS Security section / "Detect and close Telnet connections".
Zone Transfers
Zone transfers are intended for use by secondary DNS servers to synchronize with their primary server.
But you can also request a zone transfer using a number of different tools (like the Look Up function in Simple DNS Plus), which will basically list all the records contained in a zone.
This is great for troubleshooting, but you may not want to expose all the data in your zones to strangers like this.
Hackers could use this to find out what other servers you are running - and with this information launch other types of attacks.
Zone transfers also require considerably more bandwidth and CPU cycles compared to regular DNS requests.
You can specify which IP addresses are allowed to request zone transfers for each zone in the Zone Properties dialog under the "Zone Transfers" tab, and in the Options dialog / Zone transfers section.
DNS Recursion
Internet users (other than your own users) may try to take advantage of your DNS server.
For example if someone feels that their ISP's DNS server is too slow - they might just use another one - like yours.
New Internet users quickly learn this "trick" through chat groups etc., and it actually happens quite often.
Many ISPs and companies "offer" this service free of charge without even realizing it. This of course consumes additional bandwidth and CPU cycles.
If you do not host any domain names, you could prevent this simply by blocking incoming DNS requests on your firewall, or configure Simple DNS Plus to only listen for DNS requests on a private IP address (see Options dialog / DNS requests section).
However, if you are hosting one or more domain names, you must allow other DNS servers access to your DNS servers.
The difference between Internet users and other DNS servers is "recursion".
Client applications (users) need the DNS server to perform recursion (fully resolve domain names into IP addresses), whereas other DNS servers perform the recursion themselves.
By specifying only the IP addresses of your own users in the Options dialog / DNS Recursion section, you can effectively block "foreign" users, and at the same time allow other DNS servers to send requests for the domain names you are hosting.
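The three access rules described in the Port Scanners, Zone Transfers and DNS Recursion sections (answer only for local zones or recursion clients, restrict zone transfers per zone to listed addresses, and grant recursion only to your own users) can be expressed as one decision function. This is an added example, not Simple DNS Plus code; the zone names, networks and client addresses are constructed, and the outcome labels ("answer", "recurse", "transfer", "refuse", "drop") are this example's own.

```python
import ipaddress

# Constructed configuration, standing in for the Options and Zone Properties dialogs.
LOCAL_ZONES = {"example.com", "example.net"}
RECURSION_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]        # your own users
AXFR_CLIENTS = {                                                     # per-zone transfer ACL
    "example.com": [ipaddress.ip_network("203.0.113.5/32")],         # the secondary server
    "example.net": [],                                               # nobody may transfer
}


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def zone_for(qname: str):
    """Longest local zone that contains qname, or None if we do not host it."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in LOCAL_ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def decide(qname: str, qtype: str, client_ip: str) -> str:
    """Return what the server should do with this query.

    answer   - authoritative data from a local zone, served to anyone
    transfer - AXFR of a local zone from a listed secondary
    refuse   - AXFR of a local zone from anyone else (logged, answered REFUSED)
    recurse  - foreign name, client is one of our own users
    drop     - foreign name from a stranger: stay silent ("stealth")
    """
    ip = ipaddress.ip_address(client_ip)
    zone = zone_for(qname)
    if qtype.upper() == "AXFR":
        if zone is None:
            return "drop"
        return "transfer" if _in_any(ip, AXFR_CLIENTS.get(zone, [])) else "refuse"
    if zone is not None:
        return "answer"
    if _in_any(ip, RECURSION_CLIENTS):
        return "recurse"
    return "drop"


if __name__ == "__main__":
    for q in [("www.example.com", "A", "198.51.100.7"),
              ("www.bank.com", "A", "198.51.100.7"),
              ("www.bank.com", "A", "192.168.1.20"),
              ("example.com", "AXFR", "203.0.113.5"),
              ("example.com", "AXFR", "198.51.100.7")]:
        print(q, "->", decide(*q))
```

A port scanner probing from an arbitrary address gets the "drop" outcome for anything outside your zones, so the server never reveals itself, while your own secondary still gets its zone transfers and your users still get recursion.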
Denial of service (DOS)
This is a very simple (yet effective) method of "hacking".
By sending your servers an extreme amount of requests and basically using up all your bandwidth or processing power, a hacker can effectively prevent users and customers from accessing your services.
Simple DNS Plus has an IP Address Blocking function, which can automatically detect such attacks (specifically directed against the DNS server), and ignore the traffic.
The traffic will still use some of your bandwidth, but Simple DNS Plus won't send replies (which would increase the problem) and won't use up the processing power of the machine it is running on.
Another variant of "DOS" is establishing a lot of TCP connections using up all the resources of the target system.
Simple DNS Plus has an option to limit the maximum number of simultaneous inbound TCP connections (Options dialog / DNS Security section).
DOS attacks are difficult to prevent completely, but if the hacker doesn't succeed in bringing down your systems, he might just look elsewhere.
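The two mitigations above (automatically ignoring a source that floods the server, and capping simultaneous inbound TCP connections) amount to a per-source request counter with a block timer plus a connection counter. The following is an added example written for this page, not the Simple DNS Plus IP Address Blocking implementation; the thresholds, time values and the addresses in the demo are constructed.

```python
import collections


class RequestLimiter:
    """Per-source sliding-window limiter with temporary blocking, and a cap on
    open inbound TCP connections. Timestamps are passed in explicitly so the
    logic is deterministic and testable."""

    def __init__(self, max_per_window=200, window=1.0, block_for=300.0, max_tcp=100):
        self.max_per_window = max_per_window
        self.window = window
        self.block_for = block_for
        self.max_tcp = max_tcp
        self.hits = collections.defaultdict(collections.deque)  # src -> recent timestamps
        self.blocked_until = {}                                  # src -> time block expires
        self.tcp_open = 0

    def allow_udp(self, src: str, now: float) -> bool:
        """True if a UDP request from src should be answered. A blocked source
        is ignored without a reply, so the attack is not amplified."""
        if self.blocked_until.get(src, 0.0) > now:
            return False
        recent = self.hits[src]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) > self.max_per_window:
            self.blocked_until[src] = now + self.block_for
            recent.clear()
            return False
        return True

    def tcp_accept(self) -> bool:
        """Accept a new inbound TCP connection only below the configured cap."""
        if self.tcp_open >= self.max_tcp:
            return False
        self.tcp_open += 1
        return True

    def tcp_close(self) -> None:
        self.tcp_open = max(0, self.tcp_open - 1)


def simulate_flood(limiter: RequestLimiter, flooder: str, normal: str, requests: int):
    """Send `requests` queries from the flooder within one window, one query from a
    normal client at the end, and report how many of each were answered."""
    answered_flood = sum(limiter.allow_udp(flooder, i * 0.001) for i in range(requests))
    answered_normal = int(limiter.allow_udp(normal, 0.5))
    return answered_flood, answered_normal


if __name__ == "__main__":
    lim = RequestLimiter(max_per_window=200, window=1.0, block_for=300.0)
    print(simulate_flood(lim, "198.51.100.9", "192.168.1.20", 5000))
    # prints (200, 1): the flooder is cut off after its 200th query, the normal
    # client is still served
```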
BIND version requests
Since many Internet DNS servers are running BIND (a Unix DNS server), hackers often initiate an attack by sending a special request for the BIND software version number.
They can then compare the response with a list of known vulnerabilities for that particular BIND version and launch the actual attack.
Simple DNS Plus can be configured to respond to these BIND version requests with a text string of your choice (for example: "Sorry - no BIND vulnerabilities here!") by enabling the "Respond to BIND version requests" option in the Options dialog / DNS security section.
A warning is always logged for BIND version requests.
On Windows NT/2000/XP/2003, you can test by entering the following at a command prompt:
NSLOOKUP -class=CHAOS -type=TXT version.bind <dns-server-ip-address>
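What the server does with such a request is recognize a TXT query in class CHAOS for the name version.bind, log a warning, and answer with the configured text instead of a real version. The following added example (written for this page, not Simple DNS Plus code) parses the question section of a DNS message on the wire, detects the version request, and builds the TXT reply; build_query only exists so the example can construct its own test packet offline, and the banner string is taken from the text above.

```python
import struct

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:          # compression pointers never appear in a question name
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_question(packet: bytes):
    """Return (id, qname, qtype, qclass, raw_question) for a one-question message."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the DNS header")
    msg_id, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return msg_id, qname, qtype, qclass, packet[12:off + 4]


def is_version_request(qname: str, qtype: int, qclass: int) -> bool:
    return qclass == CLASS_CH and qtype == TYPE_TXT and qname.lower() == "version.bind"


def handle_query(packet: bytes, banner: str):
    """Return (log_line, response_bytes) for a version.bind request, or
    (None, None) for anything else so normal processing can continue."""
    msg_id, qname, qtype, qclass, question = parse_question(packet)
    if not is_version_request(qname, qtype, qclass):
        return None, None
    log_line = f"WARNING: BIND version request ({qname} CH TXT)"
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, 1 answer
    txt = banner.encode("ascii")
    rdata = bytes([len(txt)]) + txt                              # one <character-string>
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return log_line, header + question + answer


def build_query(msg_id: int, qname: str, qtype: int, qclass: int) -> bytes:
    """Constructed test packet, equivalent to the NSLOOKUP command above."""
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, qclass))


def banner_from_response(resp: bytes) -> str:
    """Read the TXT string back out of a response produced by handle_query."""
    _, _, _, _, question = parse_question(resp)
    off = 12 + len(question) + 2              # skip header, question, name pointer
    txt_len = resp[off + 10]                  # type(2) class(2) ttl(4) rdlength(2)
    return resp[off + 11:off + 11 + txt_len].decode("ascii")


if __name__ == "__main__":
    q = build_query(0x1234, "version.bind", TYPE_TXT, CLASS_CH)
    log, resp = handle_query(q, "Sorry - no BIND vulnerabilities here!")
    print(log)
    print(banner_from_response(resp))
```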
DNS Forwarding
When you enable forwarding, you basically inherit any security issues of the DNS servers you are forwarding to.
So make sure those DNS servers are also configured securely - or don't forward to them.
Dynamic DNS updates / IP spoofing
If your Simple DNS Plus server is accessible from the Internet, and you enable standard dynamic updates for any zone (in the zone properties dialog) make sure to specify that only local IP addresses are allowed to send update requests, and that your router or firewall filters out any spoofed IP packets coming from the Internet claiming to be from those IP addresses.
Most routers by default filter out any inbound IP packets claiming to be from the standard private IP address ranges (192.168.x.x / 172.16.x.x / 10.x.x.x).
If this is not filtered by the router, a hacker may be able to impersonate a trusted local computer by spoofing the origin IP address of the DNS packets, giving him access to change your DNS records.
If you want to receive dynamic updates across the Internet, make sure to use TSIG authenticated updates only (DNS Records Windows -> Tools menu -> TSIG dynamic updates).
Failover
Unlike most other Internet server types/protocols, DNS actually has failover functionality built into the protocol itself.
If you have 2 or more DNS servers hosting the same domain name and one of those DNS servers is down, other DNS servers will automatically try all of your DNS servers in turn until they get a response. The only requirement for this to work is that all your DNS servers are listed in the domain registration for each domain name.
It is easy to run one or more secondary DNS servers with Simple DNS Plus using the Master/Slave functionality - see Options dialog / DNS - Master/Slave section.
To failover protect other services (such as your web-site), you can use Simple Failover - see http://www.simplefailover.com