How to secure your server

Simple DNS Plus v. 5.0
Copyright © 1999-2008 JH Software ApS

As with all types of Internet servers, DNS servers are also targeted by hackers.

The implications can be quite serious, but the good news is that you can protect yourself better by running Simple DNS Plus than by trusting your ISP's DNS servers.

 

There are several security issues with DNS. Simple DNS Plus has features that address each of the following:

 

DNS Spoofing (a.k.a. Cache Poisoning)

 

DNS spoofing is the act of injecting false data into the cache of a DNS server, causing it to serve this false data to its clients.
This is done by tricking a DNS server into accepting a false DNS response and caching the false DNS record it contains.

 

Hackers may try to do this simply to prevent someone from accessing the Internet (making a DNS server appear to malfunction), but intentions can be much more malicious and the effects far more serious. For example, by injecting false MX-records, a hacker could re-route e-mails intended for a company's client or vendor to himself. If the hacker also forwards the e-mails on to the correct destination, this can continue undetected for as long as the hacker cares. Or with an injected A-record (for example, www.bank.com = IP 1.2.3.4) and a cloned web-site for www.bank.com, a hacker could capture your PIN code, password, credit card number etc. (a good reason to check that such web-sites present a valid SSL certificate issued for the site's name - spoofing the IP address does not give the hacker the real site's private key).

 

Simple DNS Plus has several automatic features to prevent DNS spoofing:

 

1) It only accepts DNS responses matching DNS requests that it itself sent (same request ID, query name, and query type) and to which it has not yet received a response.
This makes it impossible to make Simple DNS Plus cache a response for something it did not request, and a second (late or forged) response for a query that has already been answered is discarded.

 

2) It automatically filters out any DNS records in received DNS responses for which the sending DNS server is not authoritative (records whose owner name is outside the zone that server was queried for - so-called out-of-bailiwick records).

This protects against simple DNS spoofing where the false DNS records are included in otherwise normal DNS responses, for example a forged www.bank.com A-record slipped into the additional section of an answer about an unrelated domain.

 

3) It uses random request IDs.

This prevents an attacker from predicting the next request ID and using it to impersonate another DNS server. Note that a request ID is only 16 bits, so randomness alone would not stop an attacker who floods guesses; it works together with the checks above and with the duplicate-request queueing below.

 

4) It queues duplicate requests (same query name and query type) so that a request is not processed before the previous identical request has been fully resolved.

Besides making the software more efficient, this also prevents so-called birthday attacks.
In such an attack, the hacker sends many identical recursive requests very quickly so that the server has many outbound requests (each with its own request ID) outstanding for the same name at once, and then floods forged responses; the more outstanding IDs there are, the better the odds that one forged ID matches.
With Simple DNS Plus that strategy does not improve the hacker's chances, because only the first request causes an outbound query. When the second and following requests are de-queued and processed, they are served from the cache and cause no further outbound requests.

 

Additionally we recommend that you:

 

1) Enable "Only accept DNS responses from the IP address that request was sent to" in the Options dialog / DNS / Miscellaneous section (this is enabled by default).

This makes it harder for hackers to impersonate other DNS servers, since a forged response must then also carry the source IP address of the server that was actually queried.

 

2) Limit DNS recursion to your own IP range(s). See Options dialog / DNS / Recursion section.

This makes it much harder for anyone on the outside to provoke Simple DNS Plus into doing a recursive DNS lookup at a predictable time (the moment a forged response would have to arrive) and use this to impersonate other DNS servers.
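The following Python example is added here for illustration; it is not Simple DNS Plus code, and the class, names and IP addresses in it are made up. It models the outbound side of a resolver with the checks from both lists above: a response must match an outstanding query by ID, name and type and come from the server that was asked; records outside the queried server's zone are dropped; request IDs are random; and duplicate requests wait for the first one instead of generating further outbound queries, so a burst of identical requests leaves only one ID for an attacker to guess.

```python
import secrets
from collections import defaultdict


def in_bailiwick(owner, zone):
    """True if owner is at or below zone (assumption: names carry no trailing dot)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


class Resolver:
    """Outbound side of a caching resolver with the spoofing defences described above.
    Wire format is left out: queries and responses are plain Python values."""

    def __init__(self, rand=secrets.randbelow):
        self.rand = rand                  # random 16-bit ID source (feature 3)
        self.pending = {}                 # request ID -> (qname, qtype, server_ip, zone)
        self.inflight = {}                # (qname, qtype) -> request ID currently out
        self.waiting = defaultdict(int)   # (qname, qtype) -> queued duplicates (feature 4)
        self.cache = {}                   # (name, type) -> rdata

    def lookup(self, qname, qtype, server_ip, zone):
        """Return the request ID of the query sent out, or None if the request was
        served from cache or queued behind an identical query already in flight."""
        key = (qname.lower(), qtype)
        if key in self.cache:
            return None
        if key in self.inflight:          # feature 4: no second outbound query
            self.waiting[key] += 1
            return None
        qid = self.rand(65536)            # feature 3: unpredictable request ID
        while qid in self.pending:
            qid = self.rand(65536)
        self.pending[qid] = (key[0], qtype, server_ip, zone.lower())
        self.inflight[key] = qid
        return qid

    def receive(self, src_ip, qid, qname, qtype, records):
        """Validate one inbound response. records is a list of (owner, type, rdata).
        Returns (status, records_that_were_cached)."""
        entry = self.pending.get(qid)
        key = (qname.lower(), qtype)
        # feature 1: same ID, name and type as an outstanding, unanswered query
        if entry is None or entry[0] != key[0] or entry[1] != qtype:
            return "no-matching-query", []
        _, _, expected_ip, zone = entry
        # recommendation 1: only accept the response from the server we asked
        if src_ip != expected_ip:
            return "wrong-source-ip", []
        del self.pending[qid]             # any later response for this ID is rejected
        del self.inflight[key]
        # feature 2: keep only records the answering server is authoritative for
        cached = []
        for owner, rtype, rdata in records:
            if in_bailiwick(owner, zone):
                self.cache[(owner.lower(), rtype)] = rdata
                cached.append((owner, rtype, rdata))
        # queued duplicates are now answered from cache without any outbound query
        self.waiting.pop(key, None)
        return "ok", cached


if __name__ == "__main__":
    r = Resolver()
    qid = r.lookup("www.example.com", "A", "192.0.2.53", "example.com")
    for _ in range(200):                  # a "birthday attack" burst of identical requests
        r.lookup("www.example.com", "A", "192.0.2.53", "example.com")
    print("outstanding IDs an attacker can collide with:", len(r.pending))   # 1
    print(r.receive("192.0.2.53", qid, "www.example.com", "A",
                    [("www.example.com", "A", "192.0.2.10"),
                     ("www.bank.example", "A", "203.0.113.5")]))  # second record is dropped
```

Only the first of the 201 identical lookups produces an outbound query, so the forged-response search space stays at one ID; a real resolver would additionally randomize the source port, which this model does not show.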

 

 

DNS Recursion

 

Internet users (other than your own users) may try to take advantage of your DNS server.

For example, if someone feels that their ISP's DNS server is too slow, they might just use another one - like yours.

This actually happens more frequently than most people would think.

Many ISPs and companies "offer" this service free of charge without even realizing it. This of course consumes additional bandwidth and CPU cycles.

 

If you do not host any domain names, you could prevent this simply by blocking incoming DNS requests on your firewall, or configure Simple DNS Plus to only listen for DNS requests on a private IP address. See Options dialog / DNS / Inbound Requests section.

 

However, if you are hosting one or more domain names (primary or secondary), you must allow other DNS servers access to your DNS servers.

 

The difference between Internet users and other DNS servers is recursion.

Client applications (users) need the DNS server to perform recursion (fully resolve domain names into IP addresses), whereas other DNS servers perform the recursion themselves.

 

By specifying only the IP addresses of your own users in the Options dialog / DNS / Recursion section, you can effectively block "foreign" users, and at the same time allow other DNS servers to request data for the domain names that you are hosting.

 

 

DNS port scanning

 

A hacker may use a utility program to search for potential DNS server targets. This software sends dummy DNS requests to a range of IP addresses simply to register which IP addresses respond. Any IP address that responds will then be probed further for possible vulnerabilities.

 

Simple DNS Plus has a special "stealth" option which makes it invisible to such scanners, by not responding to a DNS request unless it is for data in local zones (primary or secondary) or originates from an IP address that is offered recursion.

See Options dialog / DNS / Lame Requests section.

 

 

Zone Transfers

 

Zone transfers are intended for use by secondary DNS servers to synchronize with their primary server.

But you can also request a zone transfer using a number of different tools (like the Look Up function in Simple DNS Plus), which will list all the records contained in a zone.

This is great for troubleshooting, but you may not want to expose all the data in your zones to strangers like this.

Hackers could use this to find out what other servers you are running - and with this information launch other types of attacks.

Zone transfers also require considerably more bandwidth and CPU cycles compared to regular DNS requests.

You can specify which IP addresses are allowed to request zone transfers for each zone in the Zone Properties dialog under the "Zone Transfers" tab, and in the Options dialog / DNS / Zone transfers section.
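The following Python example is added here for illustration and is not Simple DNS Plus code; the zone names, address ranges and result labels are made up. It puts the three policies from the DNS Recursion, DNS port scanning and Zone Transfers sections into one decision function: requests for hosted zones are answered for anyone, recursion is only performed for listed address ranges, zone transfers are only served to the addresses listed for that zone, and a "lame" request (foreign client, foreign name) is silently dropped when the stealth option is on.

```python
import ipaddress


class RequestPolicy:
    """Decides what to do with an inbound DNS request, following the rules above."""

    def __init__(self, local_zones, recursion_from, transfers_from, stealth=True):
        self.local_zones = [z.lower().rstrip(".") for z in local_zones]
        self.recursion_nets = [ipaddress.ip_network(net) for net in recursion_from]
        # zone -> set of addresses allowed to request a transfer of that zone
        self.transfer_acl = {z.lower().rstrip("."): {ipaddress.ip_address(a) for a in addrs}
                             for z, addrs in transfers_from.items()}
        self.stealth = stealth   # "Lame Requests" option: drop instead of answering

    def local_zone_for(self, qname):
        """Longest hosted zone that contains qname, or None if we do not host it."""
        name = qname.lower().rstrip(".")
        matches = [z for z in self.local_zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def recursion_offered(self, client):
        return any(client in net for net in self.recursion_nets)

    def decide(self, client_ip, qname, qtype, recursion_desired=True):
        client = ipaddress.ip_address(client_ip)
        zone = self.local_zone_for(qname)
        if qtype == "AXFR":
            # zone transfers: only for zones we host, only to listed addresses
            if zone is not None and client in self.transfer_acl.get(zone, set()):
                return "transfer"
            return "refused"
        if zone is not None:
            return "authoritative"          # other DNS servers may ask about our zones
        if self.recursion_offered(client):  # our own users: resolve on their behalf
            return "recurse" if recursion_desired else "cache-only"
        # lame request: foreign client asking for a name we do not host
        return "drop" if self.stealth else "refused"


if __name__ == "__main__":
    policy = RequestPolicy(
        local_zones=["example.com", "sub.example.com"],
        recursion_from=["192.0.2.0/24", "2001:db8::/32"],
        transfers_from={"example.com": ["198.51.100.2"]},
    )
    for client, name, qtype in [("203.0.113.9", "www.example.com", "A"),
                                ("203.0.113.9", "www.elsewhere.test", "A"),
                                ("192.0.2.10", "www.elsewhere.test", "A"),
                                ("203.0.113.9", "example.com", "AXFR"),
                                ("198.51.100.2", "example.com", "AXFR")]:
        print(client, name, qtype, "->", policy.decide(client, name, qtype))
```

A scanner sending dummy queries from outside the recursion ranges gets "drop" for any name that is not in a hosted zone, which is what makes the server invisible to it; a secondary server that is not on the transfer list for a zone gets REFUSED rather than the zone contents.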

 

 

Denial of service (DoS)

 

This is a very simple (yet effective) type of attack - typically done via "drone computers" / "bot networks".

 

By sending your server(s) an extreme number of requests which use up all your bandwidth and/or processing power, a hacker can effectively prevent valid users and customers from accessing your services.

Simple DNS Plus has an IP Address Blocking function, which can automatically detect such attacks (specifically directed against the DNS server), and ignore subsequent traffic from the hacker's IP address.

The traffic will still use some of your bandwidth, but Simple DNS Plus won't send replies (which would add to the problem, since DNS replies are typically larger than the requests that trigger them) and won't use up the processing power of the machine it is running on.
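The following Python example is added here to show the idea behind such an IP address blocking function; it is not Simple DNS Plus code, and the thresholds, addresses and the sample traffic are made up. A source that sends more than a set number of requests within a short window is ignored for a cooling-off period: no reply is sent and no further work is done for it, while other clients continue to be served.

```python
from collections import defaultdict, deque


class IpBlocker:
    """Per-source request rate limiter: more than max_requests within window_seconds
    from one address blocks that address for block_seconds (illustrative thresholds)."""

    def __init__(self, max_requests=100, window_seconds=1.0, block_seconds=60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block_for = block_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps of requests in the window
        self.blocked_until = {}            # ip -> time the block expires

    def allow(self, ip, now):
        """Return True if the request from ip at time now should be processed."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False               # still blocked: no reply, no work done
            del self.blocked_until[ip]
        stamps = self.recent[ip]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()               # forget requests older than the window
        stamps.append(now)
        if len(stamps) > self.max_requests:
            self.blocked_until[ip] = now + self.block_for
            stamps.clear()
            return False
        return True


def replay(blocker, events):
    """Run (time, ip) request events through blocker; return ip -> (answered, ignored)."""
    counts = defaultdict(lambda: [0, 0])
    for t, ip in events:
        counts[ip][0 if blocker.allow(ip, t) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample traffic: a bot floods 300 requests within one second while a
# legitimate client sends 5, then both send again later.
SAMPLE = sorted(
    [(i / 300, "203.0.113.7") for i in range(300)]
    + [(i * 0.2, "192.0.2.10") for i in range(5)]
    + [(30.0, "203.0.113.7"), (61.5, "203.0.113.7"), (61.6, "192.0.2.10")]
)

if __name__ == "__main__":
    for ip, (answered, ignored) in replay(IpBlocker(), SAMPLE).items():
        print(ip, "answered:", answered, "ignored:", ignored)
```

With the defaults the bot is answered for its first 100 requests, ignored for the remaining 200 and for its attempt at 30 seconds, and served again once the block has expired; the legitimate client is never affected. Source addresses in a UDP flood can be spoofed, so a blocker like this helps against a bot network's real addresses but cannot stop an attacker who randomizes the source address of every packet.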

 

Another variant of "DoS" is establishing a lot of TCP connections, using up all the resources of the target system.

Simple DNS Plus has an option to limit the maximum number of simultaneous inbound TCP connections (Options dialog / DNS / Inbound Requests section).

The hacker will still be able to use up all these TCP connections and prevent anyone else from making TCP connections to Simple DNS Plus, but at least he won't exhaust system resources and crash Simple DNS Plus and other programs.

 

DoS attacks are difficult to prevent completely, but if the hacker doesn't succeed in bringing down your systems, he will probably move on to another victim.

 

 

BIND version requests

 

Since many Internet DNS servers run BIND (the DNS server software that originated on Unix), hackers often initiate an attack by sending a special request for the BIND software version number (a TXT query for the name "version.bind" in the CHAOS class).

They can then compare the response with a list of known vulnerabilities for that particular BIND version and launch the actual attack.

Simple DNS Plus can be configured to respond to these BIND version requests with a text string of your choice (for example: "Sorry - no BIND vulnerabilities here!") by enabling the "Respond to BIND version requests" option in the Options dialog / DNS / Miscellaneous section.

A warning is always logged (Active Log View and log files) for BIND version requests.

You can test this using the "BIND version" lookup type in the DNS Look Up tool included with Simple DNS Plus.
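The following Python example is added here to show what such a request looks like on the wire and how a server can recognise it; it is not Simple DNS Plus code, and the function names, the request ID and the log message format are made up. It builds the version.bind CH TXT query a scanner sends, detects it when parsing an inbound packet, logs a warning for every such request, and (only when a reply text is configured) answers with a CH TXT record carrying that text instead of a real version number.

```python
import struct

TYPE_A, TYPE_TXT = 1, 16
CLASS_IN, CLASS_CH = 1, 3


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype, qclass, qid=0x1234, flags=0x0000):
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)   # one question, nothing else
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_query(packet):
    """Header plus the single question section of a query (or of a reply to one)."""
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {"id": qid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question_end": offset + 4}


def is_bind_version_query(q):
    """The fingerprinting request: TXT for version.bind in the CHAOS class."""
    return (q["qname"].lower() == "version.bind"
            and q["qclass"] == CLASS_CH and q["qtype"] == TYPE_TXT)


def build_txt_reply(packet, text):
    """Answer the query in packet with one CH TXT record holding text (same ID, AA set)."""
    q = parse_query(packet)
    txt = text.encode("ascii")
    if len(txt) > 255:
        raise ValueError("a TXT character-string is at most 255 bytes")
    rd = q["flags"] & 0x0100                                   # echo the RD bit
    header = struct.pack("!HHHHHH", q["id"], 0x8400 | rd, 1, 1, 0, 0)  # QR=1, AA=1
    rdata = bytes([len(txt)]) + txt
    # owner name is a compression pointer (0xC00C) back to the question name
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + packet[12:q["question_end"]] + answer


def handle(packet, configured_text, log):
    """Return a reply for a BIND version request, or None if the option is off or the
    query is something else. A warning is logged for every version request."""
    q = parse_query(packet)
    if not is_bind_version_query(q):
        return None
    log.append("WARNING: BIND version request (id %#06x)" % q["id"])
    return None if configured_text is None else build_txt_reply(packet, configured_text)


def txt_from_reply(reply):
    """Pull the text out of the first answer of a reply built above (for checking)."""
    q = parse_query(reply)
    off = q["question_end"]
    if reply[off:off + 2] != b"\xC0\x0C":
        raise ValueError("answer name is not a pointer to the question")
    rdlength = struct.unpack("!H", reply[off + 10:off + 12])[0]
    rdata = reply[off + 12:off + 12 + rdlength]
    return rdata[1:1 + rdata[0]].decode("ascii")


if __name__ == "__main__":
    log = []
    probe = build_query("version.bind", TYPE_TXT, CLASS_CH, qid=0xBEEF)
    reply = handle(probe, "Sorry - no BIND vulnerabilities here!", log)
    print(log[0], "->", txt_from_reply(reply))
```

Fingerprinting by version string is only a first step for the attacker, and a fake string only removes the easy hint; it does not change which vulnerabilities the server actually has, so the warning in the log is the more useful part, as an early sign that someone is probing the server.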

 

 

DNS Forwarding

 

When you enable forwarding, you basically inherit any security issues of the DNS servers you are forwarding to.

So make sure those DNS servers are also configured securely - or don't forward to them.

 

Many new users think they need to configure Simple DNS Plus to forward DNS requests to their ISP's DNS servers in order to resolve DNS.
This is a complete misconception - Simple DNS Plus is perfectly capable of resolving DNS all by itself.

Forwarding to your ISP just adds another step to the process, which makes resolving take more time, and has the potential of being less secure.

 

 

Dynamic DNS updates / IP spoofing

 

If your Simple DNS Plus server is accessible from the Internet, and you enable standard dynamic updates for a zone (in the zone properties dialog) make sure to specify that only local IP addresses are allowed to send update requests, and that your router or firewall filters out any spoofed IP packets coming from the Internet claiming to be from those IP addresses.

Many routers by default filter out inbound IP packets from the Internet claiming to be from the standard private IP address ranges (192.168.x.x / 172.16.x.x / 10.x.x.x) - check that yours does.

If this is not filtered by the router, a hacker may be able to impersonate a trusted local computer by spoofing the source IP address of the DNS packets (an update is a single UDP packet, so there is no connection handshake that would expose the false address), potentially giving him access to change your DNS records.

If you want to receive dynamic updates across the Internet, make sure to use TSIG authenticated updates only - see Options dialog / DNS / TSIG Dynamic Updates section.
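The following Python example is added here to show why a TSIG-authenticated update cannot be forged by spoofing a source address; it is not Simple DNS Plus code, and the key name, secret and update message bytes are constructed placeholders. It computes and checks the TSIG MAC the way RFC 2845 lays it out (the DNS message without its TSIG record, followed by the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data), so a sender must know the shared secret, any change to the message breaks the MAC, and a captured update replayed outside the fudge window is rejected. Assembling the UPDATE packet itself and appending the TSIG record to its additional section is not shown.

```python
import hashlib
import hmac
import struct

# Algorithm names as they appear in a TSIG record (RFC 2845 / RFC 4635)
ALGORITHMS = {"hmac-md5.sig-alg.reg.int": hashlib.md5, "hmac-sha256": hashlib.sha256}


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC, in RFC 2845 section 3.4.2 order:
    NAME, CLASS (ANY=255), TTL (0), Algorithm Name, Time Signed (48 bits),
    Fudge, Error, Other Len, Other Data."""
    return (encode_name(key_name.lower())
            + struct.pack("!HI", 255, 0)
            + encode_name(algorithm.lower())
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(secret, key_name, algorithm, message, time_signed, fudge=300):
    """MAC over the (TSIG-less) DNS message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    mac = hmac.new(secret, data, ALGORITHMS[algorithm]).digest()
    return {"key_name": key_name, "algorithm": algorithm,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(keys, message, tsig, now):
    """Check a received update against the shared keys; returns the TSIG error name.
    keys maps lower-case key name -> secret bytes. The source IP plays no part."""
    secret = keys.get(tsig["key_name"].lower())
    digestmod = ALGORITHMS.get(tsig["algorithm"].lower())
    if secret is None or digestmod is None:
        return "BADKEY"
    data = message + tsig_variables(tsig["key_name"], tsig["algorithm"],
                                    tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(secret, data, digestmod).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"            # tampered message or variables, or wrong secret
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"           # replay outside the fudge window is rejected
    return "NOERROR"


# Constructed placeholders (not a real key): a shared secret and the bytes that stand in
# for the wire-format UPDATE message (header with opcode UPDATE, zone and update sections).
SECRET = b"constructed-shared-secret-not-a-real-key"
KEYS = {"update-key.example.": SECRET}
UPDATE_MESSAGE = bytes.fromhex("2a1b28000001000000010000") + b"constructed update body"

if __name__ == "__main__":
    t = 1_200_000_000
    tsig = sign(SECRET, "update-key.example.", "hmac-md5.sig-alg.reg.int", UPDATE_MESSAGE, t)
    print("genuine:", verify(KEYS, UPDATE_MESSAGE, tsig, t + 10))
    print("tampered:", verify(KEYS, UPDATE_MESSAGE + b"!", tsig, t + 10))
    print("replayed later:", verify(KEYS, UPDATE_MESSAGE, tsig, t + 3600))
```

Because the MAC covers the whole message and is keyed with a secret the hacker does not have, forging the source IP address gains nothing; the time-signed field means the server's clock must be reasonably in sync with the sender's (the fudge is the allowed difference in seconds).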

 

 

Failover

 

Unlike most other Internet server types/protocols, DNS actually has failover functionality built into the protocol itself.

If you have 2 or more DNS servers hosting the same domain name and one of those DNS servers is down, other DNS servers will automatically try all of your DNS servers in turn until they get a response. The only requirement for this to work is that all your DNS servers are listed in the domain registration for each domain name (and in the zone's own NS records).

It is easy to run one or more secondary DNS servers with Simple DNS Plus using the Super Master/Slave functionality - see Options dialog / DNS / Super Master/Slave section.

To provide failover protection for other services (such as your web-site), you can use a tool like Simple Failover - see http://www.simplefailover.com