
Technical Threat Mitigation

Technical risks require preventative measures for the network, host, and local environment:

Harden Servers: Restricting the number of remotely accessible processes limits the number of potential attack vectors. Hardened servers have a lower threat profile from technical attacks.
Firewall: Placing a hardware firewall in front of a DNS server limits the number of remote attack vectors.

Reconnaissance Threat Mitigation

The threat from an attacker performing reconnaissance can be limited by restricting the information the DNS server provides. Although DNS cannot be completely disabled, the type and amount of information available can be restricted:

Limit Zone Transfers: Zone transfers should be restricted to authenticated hosts only. Although this does not prevent brute-force host lookups, it does hinder reconnaissance.

Set Request Limits: Limit the number of DNS requests that can be performed by any single network address. Although not preventing brute-force domain listings, this does introduce an obstacle.

Remove Reverse Lookups: If reverse lookups are not essential, then remove them. This limits the impact from brute-force domain listings.

Separate Internal and External Domains: DNS servers should be separated, ensuring that LAN information remains in the LAN. In particular, internal-only hostnames should not be externally viewable.

Remove Excess Information: TXT, CNAME, and HINFO information that is not directly applicable to external users should be removed. If an external visitor does not need to see the HINFO data for a host, then the data should not be accessible.

Hide Version: For DNS servers that permit local login or remote status reports, the DNS server software version may be disclosed. Because specific versions correspond to specific known exploits, the version string should be modified to report false information, or removed altogether.
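As an added example (not part of the original text), the following BIND 9 named.conf fragments show the default settings that aid reconnaissance beside a hardened configuration applying the mitigations above; the zone name, LAN range, file names and key name are assumptions, and the TSIG secret is a placeholder.

```conf
// Added example (not from the original text): BIND 9 named.conf fragments.
// Assumptions: zone example.com, LAN 10.0.0.0/8, key name xfer-key;
// the TSIG secret is a placeholder, not a real key.

// --- Fragment A (weak): BIND defaults that aid reconnaissance ---
options {
    // No allow-transfer: any host may pull the whole zone with AXFR.
    // No rate-limit: unlimited brute-force lookups from one client.
    // Version is reported by default (CHAOS TXT query for version.bind).
};
zone "example.com" { type master; file "example.com.zone"; };

// --- Fragment B (hardened): the mitigations from this section ---
key "xfer-key" {                         // Limit Zone Transfers: TSIG auth
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";  // generate with tsig-keygen
};
options {
    version "none";                      // Hide Version
    allow-transfer { none; };            // no transfers unless a zone allows
    rate-limit {                         // Set Request Limits (per /24)
        responses-per-second 10;
        errors-per-second 5;
    };
    recursion no;                        // Harden Servers: authoritative only
};
// Separate Internal and External Domains: split-horizon views.
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "example.com" {
        type master;
        file "example.com.internal.zone"; // LAN hosts, HINFO, internal TXT
        allow-transfer { key xfer-key; };
    };
    zone "10.in-addr.arpa" {             // Remove Reverse Lookups externally
        type master;
        file "10.rev.zone";
    };
};
view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "example.com.external.zone"; // Remove Excess Information:
                                          // public hosts only, no HINFO
        allow-transfer { key xfer-key; }; // secondary must present the key
    };
};
```

Once views are used, every zone must be declared inside a view; the external zone file is the place to audit for TXT, CNAME and HINFO records that outsiders do not need.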