Mitigation Options
DNS was designed to manage meta-information for network addresses. It was built for speed, flexibility, and scalability, not for security: it offers no authentication mechanism and assumes all queries are trustworthy. As a result, there are few options for mitigating DNS risks. The main approaches to securing DNS rely on server-specific configuration, explicitly defined trust, and alternate resolution methods.
Most DNS mitigation options rely on security-by-obscurity and patching. Basic preventative measures fall into four categories: direct, technical, reconnaissance, and social threat mitigation.
Direct Threat Mitigation
Basic maintenance and network segmentation can limit the impact from direct threats:
- Patch: Exploits and enhancements for DNS servers are released regularly. DNS servers and their host platforms should be regularly patched and maintained.
- Separate Internal and External Domains: Internal and external domains should be served by separate DNS servers. Large networks should also consider dividing servers between internal network segments. This limits the impact of any single corrupted server and divides the DNS workload.
- Restricted Zone Transfers: Zone transfers can be restricted to specific hosts, identified by network (IP) address or hardware (MAC) address. This approach is vulnerable to MAC and IP impersonation attacks, but it does protect against arbitrary hosts requesting zone transfers.
- Authenticated Zone Transfers: Using digitally signed and authenticated zone transfers can reduce the risk from zone transfer interception and poisoning.
- Limit Cache Durations: Capping cache durations below the TTL values specified in DNS replies shortens the window during which a poisoned entry stays in the cache.
- Reject Mismatched Replies: If a caching DNS server receives multiple replies with different values, the entire cache should be flushed. Although this negatively impacts cache performance, it eliminates the risk from long-term cache poisoning.
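The last two measures are easy to get wrong in practice, so here is an added example (not code from the tutorial) of a toy resolver cache that caps every cached TTL at a site-chosen maximum and flushes the whole cache when two replies disagree about the same name. The replies are constructed values passed in directly rather than parsed DNS packets, and the 300-second cap and the choice not to trust either conflicting reply are assumptions for the example.

```python
import time
from dataclasses import dataclass, field

# Assumed site policy for the example: never keep an entry longer than 5 minutes,
# regardless of the TTL the upstream reply advertises.
MAX_CACHE_TTL = 300


@dataclass
class Entry:
    rdata: str       # the record data (for example an A record's address)
    expires: float   # absolute time after which the entry is stale


@dataclass
class MitigatedCache:
    max_ttl: int = MAX_CACHE_TTL
    entries: dict = field(default_factory=dict)
    flushes: int = 0  # how many times a mismatched reply forced a full flush

    @staticmethod
    def _key(name):
        # DNS names are case-insensitive; normalise so "WWW.example.com." and
        # "www.example.com" refer to the same cache slot.
        return name.lower().rstrip(".")

    def lookup(self, name, now=None):
        """Return cached rdata for name, or None if absent or expired."""
        now = time.time() if now is None else now
        entry = self.entries.get(self._key(name))
        if entry is None:
            return None
        if entry.expires <= now:
            del self.entries[self._key(name)]
            return None
        return entry.rdata

    def store(self, name, rdata, ttl, now=None):
        """Cache a reply. Returns True if stored, False if it conflicted.

        Limit Cache Durations: the TTL is clamped to max_ttl.
        Reject Mismatched Replies: if a different value is already cached for
        this name, the entire cache is flushed and neither value is trusted,
        since the resolver cannot tell which reply is genuine (assumption).
        """
        now = time.time() if now is None else now
        cached = self.lookup(name, now)
        if cached is not None and cached != rdata:
            self.entries.clear()
            self.flushes += 1
            return False
        self.entries[self._key(name)] = Entry(rdata, now + min(ttl, self.max_ttl))
        return True
```

Pass an explicit `now` to make the TTL behaviour deterministic in tests; in a live resolver the default `time.time()` is used.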