Technical Threat Mitigation
Technical risks require preventive measures for the network, the host, and the local environment:
Harden Servers: Run only the services the host needs; every remotely reachable process is a potential attack vector. A DNS server should offer DNS and nothing else, run the name daemon as an unprivileged user, and be kept patched. Hardened servers present a smaller attack surface and therefore a lower threat profile from technical attacks.
Firewall: Placing a hardware firewall in front of a DNS server limits the number of remote attack vectors. Permit only DNS traffic (UDP and TCP port 53; TCP is required for large responses and zone transfers) from the clients the server is meant to serve, and allow management ports to be reached only from the administrative network.
Reconnaissance Threat Mitigation
The threat from an attacker performing reconnaissance can be limited by restricting the information DNS reveals. Although DNS cannot be disabled altogether, the type and amount of information it publishes can be restricted:
Limit Zone Transfers: Zone transfers should be permitted only to the designated secondary servers, by source address and, where the server supports it, by a shared transaction key (TSIG). Although this does not prevent brute-force host lookups, it stops an attacker from obtaining the whole zone in a single query and so hinders reconnaissance.
Set Request Limits: Limit the number of DNS requests that any single network address may make in a given interval. This does not prevent brute-force domain listings, but it slows them and forces the attacker to spread queries across many source addresses. Set the limit with care: a busy recursive resolver legitimately sends many queries from one address.
Remove Reverse Lookups: If reverse (PTR) lookups are not essential, do not publish them. An attacker who walks an address range with reverse queries otherwise receives a hostname for every address in use. Mail servers are the usual exception, since many receiving mail systems check the sender's reverse mapping.
Separate Internal and External Domains: Use separate DNS servers, or separate views on one server, for internal and external queries, so that LAN information stays on the LAN. In particular, internal-only hostnames and private addresses should not be resolvable from outside.
Remove Excess Information: TXT, CNAME, and HINFO records that external users do not directly need should be removed. If an external visitor has no need to see a host's HINFO data, that data should not be served at all.
Hide Version: Many DNS servers disclose their software version, either through a local status command or through a remote query (BIND, for example, answers a query for version.bind in the CHAOS class unless configured otherwise). Because specific versions map to specific published exploits, configure the server to report false version information or none at all. This only slows an attacker, who can still fingerprint the server from its behaviour; patching remains the real defence.
In this tutorial:
- Domain Name System (DNS)
- DNS Common Uses
- Hostname-to-Address Mapping
- Common Lookup Tools
- Naming Confusion Attack Vectors
- Dotted Names
- Name Formatting
- Exploited Anonymity
- Mail Servers
- Sender Policy Framework Overloading
- Domain Keys Overloading
- DNS Protocol
- Packet Information
- Simple DNS Server
- Distributed Architecture
- Top Level Domain Servers
- Generic Top Level Domain (gTLD)
- Secondary Level Domain (SLD)
- Primary and Secondary Servers
- Caching Servers
- DNS Management
- DNS Direct Risks
- DNS Performance versus Security
- DNS Cache Poisoning
- Corrupt DNS Packets
- DNS Domain Hijacking
- DNS Server Hijacking
- Dynamic DNS
- Similar Hostnames
- Domain Renewals
- Hostnames
- Zone Transfers
- Host Listing
- DNS Fields
- Mitigation Options
- Technical Threat Mitigation
- Social Threat Mitigation
- Defining Trusted Replies