Like any critical part of network infrastructure, securing recursive DNS requires a layered approach. All the points of entry into the system (the console(s), the network, and so on) need to be protected.
Before we look at the types of protection, we need to consider the various types of attacks against recursive DNS server infrastructure. They can be broadly categorized by attack target:
- DoS/DDoS attacks aimed at bringing down recursive DNS servers. These attacks max out the server's processing capacity and either bring down the service altogether or noticeably impair it for some set of users.
- Attacks that modify DNS data. Also known as "cache poisoning", these attacks alter data in the DNS cache so that users are redirected to fake websites that can be used to harvest personal information or cause other damage to users.
5 tips for securing recursive DNS infrastructure
In this article, we focus on the first category: protecting against DoS/DDoS attacks that can bring down or impair DNS performance.
- Set ACLs to filter out queries from clients that shouldn't be accessing your DNS. Most recursive DNS servers have a mechanism to set ACLs so that they only accept queries from users that belong to your network. By specifying the IP address ranges of clients that are allowed to query the DNS server, queries from clients that shouldn't be accessing it, and that may be trying to bring down the caching DNS server, are filtered out. This is the first level of defense against DoS attacks.
- Filtering policies should also be set at the subscriber edge (for example at the DSLAM in DSL networks) to ensure subscribers can't spoof a source address and launch an attack on the DNS or any other network resource. There are various names for this capability, but it amounts to doing a unicast reverse path forwarding (uRPF) check at the edge of the network so subscribers can't spoof addresses. This prevents a whole range of attacks.
- Set policies to rate limit DNS queries on a per-subscriber basis. Some DNS servers offer this as a built-in feature; if yours doesn't, it may be possible to enforce DNS rate-limiting policies in the network security infrastructure instead.
- When a DNS query can't be answered from the cache, a recursive lookup needs to be performed to fetch an answer from the proper authoritative server on the Internet. Several DoS attacks query for random domains, which are not in the cache, to force the DNS server to do a lot more work. Increasing the number of recursion contexts the DNS server can hold lets it temporarily "absorb" attacks that try to max out the recursion contexts. This also gives a longer time window in which to mitigate the attack.
- Last but not least, it's important to monitor periodically and to define alerts that send an automatic notification when DNS queries or recursion contexts spike suddenly above their normal values. Attacks often show up as such "spikes", and early detection of the problem is the first step to mitigation.
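The following is an added example, not code from the article or from any particular DNS server product. It models the resolver's front door in Python and exercises three of the tips above on constructed query records: the client ACL (tip 1), a per-subscriber rate limit (tip 3), and spike alerting on offered query volume against a rolling baseline (tip 5). The subscriber prefixes, the sample traffic and the thresholds are all made up for the demonstration; the rate limit is a sliding-window counter and the spike rule is a simple mean-plus-deviation check, both chosen here as illustrations rather than as any product's implementation. The same detector can be fed the count of in-flight recursion contexts from tip 4 instead of query counts.

```python
"""Added example, not code from the article: a small model of a resolver's
front door that applies three of the tips above to constructed query records,
an ACL of permitted client ranges, a per-subscriber rate limit, and spike
alerting on offered query volume against a rolling baseline."""
import ipaddress
import statistics
from collections import defaultdict, deque

# Tip 1: address ranges of our own subscribers (constructed documentation prefixes).
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def client_allowed(src_ip: str) -> bool:
    """ACL check: only sources inside our subscriber ranges may query the resolver."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


class SubscriberRateLimiter:
    """Tip 3: sliding-window limit of `limit` queries per `window` seconds per source."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self._recent = defaultdict(deque)  # src -> timestamps of accepted queries

    def allow(self, src_ip: str, now: float) -> bool:
        recent = self._recent[src_ip]
        while recent and now - recent[0] >= self.window:  # expire entries outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


class SpikeDetector:
    """Tip 5: flag an interval whose counter (queries offered, or in-flight
    recursion contexts) exceeds the rolling baseline by `sigma` deviations.
    Flagged samples are kept out of the baseline so an ongoing attack does
    not become the new normal."""

    def __init__(self, window: int = 12, sigma: float = 3.0, min_samples: int = 6):
        self.history = deque(maxlen=window)
        self.sigma, self.min_samples = sigma, min_samples

    def observe(self, value: float) -> bool:
        if len(self.history) >= self.min_samples:
            mean = statistics.fmean(self.history)
            # Floor the spread so a perfectly flat baseline still needs real growth to alert.
            spread = max(statistics.pstdev(self.history), 1.0)
            if value > mean + self.sigma * spread:
                return True
        self.history.append(value)
        return False


def build_sample_queries():
    """Constructed (timestamp, source IP, qname) records; not captured traffic."""
    queries = []
    for sec in range(10):  # 10 s of normal load: four subscribers at 5 qps each
        for host in (10, 11, 12, 13):
            for k in range(5):
                queries.append((sec + k / 5, f"192.0.2.{host}", "www.example.com."))
    for k in range(400):  # second 10: one subscriber floods random, uncacheable names
        queries.append((10 + k / 400, "192.0.2.50", f"{k:04x}.example.com."))
    for k in range(20):  # an off-net source that the ACL should drop outright
        queries.append((10 + k / 20, "198.51.100.7", "www.example.com."))
    return queries


def process(queries, per_client_limit: int = 50, interval: float = 1.0):
    """Run ACL, rate limit and spike detection over time-ordered records.
    Returns counters and the interval numbers for which an alert fired."""
    limiter = SubscriberRateLimiter(per_client_limit)
    detector = SpikeDetector()
    stats = {"accepted": 0, "acl_dropped": 0, "rate_dropped": 0, "alerts": []}
    bucket, offered = 0, 0
    for ts, src, _qname in sorted(queries):
        while ts >= (bucket + 1) * interval:  # close every finished interval
            if detector.observe(offered):
                stats["alerts"].append(bucket)
            bucket, offered = bucket + 1, 0
        offered += 1  # offered load is counted before filtering so the spike stays visible
        if not client_allowed(src):
            stats["acl_dropped"] += 1
        elif not limiter.allow(src, ts):
            stats["rate_dropped"] += 1
        else:
            stats["accepted"] += 1
    if detector.observe(offered):  # flush the last, partial interval
        stats["alerts"].append(bucket)
    return stats


if __name__ == "__main__":
    print(process(build_sample_queries()))
```

Running the module prints the counters for the constructed traffic: the 200 normal queries pass, the off-net source is dropped by the ACL, the flooding subscriber gets only its 50-query allowance for that second, and the detector raises an alert for interval 10 because its offered load is far above the flat 20-per-second baseline. Ordering matters in the pipeline: the ACL runs first so off-net traffic never consumes rate-limit state, and the detector counts offered rather than accepted load so a flood that is being dropped is still visible to operators.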