RE: Securing DNS Server

["Steven Schullo" <sschullo () attbi com>]

Naman,

Unless this DMZ DNS system will provide name lookups for public clients,
you only need to ensure your public to DMZ gateway/firewall/router will
allow outbound syn connections and inbound ack connections to the DMZ
DNS box.  This will effectively limit any public system from
establishing a connection to the DMZ DNS box and will allow outbound
resolutions.  You can further limit communications by enabling traffic
on port 53 TCP/UDP and upper level ports (1024 and up).

If this system will be providing name lookups for public clients, you
will have to open up UDP/TCP 53 inbound as well.  This will open you up
to potential DNS attacks. 

Best practice dictates that the DMZ DNS box be completely separate from
internal DNS.  IF this is the case, the DNS table should be somewhat
basic and easy to recreate.  This box should have root hints on it or
forwarders set up for non-authoritative name resolution.

Hope this helps.

Steven L. Schullo, CISSP, MCSE, CCNA
(469) 855-3228
mailto:sschullo () attbi com




-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Monday, November 04, 2002 2:59 PM
To: Michael Vaughan; security-basics
Subject: RE: Securing DNS Server


You are right for most of your assumptions. We do have an internal DNS
server, which is Primary for all the users. No user has access to the
DMZ DNS Server. Also the Internal DNS server is NOT accessible from
outside. However the internal DNS server has the DMZ DNS server as its
forwarder. So if an internal user query cannot be resolved by the
internal DNS server, it is forwarded to the DMZ DNS Server.This is where
my questions is, 
1. If the DMZ DNS server needs to contact some external (root)server for
resolving the query, then how do I control that ?

Regards \\ Naman


> -----Original Message-----
> From: Michael Vaughan [mailto:list () predator-hunter com]
> Sent: Monday, November 04, 2002 12:50 PM
> To: Naman Latif; 'security-basics'
> Subject: RE: Securing DNS Server
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks,
>
> If I am not mistaken, the DNS server in the DMZ should be a SECONDARY
> IE: a non-writable database.  Furthermore, the DNS server on
> your internal network should be the primary giving ONLY 
> appropriate information regarding the location of external 
> services. IE: not allowing DNS zone transfers except from 
> specific servers...etc. 
> Essentially, the external DMZ server services external 
> requests for resolving services offered in the DMZ ONLY and 
> the internal DNS server (Primary) offers services to internal 
> clients for resolving outside sites & services.  My question 
> is why would you be allowing ANY outgoing connections from 
> your DMZ DNS server to external root servers other than what 
> is on your site? If you have other services located at other 
> locations...you can add those to the DNS manually or through 
> zone transfer. I would propose that the DMZ DNS server should 
> ONLY resolve your DMZ services and no one else's. IE: Why 
> would I want someone using my DNS server externally to 
> resolve yahoo? Basically I am saying that if the service can 
> not be resolved externally to your site(s) then it should 
> fail. Your internal DNS server would service all of your 
> internal clients and would not be accessible from external 
> sources period.  There are notable exceptions depending on 
> your requirements but am I missing the point of your 
> question?  I am assuming you have a DMZ and you are in NO WAY 
> allowing anyone to connect to your internal network directly. 
>  Is that correct?
>
>
> - -Michael Vaughan
> mvaughan () predator-hunter com
> http://www.predator-hunter.com
>
> The information contained in this message may contain
> privileged and confidential information and is intended only 
> for the internal company use of the individual or entity 
> named above.  If the reader of this message is not the 
> intended recipient, or the employee or agent responsible to 
> deliver it to the intended recipient, you are hereby notified 
> that any examination, distribution or copying of this 
> communication is strictly prohibited.  Furthermore, any and 
> all recipients of this message are prohibited from engaging 
> in the unauthorized dissemination of the information 
> contained herein to
> person(s) outside the company.   If you have received this
> communication in error, please notify sender immediately. 
>
> - -----Original Message-----
> From: Naman Latif [mailto:naman.latif () inamed com]
> Sent: Friday, November 01, 2002 7:31 PM
> To: security-basics
> Subject: Securing DNS Server
>
> Hi,
> I am trying to restrict Access to our DNS Server from Outside
> using a Cisco IOS Firewall. Initially we only had Port 53 
> Access to this Server from outside. But it turned out that 
> when our DNS Server has to query a root name server, it sends 
> out a UDP query with a random higher (>1023) source port 
> number, which means that I will have to open >1023 Ports 
> access to this server from outside. In this situtation How do 
> I protect my DNS server from outside attacks on higher port 
> numbers ? Is there a range of Source Port numbers that a BIND 
> DNS server would use, when querying outside servers ?
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.4
>
> iQA/AwUBPcbdZuqV6OTyHFF7EQJoPgCgxyxV0964WY3BFQAuj6VxxzXpZ3QAoKNc
> zjic3/Q9TAzAe8FYYqGSt66i
> =oLS0
> -----END PGP SIGNATURE-----