Domain Name System (DNS) Servers

The Domain Name System (DNS) is a distributed database of IP address-to-name translations.

When you type in a web site address or URL such as www.cisco.com, the first thing that happens is that this easy-to-use name gets converted into an IP address. The server is known on the network by its IP address, not by its name. It is easier for users to remember www.cisco.com than 192.168.10.12. This is the main reason that DNS was implemented, but there are other benefits of using a name-resolution service. One of these is round-robin load balancing, where one domain name can be translated to more than one IP address. For example, you could register www.mydomain.com to 192.168.0.1 and 192.168.0.2. Both of these could be Web servers serving the Mydomain.com web site. Users accessing www.mydomain.com from their Web browsers would get either of the Web servers in a round-robin fashion. This provides load balancing and a simple form of fault tolerance.

Another use of DNS is in e-mail. You can set what is called a mail exchange (MX) record for any particular domain. SMTP, when sending e-mail between e-mail servers, first does a DNS lookup for the destination domain. For example, if a user sends an e-mail to an address in the mydomain.com domain, the user's SMTP server tries to resolve the domain name mydomain.com and locate the MX record for that domain. The MX record points by IP address to a server or group of servers that serve Internet e-mail for the domain. The user's SMTP server then sends the message to the IP address represented by the mydomain.com MX record.
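The two lookups described above (a round-robin A record set for www.mydomain.com and the MX records for mydomain.com) can be seen concretely in the wire format defined by RFC 1035. The following is an added example, not code from the book: it builds a DNS query, builds constructed responses of the kind a server would return, and parses them back. The addresses 192.168.0.1/192.168.0.2 come from the text; the exchange host names mail1/mail2.mydomain.com, the TTL of 300 and the transaction ID are assumptions, and the response bytes are constructed here rather than captured from a real server.

```python
import struct

# Added example of the RFC 1035 message format: query builder, response
# builder (constructed data, not captured traffic) and answer parser.

TYPE_A = 1
TYPE_MX = 15
CLASS_IN = 1


def encode_name(name):
    """Encode 'www.mydomain.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query: QR=0, RD=1 (flags 0x0100), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Return (txid, rcode, answers); each answer is a dict with name, type, ttl, data."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset = flags & 0x0F, 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_MX:  # preference followed by the exchange host name
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(data, offset + 2)
            value = (pref, exchange)
        else:
            value = rdata
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
        offset += rdlen
    return txid, rcode, answers


def _response_header(query, count):
    """Echo the query's txid and question; flags 0x8180 = QR, RD, RA, NOERROR."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, count, 0, 0) + query[12:]


def build_a_response(query, addresses, ttl=300):
    """Constructed answer with one A record per address, name compressed to offset 12."""
    out = _response_header(query, len(addresses))
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        out += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return out


def build_mx_response(query, exchanges, ttl=300):
    """Constructed answer with one MX record per (preference, host) pair."""
    out = _response_header(query, len(exchanges))
    for pref, host in exchanges:
        rdata = struct.pack("!H", pref) + encode_name(host)
        out += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def round_robin(addresses, request_index):
    """Pick the address a round-robin resolver hands to the n-th client."""
    return addresses[request_index % len(addresses)]


def preferred_exchanges(answers):
    """MX hosts ordered by preference (lowest value is tried first by SMTP)."""
    return [host for _, host in sorted(a["data"] for a in answers if a["type"] == TYPE_MX)]


if __name__ == "__main__":
    q = build_query("www.mydomain.com", TYPE_A)
    _, _, a_records = parse_response(build_a_response(q, ["192.168.0.1", "192.168.0.2"]))
    print([round_robin([r["data"] for r in a_records], i) for i in range(4)])
    mq = build_query("mydomain.com", TYPE_MX)
    _, _, mx = parse_response(build_mx_response(mq, [(20, "mail2.mydomain.com"), (10, "mail1.mydomain.com")]))
    print(preferred_exchanges(mx))
```

The parser follows RFC 1035 name compression (the `0xC0` pointer form), which is what lets each answer refer back to the question name instead of repeating it; the SMTP behaviour in the text corresponds to taking the first host from `preferred_exchanges` and then resolving that host's own A record.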

DNS is described in RFC 1035 and RFC 1706.

Threats Posed to DNS Servers

DNS operates over port 53, using both UDP and TCP as the transport layer protocol. Client name requests are carried out over UDP port 53, and domain zone transfers are carried out over TCP port 53. Zone transfers occur between the primary and secondary DNS servers. Updates are carried out on the primary server, and these changes get replicated down to the secondary servers.

The obvious threats that apply to DNS servers are DoS attacks and network intrusion.

Internet clients require DNS servers to resolve the domain name to the IP address of the server they are trying to connect to. Attackers can either use a DoS attack against the server to deny access from other DNS servers and clients, or they can infiltrate the server and change the DNS information.

For example, www.mydomain.com could have a DNS entry of 194.73.134.10; an attacker could change this to 195.195.195.195, which points to a different web site, thus redirecting all traffic away from the Mydomain.com web site.

Because of the way DNS works and gets cached all over the Internet, the attack would have to be very prolonged—more than 48 hours at least—before any real effect would be noticed.

Solutions to the Threats to DNS Servers

The easiest way to protect a DNS server is to place it behind a firewall device and limit access to only TCP and UDP port 53. This allows the DNS service to function correctly and disallows any other access to the operating system or to other applications listening on ports on the server.
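Once the firewall policy above is in place, two things are worth checking on an ongoing basis: that the firewall is really only passing port 53 to the DNS server (with TCP 53, the zone-transfer channel described earlier, reaching it only from the secondary servers), and that the records the server hands out still match what was published, so that the kind of silent record change described above is noticed well before the 48-hour window the text mentions. The following is an added example, not part of the book: it runs both checks over constructed log lines. The log format (proto src dst dport action) is invented for the example and is not PIX syslog output; the secondary address 194.73.134.20 and the client address 203.0.113.7 are assumptions, while 192.168.0.12, 194.73.134.10 and 195.195.195.195 come from the text.

```python
# Added example: audit firewall events for a DNS server and detect published-record drift.
# The log lines are constructed for this example and do not follow any vendor's syslog format.
SAMPLE_LOG = """\
udp 10.0.0.5 192.168.0.12 53 permit
tcp 194.73.134.20 192.168.0.12 53 permit
tcp 203.0.113.7 192.168.0.12 53 permit
tcp 203.0.113.7 192.168.0.12 22 deny
tcp 203.0.113.7 192.168.0.12 80 permit
udp 10.0.0.5 192.168.0.12 53 permit
"""

DNS_SERVER = "192.168.0.12"          # internal address of the DNS server from the text
SECONDARIES = {"194.73.134.20"}      # assumption: the only peer allowed to pull zone transfers
EXPECTED_A = {"www.mydomain.com": "194.73.134.10"}  # published value from the text


def parse_log(text):
    """Turn the constructed 'proto src dst dport action' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport, action = line.split()
        events.append({"proto": proto, "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def audit_dns_exposure(events, dns_server=DNS_SERVER, secondaries=SECONDARIES):
    """Flag permitted traffic to the DNS server that the port-53-only policy should not allow,
    and TCP 53 (zone-transfer channel) from hosts that are not configured secondaries."""
    findings = []
    for e in events:
        if e["dst"] != dns_server:
            continue
        if e["dport"] != 53:
            if e["action"] == "permit":  # denied traffic means the firewall did its job
                findings.append(("non-dns-port-permitted", e["src"], e["proto"], e["dport"]))
            continue
        if e["proto"] == "tcp" and e["src"] not in secondaries:
            findings.append(("tcp53-from-unlisted-peer", e["src"], e["proto"], 53))
    return findings


def detect_record_drift(observed, expected=EXPECTED_A):
    """Compare A answers observed from the server with the published values.
    Returns {name: (expected, observed)} for every record that no longer matches."""
    return {name: (expected[name], seen)
            for name, seen in observed.items()
            if name in expected and seen != expected[name]}


if __name__ == "__main__":
    for finding in audit_dns_exposure(parse_log(SAMPLE_LOG)):
        print("firewall finding:", finding)
    # Constructed observation matching the redirection scenario in the text.
    print("record drift:", detect_record_drift({"www.mydomain.com": "195.195.195.195"}))
```

The audit treats a denied connection to port 22 as expected behaviour and reports only what was permitted, since the question being asked is whether the policy is too loose; the TCP 53 check encodes the text's model that zone transfers are the traffic expected on that port, so a permitted TCP 53 session from an unlisted host is worth a look.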

Configuration Recommendations for DNS Servers

Using the Cisco Secure PIX Firewall, the following commands allow DNS traffic to the DNS server with an internal address of 192.168.0.12/24 and provide static translation to the public address of 194.73.134.12/24. This is based on Figure 11-3:

static (inside,outside) 194.73.134.12 192.168.0.12 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.12 eq domain any
conduit permit udp host 194.73.134.12 eq domain any
