


Securing the DNS must be a priority because it is so central to the proper functioning of every IP network. Employing the best possible protections for the DNS will pay huge dividends over time. The good news is that it is not hard. Most of the essential groundwork should be covered with standard IT processes for securing critical systems. The rest is simple due diligence.
Below is a checklist of best practices that will ensure not only the best DNS security but also the best performance and availability. Best of all, operations will be simplified too.
1. Demand built-in layered defenses for the DNS. Priority one is employing multiple defenses against cache poisoning. How much of your IT infrastructure is protected with a single defense? Why would you be comfortable protecting the DNS with just one defense? It is one of the most attractive targets in the network because compromise is so insidious. Are you willing to risk having your corporate secrets sent to a competitor? Transparent redirection of network traffic caused by cache poisoning can wreak havoc with email. As with every other IT system, layered defenses for the DNS ensure that if one defense is compromised, others still stand between the attacker and success.
2. Deploy DNS servers optimized for their respective functions. Merely separating caching and authoritative functions is insufficient. Caching and authoritative servers are susceptible to different kinds of attacks, and the protections for each are different. With purpose-built software it is simple to deploy optimized protections for each platform (in fact, the defaults for each will already be optimal in most cases). As a bonus, performance of purpose-built platforms will be better, operational processes can be tailored for each, overall configuration management will be simpler, and each platform will be more reliable.
3. Optimize the configuration of purpose-built DNS servers. Restricting access to caching servers exclusively to authorized users is a natural consequence of deploying a purpose-built caching server. The caching configuration can easily be “closed” to the defined user base (IP address range(s)). At the same time, on the authoritative side, zone transfers can easily be restricted to authorized secondary name servers while keeping the server “open” for queries from the Internet. Both configurations can be optimal, maximizing security, with no conflict between them.
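A small audit of the two configurations described in item 3, as an added example that is not part of the original article or of any DNS product. The server description schema, its field names (`role`, `recursion`, `zones`, `allow_query`, `allow_transfer`) and the addresses are hypothetical; an omitted ACL is assumed to mean unrestricted, and secondaries are assumed to be listed as single addresses.

```python
import ipaddress

ANY = {"0.0.0.0/0", "::/0"}

def _acl(server, key):
    # Assumption: an omitted ACL means "unrestricted", the default this audit guards against.
    return [ipaddress.ip_network(c) for c in server.get(key, sorted(ANY))]

def _open(acl):
    return any(str(net) in ANY for net in acl)

def permits(server, action, src):
    """True if src may perform action ('query' or 'transfer') on server."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _acl(server, "allow_" + action))

def audit(server):
    """Return the ways a server description departs from checklist item 3."""
    query, xfer = _acl(server, "allow_query"), _acl(server, "allow_transfer")
    findings = []
    if server["role"] == "caching":
        if _open(query):
            findings.append("caching: queries not closed to the defined user base")
        if server.get("zones"):
            findings.append("caching: server also hosts authoritative zones")
    else:
        if server.get("recursion"):
            findings.append("authoritative: recursion enabled")
        if not _open(query):
            findings.append("authoritative: not open for queries from the Internet")
        # Any entry wider than one host is treated as "not a listed secondary".
        if any(net.num_addresses > 1 for net in xfer):
            findings.append("authoritative: zone transfers not limited to listed secondaries")
    return findings

# Constructed sample descriptions using private and documentation address ranges.
CACHE = {"role": "caching", "recursion": True,
         "allow_query": ["10.0.0.0/8", "2001:db8::/32"]}
AUTH = {"role": "authoritative", "recursion": False,
        "allow_query": ["0.0.0.0/0", "::/0"],
        "allow_transfer": ["198.51.100.53/32"]}
MIXED = {"role": "authoritative", "recursion": True}  # ACLs omitted: open to everyone

if __name__ == "__main__":
    for name, srv in (("cache", CACHE), ("auth", AUTH), ("mixed", MIXED)):
        print(name, audit(srv) or "ok")
```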
