How to Protect DNS Server from Attacks?

Khaled Madany asked 6 months ago

Dear,
First, I want to thank you for the steps, which helped me a lot to migrate successfully to 2012.
My question is how to protect the DNS server from any attacks or C&C. I have almost 300 users in total, and I already installed AV.
I checked with some companies and found something like Infoblox and Cisco Umbrella (cloud-based), which need their IP to be put on my DNS forwarder, so any query will be forwarded to their cloud to be scanned and checked; then, if it is clear, it will pass, or else it will be blocked.
I need your opinion about that, or any other suggestion from your experience.
Note that these types of solutions are a little expensive.

Thanks a lot for your cooperation.

1 Answer
Hassan Aboul Hassan answered 4 months ago

Hi Khaled, I am very happy you have migrated successfully, and thank you for your questions.
I just want to know a little bit about your network architecture: what services and applications do you use? Are you always connected to the internet? What network devices are you using?
Why do you want to protect the DNS? Have you been attacked before? If yes, what type of attack?
You said you installed an AV; if you mean antivirus, then this is not related to DNS protection.
You have to implement DNSSEC and DHCP name protection if you have DHCP on Windows; it's a configuration which is free, and this is the basic level. But if you want to know about advanced protection, then you can install a hardware firewall, IPS, or IDS, and getting the help of the companies you mentioned is also a solution, but yes, it's expensive.
DNS attacks are several: we have cache poisoning, DDoS, masquerading mappings, and so on.
Check this article.
and this

As you may know, in the security field there is nothing called enough; implementing DNSSEC can add another layer of security to achieve higher protection.
Note about DNSSEC: If you publish DS records in the TLD zone and your public nameservers do not support DNSSEC, then your records will fail validation.
Also, here is an important article to read about DNSSEC performance:
https://labs.apnic.net/?p=341

Looking at your network, in general, I think you are doing a good job in protecting it.
But as Khalid said first, if you want to improve security more and more, it will be more expensive.
So if you have a limited budget, just go for more configuration, make sure your firewall device has appropriate resources, apply DNSSEC, and monitor your network.
Also, you can try to attack your network with some DDoS attacks to test, if you want.
DNSSEC guide:
Check this link.
And this
And this
These are step-by-step guides. Please, if you feel you are facing some problems, I will be waiting for you here. Don't worry.
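
The DS note in the answer above can be checked before anything is published at the registrar. The following is an added example, not part of the original answer: it derives the DS record a parent zone would carry from a DNSKEY (RFC 4034) and classifies the delegation the way a validating resolver would. The zone name `example.test`, the key bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of a domain name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for one DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def delegation_status(owner, parent_ds, child_dnskeys):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set.
    Only the DS-to-DNSKEY link is checked; RRSIG verification is out of scope."""
    if not parent_ds:
        return "insecure"   # no DS at the parent: resolvers treat the zone as unsigned
    served = {make_ds(owner, k) for k in child_dnskeys}
    wanted = {(t, a, d, h.lower()) for t, a, d, h in parent_ds}
    if wanted & served:
        return "ds-match"   # at least one DS points at a key the zone really serves
    return "bogus"          # DS published, no matching DNSKEY: validation fails

# Constructed sample data (not a real zone or key).
OWNER = "example.test"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))   # flags 257 = KSK, algorithm 13
DS = make_ds(OWNER, KSK)

if __name__ == "__main__":
    print("DS at parent:", DS)
    print("DNSSEC-capable nameservers:", delegation_status(OWNER, [DS], [KSK]))
    print("nameservers serve no DNSKEY:", delegation_status(OWNER, [DS], []))
    print("no DS published:", delegation_status(OWNER, [], [KSK]))
```

The "bogus" case is the one the note warns about: validating resolvers return SERVFAIL for the whole zone, so the DS should only be published once every public nameserver serves the matching DNSKEY.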