|Description||Protect DNS Servers:
ISPs should protect their DNS servers from DNS spoofing attacks and take steps to ensure that compromised customer systems cannot emit spoofed traffic (and thereby participate in DNS amplification attacks). Defensive measures include:
(a) managing DNS traffic consistent with industry accepted procedures;
(b) where feasible, limiting access to recursive DNS resolvers to authorized users;
(c) blocking spoofed DNS query traffic at the border of their networks; and
(d) routinely validating the technical configuration of DNS servers by, for example, utilizing available testing tools that verify proper DNS server technical configuration.
|Industry Role(s)||Service Provider|
|Keyword(s)||Cyber Security;Encryption;Intrusion Detection;|
|Reference/Comments||Widely accepted DNS traffic management procedures are discussed in the following documents:
Security issues on recursive resolvers are discussed in IETF BCP 140 / RFC 5358 ("Preventing Use of Recursive Nameservers in Reflector Attacks"). Responses to spoofed traffic, including spoofed DNS traffic, are discussed in IETF BCP 38 / RFC 2827 ("Network Ingress Filtering").
Some tools examining different aspects of DNS server security include:
http://dnscheck.iis.se/, http://recursive.iana.org/, and https://www.dnsoarc.net/oarc/services/dnsentropy. More information on DNS security issues can also be found at: http://www.iana.org/reports/2008/cross-pollination-faq.html
Note that the Best Practices in this grouping are primarily aimed at ISPs that provide service to consumer end-users on residential broadband networks, but may be applicable to other users and networks as well.
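The following is an added, offline illustration of measures (b), (c) and (d) from the description and of the entropy check performed by the testing tools listed in the references. It is not part of the CSRIC best practice and is not any ISP's or tool vendor's code. The customer prefixes, addresses, packets and port/transaction-ID samples are all constructed for the example; the function and interface names ("customer" / "external") are assumptions made here for clarity.

```python
"""Offline simulation of three of the DNS defensive measures above.

- BCP 38 ingress filtering: drop packets from the access network whose source
  address is not one the ISP assigned (measure (c));
- BCP 140 recursion control: refuse recursive queries from sources outside the
  customer prefixes (measure (b));
- a configuration check in the spirit of the DNS entropy testers cited in the
  references: entropy of the source ports and transaction IDs a resolver uses
  for its own upstream queries (measure (d)).
Everything below is constructed for the example.
"""
import ipaddress
import math
import struct
from collections import Counter

# Constructed for this example: the address space the ISP assigns to its own
# customers. A real deployment would load this from its IPAM / address pools.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]


def build_query(txid, qname, rd=True):
    """Build a minimal DNS query: 12-byte header plus one A/IN question."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def wants_recursion(payload):
    """True if the DNS header carries the RD (recursion desired) bit."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x0100)


def is_customer_address(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def border_decision(interface, src_ip, payload):
    """Decide what to do with a UDP/53 packet arriving at the ISP border.

    interface is "customer" for packets from the access network and
    "external" for packets from the Internet (names assumed for this
    example). Returns "forward", "drop-spoofed" or "refuse-recursion".
    """
    inside = is_customer_address(src_ip)
    if interface == "customer":
        # BCP 38: anything leaving the access network must carry an address
        # we actually assigned; otherwise it is spoofed and would let a
        # compromised host take part in a reflection/amplification attack.
        return "forward" if inside else "drop-spoofed"
    if inside:
        # Our own prefixes cannot legitimately arrive from the Internet.
        return "drop-spoofed"
    # BCP 140: no recursion for outsiders. A non-RD query can still be
    # answered for zones this server is authoritative for.
    return "refuse-recursion" if wants_recursion(payload) else "forward"


def shannon_entropy(values):
    """Shannon entropy, in bits, of an observed sample of values."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def resolver_randomness_report(outbound_queries):
    """Configuration check in the spirit of the entropy testers cited above.

    outbound_queries is a list of (source_port, txid) pairs captured from the
    resolver's own upstream queries. A resolver that reuses one source port
    leaves only the 16-bit txid for an off-path attacker to guess, which is
    what makes spoofed answers practical; the sample entropy makes that
    weakness visible without any network access.
    """
    ports = [p for p, _ in outbound_queries]
    txids = [t for _, t in outbound_queries]
    return {
        "port_bits": shannon_entropy(ports),
        "txid_bits": shannon_entropy(txids),
        "fixed_port": len(set(ports)) == 1,
    }


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    for iface, src in [("customer", "203.0.113.7"), ("customer", "198.51.100.9"),
                       ("external", "203.0.113.7"), ("external", "198.51.100.9")]:
        print(iface, src, border_decision(iface, src, q))
    # Constructed samples: a resolver stuck on port 53 versus one randomizing.
    print(resolver_randomness_report([(53, i) for i in range(64)]))
    print(resolver_randomness_report([(1024 + 17 * i, 64 * i) for i in range(64)]))
```

One caveat when reading the entropy numbers: a sample of N queries can show at most log2(N) bits, so compare the result against that bound (6 bits for 64 samples), not against the 16 bits a fully randomized port or transaction ID could provide; a resolver that pins a single source port shows 0 bits regardless of sample size and should be reconfigured.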