10 DNS security measures

The Domain Name System (DNS) maps server names to IP addresses on the Internet and on any TCP/IP network.
DNS servers are frequent targets for attackers, but you can harden them with the following methods:

1. Use a DNS forwarder

A DNS forwarder is a DNS server that performs DNS queries on behalf of other DNS servers. It offloads query processing from the servers that forward to it and builds up a shared cache on the forwarder, so that repeated queries are answered from that cache instead of being resolved again.

Another function of a DNS forwarder is to keep the forwarding DNS servers from interacting directly with Internet DNS servers. This matters because the forwarding server holds the resource records for your internal DNS domain. Instead of letting internal DNS servers perform recursion themselves and contact other DNS servers directly, configure them to use a forwarder for every domain for which they are not authoritative.

2. Use a caching-only DNS server

A caching-only DNS server is a DNS server that is not authoritative for any DNS domain. It is configured either to perform recursion or to use a forwarder. When it receives a response, it caches the result and returns the answer to the system that sent the query. Over time the server accumulates a large cache of DNS responses, which significantly reduces response times for the DNS clients that use it.

Caching-only DNS servers can improve security when used as forwarders under your own administrative control. Internal DNS servers can be configured to use the caching-only server as their forwarder, and the caching-only server performs recursion instead of the internal DNS servers. Using your own caching-only servers as forwarders improves security because you do not have to rely on your provider's DNS servers as forwarders when you do not trust the security configuration of those servers.

3. Use a DNS advertiser

A DNS advertiser is a DNS server that answers queries only for the domains for which it is authoritative. For example, if you host resources for domain.com and corp.com, the public DNS server is configured with zone files for the domain.com and corp.com domains.

The difference between a DNS advertiser and an ordinary DNS server that hosts zone files is that the advertiser responds only to queries for the domains it hosts. It does not perform recursion for queries about other domains. This prevents users from using your public DNS server to resolve arbitrary domains, and increases security by reducing the risks of running a public DNS resolver (such as cache pollution).

4. Use a DNS resolver

A DNS resolver is a DNS server that performs recursion to resolve names in domains for which it is not authoritative. For example, you might have a DNS server on the local network that is authoritative for the internal domain internalcorp.com. When a workstation on the network uses this DNS server to resolve quantrimang.com, the DNS server resolves the name recursively by retrieving the answer from other DNS servers.

The difference between this DNS server and a dedicated DNS resolver is that the resolver is used to resolve Internet host names. The resolver can be a caching-only DNS server that is not authoritative for any DNS domain. The admin can allow only internal users to use the DNS resolver, allow only external users to use it (so that you do not depend on an external DNS server outside the admin's control), or allow both internal and external users to access it.
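The four roles described in sections 1 to 4 map onto a handful of settings on a Windows DNS server. The following is an added example, not code from the original article, using the DnsServer PowerShell module (Windows Server 2012 and later); the forwarder address is a placeholder.

```powershell
#Requires -Modules DnsServer
# Added example: put a Windows DNS server into one of the roles from sections 1-4.
# $Forwarders (placeholder address) is where an internal server sends off-domain queries.
function Set-DnsServerRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('InternalForwarding', 'CachingForwarder', 'Advertiser', 'Resolver')]
        [string]$Role,
        [string[]]$Forwarders = @('10.0.0.5')
    )
    switch ($Role) {
        'InternalForwarding' {
            # Section 1: holds the internal zones but never contacts Internet DNS
            # servers itself; -UseRootHint $false makes it forward-only.
            Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
            Set-DnsServerRecursion -Enable $true
        }
        'CachingForwarder' {
            # Section 2: caching-only server under your control that performs the
            # recursion for the internal servers; clear any upstream forwarders.
            $existing = (Get-DnsServerForwarder).IPAddress
            if ($existing) { Remove-DnsServerForwarder -IPAddress $existing -Force }
            Set-DnsServerRecursion -Enable $true
        }
        'Advertiser' {
            # Section 3: public server that answers only for its own zones.
            # Disabling recursion on Windows DNS also disables forwarding.
            Set-DnsServerRecursion -Enable $false
        }
        'Resolver' {
            # Section 4: resolves Internet names; limit who may reach it with
            # firewall rules (section 8).
            Set-DnsServerRecursion -Enable $true
        }
    }
}

# Audit: report the settings that determine which role a server actually plays.
function Get-DnsServerRoleSummary {
    $recursion  = Get-DnsServerRecursion
    $forwarding = Get-DnsServerForwarder
    [pscustomobject]@{
        RecursionEnabled   = $recursion.Enable
        Forwarders         = $forwarding.IPAddress -join ', '
        ForwardOnly        = -not $forwarding.UseRootHint
        AuthoritativeZones = (Get-DnsServerZone |
            Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary' }).ZoneName -join ', '
    }
}
```

A server that reports RecursionEnabled as false and a non-empty AuthoritativeZones list is an advertiser; one with recursion enabled and no zones is a caching-only resolver.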

5. Protect the DNS cache

DNS cache 'pollution' is a common problem. Most DNS servers cache the results of DNS queries before returning the response to the client that sent the query. Caching can significantly improve DNS query performance. But if a DNS server's cache is 'polluted' with bogus DNS entries, users can be redirected to malicious websites instead of the websites they intended to visit.

Most DNS servers can be configured to prevent cache pollution. For example, the Windows Server 2003 DNS server is configured by default to prevent cache pollution. If you are using a Windows 2000 DNS server, you can enable pollution protection by opening the DNS server's Properties dialog box, selecting the Advanced tab, ticking the Prevent Cache Pollution check box, and restarting the DNS server.

6. Secure DDNS connections

Many DNS servers allow dynamic updates. With dynamic update, the DNS server registers the DNS names and IP addresses of hosts that obtain their IP addresses from DHCP servers. DDNS can be a great administrative time-saver compared with manually configuring DNS resource records for these hosts.

However, unchecked DDNS updates can be a security issue. A malicious user could configure a host to dynamically update the DNS records of a sensitive server (such as a data server, web server or database server) and redirect traffic intended for that server to their own PC.

You can reduce the risk of malicious DNS updates by requiring secure connections to the DNS server for dynamic updates. This is easily done by configuring the DNS server to use Active Directory-integrated zones and to require secure dynamic updates. All domain member computers can still dynamically update their DNS information after this configuration is in place.

7. Disable zone transfers

A zone transfer takes place between a primary DNS server and a secondary DNS server. The primary DNS server that is authoritative for a given domain holds the writable zone file, which can be updated as needed. Secondary DNS servers receive a read-only copy of the zone from the primary DNS server. Secondary DNS servers are used to increase DNS query capacity within an organization or on the Internet.

However, zone transfers are not limited to secondary DNS servers. Anyone can send a zone transfer request to a DNS server configured to allow zone transfers and dump the entire zone database. Attackers can use this information to map the company's naming scheme and target key infrastructure services. You can prevent this by configuring the DNS server to deny all zone transfer requests, or to allow zone transfers only to specific servers.
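Sections 5, 6 and 7 are all settings that can be audited and corrected on a Windows DNS server. The following is an added example and not the article's own code; it uses the DnsServer PowerShell module, and the secondary server addresses are placeholders.

```powershell
#Requires -Modules DnsServer
# Added example: audit and harden the settings from sections 5, 6 and 7.
# The secondary server addresses below are placeholders.
function Get-DnsZoneSecurityReport {
    # Primary zones this server really serves (auto-created zones are skipped).
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone              = $_.ZoneName
                ADIntegrated      = $_.IsDsIntegrated
                DynamicUpdate     = $_.DynamicUpdate      # None, NonsecureAndSecure or Secure
                SecureSecondaries = $_.SecureSecondaries  # NoTransfer, TransferAnyServer, ...
                SecondaryServers  = ($_.SecondaryServers -join ', ')
                # The two conditions the article warns about.
                Finding           = @(
                    if ($_.DynamicUpdate -eq 'NonsecureAndSecure') { 'unauthenticated DDNS accepted' }
                    if ($_.SecureSecondaries -eq 'TransferAnyServer') { 'zone transfer to any host' }
                ) -join '; '
            }
        }
}

function Protect-DnsZones {
    param([string[]]$SecondaryServers = @('10.0.0.2', '10.0.0.3'))
    # Section 5: ignore records in a response that do not belong to the domain
    # tree that was queried, so a crafted answer cannot seed the cache.
    Set-DnsServerCache -EnablePollutionProtection $true

    $zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        # Section 6: 'Secure' updates need an AD-integrated zone; a file-backed
        # zone only offers None or NonsecureAndSecure, so it is left alone here.
        if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        }
        # Section 7: transfer only to the listed secondaries, or to nobody at all.
        if ($SecondaryServers) {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName `
                -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServers
        } else {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries NoTransfer
        }
    }
    Get-DnsZoneSecurityReport
}
```

Run Get-DnsZoneSecurityReport first; any zone whose Finding column is non-empty is one that Protect-DnsZones will change.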

8. Use a firewall to control DNS access

A firewall can be used to control which hosts connect to the DNS server. For DNS servers that only serve queries from local workstations, the admin should configure the firewall to block connections from external hosts to these DNS servers. For DNS servers used as caching-only forwarders, the firewall should be configured to allow DNS queries only from the DNS servers that use them as forwarders. A very important firewall policy setting is to block internal users from using the DNS protocol to connect to external DNS servers.
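The three rules in this section can be expressed as Windows Firewall rules. The following is an added example, not code from the original article: the first function is applied on the DNS server, the second on workstations (normally through Group Policy), and every address is a placeholder.

```powershell
# Added example: Windows Firewall rules for the policy in section 8.
# All addresses are placeholders for your own network.
function Set-DnsServerInboundPolicy {
    param(
        # Hosts allowed to query this server: the local subnet for a workstation-
        # facing server, or only the internal DNS servers for a caching-only forwarder.
        [string[]]$AllowedClients = @('10.0.0.0/8')
    )
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS in ($proto) - allowed clients" `
            -Direction Inbound -Protocol $proto -LocalPort 53 `
            -RemoteAddress $AllowedClients -Action Allow
        # Windows Firewall applies Block rules before Allow rules, so this
        # catch-all drops DNS from every address not listed above.
        New-NetFirewallRule -DisplayName "DNS in ($proto) - block others" `
            -Direction Inbound -Protocol $proto -LocalPort 53 -Action Block
    }
}

function Set-WorkstationOutboundDnsPolicy {
    param(
        # The only resolvers a workstation may talk to: the internal DNS servers.
        [string[]]$InternalDnsServers = @('10.0.0.10', '10.0.0.11')
    )
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS out ($proto) - internal resolvers" `
            -Direction Outbound -Protocol $proto -RemotePort 53 `
            -RemoteAddress $InternalDnsServers -Action Allow
        New-NetFirewallRule -DisplayName "DNS out ($proto) - block external" `
            -Direction Outbound -Protocol $proto -RemotePort 53 -Action Block
    }
}

# Check: list every rule that touches port 53 and whether it allows or blocks.
function Get-DnsFirewallRuleSummary {
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq 53 -or $_.RemotePort -eq 53 } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled
}
```

The outbound rules only cover the Windows host firewall; the perimeter firewall still needs the equivalent rule so that internal hosts cannot reach external DNS servers directly.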

9. Configure access control on the DNS registry settings

On Windows-based DNS servers, configure access control on the DNS server's registry settings so that only the accounts that require access can read or change them.

The DNS key under HKLM\CurrentControlSet\Services should be configured to allow access only to the Administrators and System accounts, and these accounts should be granted Full Control.

10. Configure access control on the DNS file system

On Windows-based DNS servers, configure access control on the file system folders used by the DNS server so that only the accounts that require access can read or change these files.

The %system_directory%\DNS directory and its subdirectories should be configured to allow access only to the System account, and the System account should be granted Full Control.
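The ACLs from sections 9 and 10, as an added example that is not the article's own code: a helper that breaks inheritance on a registry key or a directory and leaves only the listed accounts with Full Control. It assumes the DNS service key is HKLM:\SYSTEM\CurrentControlSet\Services\DNS and the DNS directory is %SystemRoot%\System32\dns; it must run in an elevated session.

```powershell
# Added example: exclusive Full Control ACLs for the DNS registry key (section 9)
# and the DNS directory (section 10). Run elevated.
function Set-ExclusiveFullControl {
    param(
        [Parameter(Mandatory)][string]$Path,         # registry (HKLM:\...) or directory path
        [Parameter(Mandatory)][string[]]$Identities  # accounts that keep Full Control
    )
    $item = Get-Item -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit entry so only our identities are left.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $isRegistry = $item.PSProvider.Name -eq 'Registry'
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    if (-not $isRegistry) {
        $inherit = $inherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    }
    foreach ($id in $Identities) {
        $account = [System.Security.Principal.NTAccount]$id
        $rule = if ($isRegistry) {
            New-Object System.Security.AccessControl.RegistryAccessRule(
                $account, 'FullControl', $inherit, 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $account, 'FullControl', $inherit, 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Section 9: only Administrators and SYSTEM, both with Full Control.
Set-ExclusiveFullControl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS' `
    -Identities 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Section 10: the DNS directory and its subdirectories, SYSTEM with Full Control.
Set-ExclusiveFullControl -Path (Join-Path $env:SystemRoot 'System32\dns') `
    -Identities 'NT AUTHORITY\SYSTEM'

# Verify: the explicit (non-inherited) entries that remain on the key.
(Get-Acl -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS').Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

Removing Administrators from the DNS directory, as section 10 specifies, means administrators must take ownership before they can edit zone files by hand; add 'BUILTIN\Administrators' to the second call if your operations depend on that.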