Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 1110 DNS security measures
Network administration - Domain name system (DNS) is used to identify server names to IP addresses on the Internet and on a TCP / IP platform. DNS servers are often targets that hackers exploit and attack, but you can also secure these servers with some of the following methods:
1. Use the DNS Forwarder
A DNS Forwarder is a DNS server that performs DNS queries on behalf of many other DNS servers. The DNS Forwarder is used to remove processing tasks from DNS servers that are forwarding these queries to the Forwarder, and increase the DNS cache traffic on the DNS Forwarder.
Another function of the DNS forwarder is to prevent the forwarding DNS server from requesting interactions with Internet DNS servers. This is a particularly important function since the DNS server contains resources within the DNS domain. Instead of allowing internal DNS servers to manually execute commands and contact other DNS servers, it configures the internal DNS server to use a Forwader for all non-authorized domains.
2. Use hosting DNS server
A DNS hosting server is a DNS server that cannot delegate to any DNS domain. It is configured to perform a callback or use a forwarder. When this server receives a response, it saves the result and passes the answer to the system that sends the DNS query to the hosting DNS server. Then, this server can gather multiple DNS responses that significantly reduce the response time for DNS servers of hosted DNS servers.
Storage DNS servers can improve company security when used as a forwarder in your administrative tools group. Internal DNS servers can be set up to use the hosting DNS server as their converter, and the hosting DNS server performs a callback instead of the internal DNS server. Using DNS servers to host them as forwarders can improve security because you don't have to rely on the vendor's DNS servers to be used as a forwarder when you don't trust the security settings. Their DNS server.
3. Using DNS Advertiser
A DNS advertisiser is a DNS server that queries for domains where the DNS Advertiser is authorized. For example, if you store resources for domain.com and corp.com, the public DNS server will be configured with the DNS file area for domain.com and corp.com domains.
The difference between a DNS Advertiser and a DNS server that contains a DNS file area is that the DNS Advertiser responds to queries from the domain name it assigns. The DNS server will not recall the query sent to other servers. This prevents users from using public DNS servers to handle multiple domains, and increases security by reducing the risks of running public DNS Resolutions (caching damage).
4. Use DNS Resolver
The DNS Resolver is a DNS server that can recall commands to process names for domains not authorized by the DNS server. For example, you can use a DNS server that is authorized on the local network for the internal network domain internalcorp.com. When a workstation on the network uses this DNS server to name quantrimang.com, that DNS server will recall the command by retrieving the results on other DNS servers.
The difference between this DNS server and the DNS resolver is that the DNS Resolver is used to name the Internet server. Resolver can be a cached DNS server that is not authorized for any DNS domain. Admin can only allow internal users to use DNS Resolver, or only allow external users to use it to provide security when using an external DNS server out of admin's control, and may allow Internal users and external users access the DNS Resolver.
5. Protect DNS caching
'Pollution' DNS caching is a common problem. Most DNS servers can store DNS query results before forwarding the response to the server sending the query. DNS caching can significantly improve the ability to perform DNS queries. If caching DNS servers is 'contaminated' with many virtual DNS entries, users can be forwarded to malicious websites instead of websites intended to be accessed.
Most DNS servers can be configured to 'cache' caching. For example. The Windows Server 2003 DNS server is configured by default to prevent 'caching'. If you are using a Windows 2000 DNS server, you can install anti-pollution by opening the Properties dialog box in the DNS server, selecting the Advanced tab, and then tick the Prevent Cache Pollution check box and restarting the DNS server.
6. Connection security with DDNS
Many DNS servers allow dynamic updates. The dynamic update feature helps these DNS servers register DNS server names and IP addresses for DHCP servers that contain IP addresses. DDNS can be an effective administrative support tool while manually configuring DNS resource patterns for these servers.
However, not checking DDNS updates can cause a security issue. Bad users can configure servers to dynamically update resources on the DNS server (such as a data server, web server or database server) and navigate to the destination server to their PC. .
You can reduce the risk of having malicious DNS updates by requiring security to connect to the DNS server to update dynamically. This can be easily done by installing a DNS server using Active Directory compatible zones and requiring dynamic update security. All member domains can dynamically update DNS information after performing the installation.
7. Stop running Zone Transfer
Zone Transfer is between the primary DNS server and the secondary DNS server. The main DNS servers that are authorized for specific domains contain the DNS file area that can be written and updated as needed. The secondary DNS server receives a read-only copy of these file areas from the primary DNS server. Secondary DNS server is used to increase the ability to enforce DNS queries in an organization or on the Internet.
However, Zone Transfer is not limited to secondary DNS server. Anyone can run a DNS query configuring the DNS server to allow Zone Transfer to dump the entire database file area. Bad users can use this information to explore the name schema in the company and attack key infrastructure services. You can prevent this by configuring the DNS server to deny Zone Transfer to the request, or to configure the DNS server to allow Zone Transfer to deny the request of certain servers only.
8. Use Firewall to control DNS access
Firewall can be used to gain control over users who connect to the DNS server. For DNS servers that are only used for queries from the local workstation, the admin needs to configure the firewall to block connections from external servers to these DNS servers. For DNS servers used as storage forwarders, the firewall needs to be configured to only allow DNS queries from DNS servers used as storage forwarders. A very important firewall policy setting is to block internal users from using DNS communications to connect to external DNS servers.
9. Settings control access to DNS's Registry
On Windows-based DNS servers, access control needs to be configured in DNS server-related registry settings to allow accounts that require access to read and change Registry settings.
DNS key in HKLMCurrentControlSetServices needs to be configured to only allow Admin and access system account, in addition these accounts need to be granted Full Control.
10. Install access control to DNS file system
On Windows-based DNS servers, you should configure access control on the file system related to the DNS server so only accounts that require access to them are allowed to read or change these files.
The % system_directory% DNS directory and subdirectories that need to be installed only allow access to the system account, and the system account needs to be granted Full Control.
1. Use the DNS Forwarder
A DNS Forwarder is a DNS server that performs DNS queries on behalf of many other DNS servers. The DNS Forwarder is used to remove processing tasks from DNS servers that are forwarding these queries to the Forwarder, and increase the DNS cache traffic on the DNS Forwarder.
Another function of the DNS forwarder is to prevent the forwarding DNS server from requesting interactions with Internet DNS servers. This is a particularly important function since the DNS server contains resources within the DNS domain. Instead of allowing internal DNS servers to manually execute commands and contact other DNS servers, it configures the internal DNS server to use a Forwader for all non-authorized domains. 2. Use hosting DNS server
A DNS hosting server is a DNS server that cannot delegate to any DNS domain. It is configured to perform a callback or use a forwarder. When this server receives a response, it saves the result and passes the answer to the system that sends the DNS query to the hosting DNS server. Then, this server can gather multiple DNS responses that significantly reduce the response time for DNS servers of hosted DNS servers.
Storage DNS servers can improve company security when used as a forwarder in your administrative tools group. Internal DNS servers can be set up to use the hosting DNS server as their converter, and the hosting DNS server performs a callback instead of the internal DNS server. Using DNS servers to host them as forwarders can improve security because you don't have to rely on the vendor's DNS servers to be used as a forwarder when you don't trust the security settings. Their DNS server.
3. Using DNS Advertiser
A DNS advertisiser is a DNS server that queries for domains where the DNS Advertiser is authorized. For example, if you store resources for domain.com and corp.com, the public DNS server will be configured with the DNS file area for domain.com and corp.com domains.
The difference between a DNS Advertiser and a DNS server that contains a DNS file area is that the DNS Advertiser responds to queries from the domain name it assigns. The DNS server will not recall the query sent to other servers. This prevents users from using public DNS servers to handle multiple domains, and increases security by reducing the risks of running public DNS Resolutions (caching damage).
4. Use DNS Resolver
The DNS Resolver is a DNS server that can recall commands to process names for domains not authorized by the DNS server. For example, you can use a DNS server that is authorized on the local network for the internal network domain internalcorp.com. When a workstation on the network uses this DNS server to name quantrimang.com, that DNS server will recall the command by retrieving the results on other DNS servers.
The difference between this DNS server and the DNS resolver is that the DNS Resolver is used to name the Internet server. Resolver can be a cached DNS server that is not authorized for any DNS domain. Admin can only allow internal users to use DNS Resolver, or only allow external users to use it to provide security when using an external DNS server out of admin's control, and may allow Internal users and external users access the DNS Resolver.
5. Protect DNS caching
'Pollution' DNS caching is a common problem. Most DNS servers can store DNS query results before forwarding the response to the server sending the query. DNS caching can significantly improve the ability to perform DNS queries. If caching DNS servers is 'contaminated' with many virtual DNS entries, users can be forwarded to malicious websites instead of websites intended to be accessed.
Most DNS servers can be configured to 'cache' caching. For example. The Windows Server 2003 DNS server is configured by default to prevent 'caching'. If you are using a Windows 2000 DNS server, you can install anti-pollution by opening the Properties dialog box in the DNS server, selecting the Advanced tab, and then tick the Prevent Cache Pollution check box and restarting the DNS server.
6. Connection security with DDNS
Many DNS servers allow dynamic updates. The dynamic update feature helps these DNS servers register DNS server names and IP addresses for DHCP servers that contain IP addresses. DDNS can be an effective administrative support tool while manually configuring DNS resource patterns for these servers.
However, not checking DDNS updates can cause a security issue. Bad users can configure servers to dynamically update resources on the DNS server (such as a data server, web server or database server) and navigate to the destination server to their PC. .
You can reduce the risk of having malicious DNS updates by requiring security to connect to the DNS server to update dynamically. This can be easily done by installing a DNS server using Active Directory compatible zones and requiring dynamic update security. All member domains can dynamically update DNS information after performing the installation.
7. Stop running Zone Transfer
Zone Transfer is between the primary DNS server and the secondary DNS server. The main DNS servers that are authorized for specific domains contain the DNS file area that can be written and updated as needed. The secondary DNS server receives a read-only copy of these file areas from the primary DNS server. Secondary DNS server is used to increase the ability to enforce DNS queries in an organization or on the Internet.
However, Zone Transfer is not limited to secondary DNS server. Anyone can run a DNS query configuring the DNS server to allow Zone Transfer to dump the entire database file area. Bad users can use this information to explore the name schema in the company and attack key infrastructure services. You can prevent this by configuring the DNS server to deny Zone Transfer to the request, or to configure the DNS server to allow Zone Transfer to deny the request of certain servers only.
8. Use Firewall to control DNS access
Firewall can be used to gain control over users who connect to the DNS server. For DNS servers that are only used for queries from the local workstation, the admin needs to configure the firewall to block connections from external servers to these DNS servers. For DNS servers used as storage forwarders, the firewall needs to be configured to only allow DNS queries from DNS servers used as storage forwarders. A very important firewall policy setting is to block internal users from using DNS communications to connect to external DNS servers.
9. Settings control access to DNS's Registry
On Windows-based DNS servers, access control needs to be configured in DNS server-related registry settings to allow accounts that require access to read and change Registry settings.
DNS key in HKLMCurrentControlSetServices needs to be configured to only allow Admin and access system account, in addition these accounts need to be granted Full Control.
10. Install access control to DNS file system
On Windows-based DNS servers, you should configure access control on the file system related to the DNS server so only accounts that require access to them are allowed to read or change these files.
The % system_directory% DNS directory and subdirectories that need to be installed only allow access to the system account, and the system account needs to be granted Full Control.
4 ★ | 1 Vote
Samuel DanielYou should read it
- Visualize programming for those who don't know the code
- 7 common mistakes when writing website articles
- Some new features of Access 2010
- Invite Assassin's Creed Chronicles game: China costs 265,000 VND, is free
- How to create virtual Home keys on Android phones
- Panasonic has a laptop that can withstand pressure up to 100 kg
- Fsutil command sparse in Windows
- Share Windows in Mac OS X
May be interested
- 12 ways to become the most 'stupid' security guy
we propose this article to 'awaken' some people who are too disrespectful to the most basic security measures, those who 'doze off' on unreliable or offered tools on some unreliable ones. website. - TrueCrypt encourages users to take other key measuresunfortunately for fans of popular encryption software, truecrypt on the program's official website has a red text warning that truecrypt is no longer safe to continue using. the text is highlighted in red immediately after opening the sourceforge homepage of truecrypt, explaining that due to unresolved security errors.
- How to scan websites for potential security vulnerabilities with Vega on Kali Linuxresisting a hacker attack is one of the most important responsibilities a system administrator must perform. therefore, it is important for a system administrator to take proactive measures to find and fix vulnerabilities in their websites.
- Experts from Kaspersky make recommendations on organizing secure online meetingsmeasures to avoid cyber security risks when working online during an epidemic season
- Simple ways to protect home security cameras, avoid hackingin order to protect yourself and your family against security camera attacks, users can take the simple measures below.
- Trojan 2.0 - Implications of Web 2.0 technologyfinjan malware research center has just released the fourth security risk report. accordingly, measures against traditional malware - signature-based (virus detection based on a database of known malware software) and
- Foreshadow - the fifth most serious security hole in the CPU in 2018this vulnerability could bypass intel sgx security measures. what a tiring year for microprocessors, especially intel.
- How to configure a firewall to block the WannaCry ransomware attackthe infosec (information security) community has a lot of good security measures to protect against ransomware attacks, including ransomware firewall best practices, antivirus tools, and ransomware protection strategies. .
- Some common data security measuresdata protection is extremely essential, because data is the most important asset of users on computers. it can be said that the need to use computers and networks comes from data.
- 4 reasons why Windows UAC is uselessif you have been using windows vista or windows 7, you will probably feel a lot of pain when you have to get the system approval every time you install an application. this feature is called user account control (uac), ...
Secure remote firewall system with SSH
Use Firefox's password manager
10 measures of Apache security
Microsoft fixes 'dangerous' errors for Windows
Enterprise security features in IE 8
Hide data into a safe location - Part 1: Windows XP