CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA15-240A: Controlling Outbound DNS Access

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Fri, 28 Aug 2015 15:10:37 -0500
NCCIC / US-CERT

National Cyber Awareness System:

TA15-240A: Controlling Outbound DNS Access [ https://www.us-cert.gov/ncas/alerts/TA15-240A ] 08/28/2015 01:31 PM EDT 
Original release date: August 28, 2015

Systems Affected

Networked systems

Overview

US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to 
publically hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through 
enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert 
provides recommendations for improving security related to outbound DNS queries and responses.

Description

Client systems and applications may be configured to send DNS requests to servers other than authorized enterprise DNS 
caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a 
security risk and may introduce inefficiencies to an organization.   

Impact

Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the 
enterprise’s administrative control for DNS resolution. Internal enterprise systems should only be permitted to 
initiate requests to and receive responses from approved enterprise DNS caching name servers. Permitting client systems 
and applications to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the 
organization, which include:


  * Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for 
detecting potential malicious network activity. 
  * Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow 
clients to access malicious domains that would otherwise be blocked. 
  * Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the 
domain requested (e.g., the client is sent to a phishing site or served malicious code). 
  * Lost protections against DNS cache poisoning and denial-of-service attacks. The mitigating effects of a tiered or 
hierarchical (e.g., separate internal and external DNS servers, split DNS, etc.) DNS architecture used to prevent such 
attacks are lost.   
  * Reduced Internet browsing speed since enterprise DNS caching would not be utilized. 

Solution

Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these 
recommendations focus on improving the security of outbound DNS query or responses and do not encompass all DNS 
security best practices.  


  * Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to 
controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS 
resolution. 
  * Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission 
Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both 
authoritative and caching/forwarding name servers).   
  * Additionally, filtering inbound destination port 53 TCP and UDP traffic to only allow connections to authorized DNS 
servers (including both authoritative and caching/forwarding name servers) will provide additional protections.  

  * Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS 
resolvers. [1 [ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf ]] 

References

  * Secure Domain Name System (DNS) Deployment Guide [ 
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf ] 

Revision History

  * August 28, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: