CERT mailing list archives
TA15-240A: Controlling Outbound DNS Access
From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Fri, 28 Aug 2015 15:10:37 -0500
NCCIC / US-CERT National Cyber Awareness System: TA15-240A: Controlling Outbound DNS Access [ https://www.us-cert.gov/ncas/alerts/TA15-240A ] 08/28/2015 01:31 PM EDT

Original release date: August 28, 2015

Systems Affected

Networked systems

Overview

US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publicly hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to outbound DNS queries and responses.

Description

Client systems and applications may be configured to send DNS requests to servers other than the authorized enterprise DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a security risk and may introduce inefficiencies to an organization.

Impact

Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the enterprise's administrative control for DNS resolution. Internal enterprise systems should only be permitted to initiate requests to, and receive responses from, approved enterprise DNS caching name servers. Permitting client systems and applications to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the organization, which include:

* Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for detecting potentially malicious network activity.
* Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow clients to reach malicious domains that would otherwise be blocked.
* Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the domain requested (e.g., the client is sent to a phishing site or served malicious code).
* Lost protections against DNS cache poisoning and denial-of-service attacks. The mitigating effects of a tiered or hierarchical DNS architecture (e.g., separate internal and external DNS servers, split DNS, etc.) used to prevent such attacks are lost.
* Reduced Internet browsing speed, since the enterprise DNS cache would not be utilized.

Solution

Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these recommendations focus on improving the security of outbound DNS queries and responses and do not encompass all DNS security best practices.

* Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution.
* Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).
* Additionally, filtering inbound destination port 53 TCP and UDP traffic to allow only connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protection.
* Refer to Section 12 of NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS resolvers. [1]

References

[1] Secure Domain Name System (DNS) Deployment Guide, NIST Special Publication 800-81-2 [ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf ]

Revision History

* August 28, 2015: Initial Release

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy. A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have questions, please send an email to info () us-cert gov.
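The perimeter rules in the Solution section (outbound port 53 only from authorized DNS servers, inbound port 53 only to them, clients only talking to enterprise resolvers) can be checked against what the perimeter actually sees before the block is enforced. The script below is an added example and is not part of the US-CERT alert or of any US-CERT tooling. It assumes a simple one-flow-per-line connection log (timestamp, protocol, src:port, dst:port), an internal address space of 10.0.0.0/8 and 192.168.0.0/16, and two authorized enterprise DNS servers, 10.0.0.53 and 10.0.1.53; the log lines and all addresses are constructed for illustration.

```python
"""Audit connection records for DNS traffic that bypasses the enterprise
resolvers, applying the TA15-240A perimeter policy to each flow.

Added example, not US-CERT code. Network ranges, resolver addresses and
log lines below are constructed assumptions for illustration.
"""
import ipaddress
from typing import Dict, List

# Assumed enterprise address space (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed authorized DNS servers: authoritative plus caching/forwarding
# name servers, the only hosts allowed to send or receive port-53 traffic
# across the perimeter (constructed).
AUTHORIZED_DNS = {ipaddress.ip_address("10.0.0.53"),
                  ipaddress.ip_address("10.0.1.53")}
DNS_PORT = 53

# Constructed sample log: "<ts> <proto> <src>:<sport> <dst>:<dport>".
# External addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2015-08-28T15:10:01Z udp 10.1.2.3:51234 192.0.2.53:53
2015-08-28T15:10:02Z udp 10.0.0.53:48211 203.0.113.1:53
2015-08-28T15:10:03Z tcp 10.1.2.7:40001 198.51.100.2:53
2015-08-28T15:10:04Z udp 10.1.2.3:51235 10.0.0.53:53
2015-08-28T15:10:05Z tcp 203.0.113.9:5555 10.0.0.53:53
2015-08-28T15:10:06Z tcp 203.0.113.9:5556 10.1.2.3:53
2015-08-28T15:10:07Z udp 10.1.2.9:4444 10.1.2.10:53
2015-08-28T15:10:08Z tcp 10.1.2.3:50000 192.0.2.10:443
"""


def is_internal(addr) -> bool:
    """True if the address falls inside the enterprise address space."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict:
    """Parse one constructed log line into a flow record."""
    ts, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.lower(),
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def classify(rec: Dict) -> str:
    """Return 'allow' or the policy violation a flow represents.

    Both UDP and TCP are checked, since the alert's block applies to both
    transports on destination port 53.
    """
    if rec["dport"] != DNS_PORT:
        return "allow"                      # not DNS; out of scope here
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_in and not dst_in:               # outbound DNS across the perimeter
        return "allow" if rec["src"] in AUTHORIZED_DNS else "outbound-dns-bypass"
    if not src_in and dst_in:               # inbound DNS from the Internet
        return "allow" if rec["dst"] in AUTHORIZED_DNS else "inbound-dns-unauthorized-target"
    if src_in and dst_in:                   # internal client to internal resolver
        return "allow" if rec["dst"] in AUTHORIZED_DNS else "internal-unauthorized-resolver"
    return "allow"                          # external-to-external: not ours to judge


def audit(log_text: str) -> List[Dict]:
    """Run every flow through the policy and return the violating records."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict != "allow":
            findings.append({**rec, "reason": verdict})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per violation type."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


def misconfigured_clients(findings: List[Dict]) -> List[str]:
    """Internal hosts whose resolver configuration needs fixing (recommendation 1)."""
    hosts = {str(f["src"]) for f in findings
             if f["reason"] in ("outbound-dns-bypass", "internal-unauthorized-resolver")}
    return sorted(hosts)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['proto']} {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']}  {f['reason']}")
    print(summarize(results))
    print("clients to reconfigure:", misconfigured_clients(results))
```

Running this over the sample log flags the two clients querying Internet resolvers directly (one over UDP, one over TCP), the external host connecting to port 53 on an ordinary workstation, and the client using an unapproved internal resolver, while the authorized server's own recursion to an external authoritative server and the inbound queries to it pass. The check only sees flows to port 53, so it measures exactly what the alert's perimeter rules would block and nothing else; the list returned by `misconfigured_clients` is the set of hosts whose operating-system or application resolver settings the first recommendation asks you to correct.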