11.6 Securing Your Name Server
Compared to a modern BIND name server, the Microsoft DNS Server is short on security features, but you do have some options. In this section, we discuss how to prevent unauthorized zone transfers from your servers and how to "lock down" a name server that receives queries from other name servers on the Internet.
11.6.1 Preventing Unauthorized Zone Transfers
It's important to ensure that only the intended name servers (usually this means the secondary name servers listed in the zone's NS records) can transfer zones from your primary name server. Users on remote hosts that can query your name server's zone data can look up data (for example, addresses) only for hosts whose domain names they already know, one at a time. Users who can start zone transfers from your server can list all the hosts in your zones. It's the difference between letting random folks call your company's switchboard and ask for John Q. Cubicle's phone number and sending them a copy of your corporate phone directory.

You control which name servers can perform a zone transfer with settings on the Zone Transfers tab of the zone properties window (see Figure 11-4). You can allow any host to perform zone transfers, or only those name servers listed in the zone's NS records, or only a specific set of name servers you list by IP address.

For a primary name server accessible from the Internet, you definitely want to limit zone transfers to just authorized secondary name servers. You probably don't need to restrict zone transfers on name servers inside your firewall, unless you're worried about your own employees listing your zone data.
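The same restriction can be applied and audited from the command line instead of the Zone Transfers tab. The following is an added example, not from the book or from Microsoft's documentation; it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later (newer than the server version this chapter describes), and the zone name and secondary addresses are placeholders you would replace with the hosts in your own NS records. The equivalent for older releases is the dnscmd tool, shown in a comment.

```powershell
# Added example (not the book's own material): restrict zone transfers on a
# Microsoft DNS Server to the listed secondaries and audit every primary zone.
# Requires the DnsServer module (Windows Server 2012+). Values are placeholders.
$ZoneName    = 'example.com'
$Secondaries = @('192.0.2.10', '192.0.2.11')   # the hosts named in the zone's NS records

# Allow AXFR/IXFR only from the listed IP addresses ("Only to the following servers"
# on the Zone Transfers tab). Other values for -SecureSecondaries:
#   NoTransfer, TransferAnyServer, TransferToZoneNameServer.
# Also send NOTIFY only to those hosts so they pick up changes promptly.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries `
    -Notify NotifyServers `
    -NotifyServers $Secondaries

# Pre-2012 equivalent (dnscmd, present on Windows 2000/2003 servers):
#   dnscmd /ZoneResetSecondaries example.com /SecureList 192.0.2.10 192.0.2.11

# Audit: list every non-automatic primary zone and flag any that still allows
# transfers to any host. Run this periodically; a zone re-created through the
# wizard defaults back to the permissive setting.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        $state = if ($_.SecureSecondaries -eq 'TransferAnyServer') { 'OPEN' } else { 'restricted' }
        '{0,-30} {1,-26} {2}' -f $_.ZoneName, $_.SecureSecondaries, $state
    }
```

The audit loop is the part worth keeping: it reports the transfer policy of every primary zone on the server in one line each, so a zone that was added later with the default "Allow zone transfers to any server" setting shows up as OPEN.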
11.6.2 Disabling Recursion on Delegated Name Servers
Some of your name servers answer nonrecursive queries from other name servers on the Internet because those name servers appear in NS records delegating your zones to them. We'll call these name servers delegated name servers. You can take special measures to secure your delegated name servers by disabling recursion.

Recall that by default, resolvers send recursive queries, and name servers do the work required to answer the queries. (If you don't remember how recursion works, refer to Chapter 2.) In the process of finding the answer to recursive queries, the name servers build up a cache of nonauthoritative information about other zones.

But for security reasons, you don't want delegated name servers to do the extra work required to answer a recursive query or to build up a cache of data. Answering recursive queries opens them up to a potential denial of service (DoS) attack: the Bad Guys can send these servers repeated recursive queries, making them do all kinds of unnecessary work. Answering recursive queries from just anyone is also a bad idea because of caching: the most common spoofing attacks involve inducing the target name server to query name servers under the Bad Guy's control by sending the target a recursive query for a domain name in a zone served by the Bad Guy's servers. The Bad Guys can force your name servers to cache known bad data in this way.

Disabling recursion on delegated servers eliminates these attack vectors. But to do so, you need to make sure these servers don't receive any legitimate recursive queries. Don't configure any resolvers to use these servers and don't list a nonrecursive name server as a forwarder. (When a name server is using another server as a forwarder, it sends the query to the forwarder as a recursive query instead of a nonrecursive query.)

You can induce the Microsoft DNS Server to run as a nonrecursive name server by checking the "Disable recursion (also disables forwarders)" box on the Advanced tab of the server properties window. By default, the name server supports recursion, and this box is unchecked. Disabling recursion doesn't break a delegated server because name servers send nonrecursive queries between themselves.
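The checkbox described above has a command-line counterpart, and it is worth verifying the result from a second host rather than trusting the setting alone. This is an added example, not from the book; it uses the DnsServer module and Resolve-DnsName from Windows Server 2012 / Windows 8 and later, and the server and domain names are placeholders. The dnscmd equivalent for the era this chapter covers appears in a comment.

```powershell
# Added example (not the book's own material): make a delegated Microsoft DNS
# Server nonrecursive and confirm the behaviour. Names are placeholders.
$Server = 'ns1.example.com'   # a delegated server: listed in NS records, used by no resolver

# The checkbox also disables forwarders, so look first: a forwarder list here means
# this server was meant to recurse for someone and is not a candidate.
$fwd = Get-DnsServerForwarder -ComputerName $Server
if ($fwd.IPAddress) {
    Write-Warning "$Server has forwarders configured: $($fwd.IPAddress -join ', ')"
}

# Equivalent of ticking "Disable recursion (also disables forwarders)".
Set-DnsServerRecursion -ComputerName $Server -Enable $false
# Pre-2012 equivalent:  dnscmd ns1.example.com /Config /NoRecursion 1

# Confirm the stored setting.
(Get-DnsServerRecursion -ComputerName $Server).Enable    # expect False

# Behaviour check from another host. -DnsOnly bypasses the local cache and
# hosts file so the answer really comes from $Server.
# 1. A name in a zone this server is authoritative for must still be answered.
Resolve-DnsName -Name 'www.example.com' -Server $Server -DnsOnly
# 2. A name outside its zones should no longer be chased for you: with recursion
#    off the server returns a referral or no answer, which Resolve-DnsName
#    reports as an error rather than an address.
Resolve-DnsName -Name 'www.example.net' -Server $Server -DnsOnly -ErrorAction SilentlyContinue
if ($?) { Write-Warning "$Server still resolved a name outside its zones" }
```

The two Resolve-DnsName calls are the practical test of the chapter's last sentence: a nonrecursive delegated server keeps answering for its own zones (so delegation keeps working) while refusing to do lookup work on behalf of arbitrary clients.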