NCCIC / US-CERT

National Cyber Awareness System:

TA15-240A: Controlling Outbound DNS Access
08/28/2015 01:31 PM EDT


Original release date: August 28, 2015

Systems Affected
Networked systems

Overview
US-CERT has observed an increase in Domain Name System (DNS) traffic from
client systems within internal networks to publically hosted DNS servers.
Direct client access to Internet DNS servers, rather than controlled access
through enterprise DNS servers, can expose an organization to unnecessary
security risks and system inefficiencies. This Alert provides recommendations
for improving security related to outbound DNS queries and responses.

Description
Client systems and applications may be configured to send DNS requests to
servers other than authorized enterprise DNS caching name servers (also called
resolving, forwarding or recursive name servers). This type of configuration
poses a security risk and may introduce inefficiencies to an organization.

Impact
Unless managed by perimeter technical solutions, client systems and
applications may connect to systems outside the enterprise’s administrative
control for DNS resolution. Internal enterprise systems should only be
permitted to initiate requests to and receive responses from approved
enterprise DNS caching name servers. Permitting client systems and
applications to connect directly to Internet DNS infrastructure introduces
risks and inefficiencies to the organization, which include:

Bypassed enterprise monitoring and logging of DNS traffic; this type of
monitoring is an important tool for detecting potential malicious network
activity.
Bypassed enterprise DNS security filtering (sinkhole/redirect or
blackhole/block) capabilities; this may allow clients to access malicious
domains that would otherwise be blocked.
Client interaction with compromised or malicious DNS servers; this may cause
inaccurate DNS responses for the domain requested (e.g., the client is sent to
a phishing site or served malicious code).
Lost protections against DNS cache poisoning and denial-of-service attacks.
The mitigating effects of a tiered or hierarchical (e.g., separate internal
and external DNS servers, split DNS, etc.) DNS architecture used to prevent
such attacks are lost.
Reduced Internet browsing speed since enterprise DNS caching would not be
utilized.
Solution
Implement the recommendations below to provide a more secure and efficient DNS
infrastructure. Please note that these recommendations focus on improving the
security of outbound DNS query or responses and do not encompass all DNS
security best practices.

Configure operating systems and applications (including lower-tier DNS servers
intended to forward queries to controlled enterprise DNS servers) to use only
authorized DNS servers within the enterprise for outbound DNS resolution.
Configure enterprise perimeter network devices to block all outbound User
Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to
destination port 53, except from specific, authorized DNS servers (including
both authoritative and caching/forwarding name servers).
Additionally, filtering inbound destination port 53 TCP and UDP traffic to
only allow connections to authorized DNS servers (including both authoritative
and caching/forwarding name servers) will provide additional protections.
Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when
configuring enterprise recursive DNS resolvers. [1]
References
Secure Domain Name System (DNS) Deployment Guide
Revision History
August 28, 2015: Initial Release

----------------------------------------------------------------
-------------- -

This product is provided subject to this Notification and this Privacy & Use
policy.


----------------------------------------------------------------
-------------- -
A copy of this publication is available at www.us-cert.gov. If you need help
or have questions, please send an email to info@us-cert.gov. Do not reply to
this message since this email was sent from a notification-only address that
is not monitored. To ensure you receive future US-CERT products, please add
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


----------------------------------------------------------------
-------------- -
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery

=== Cut ===

--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)