DNS (Domain Name System) is a method with a long history. It maps domain names to the IP addresses of computers, so that machines can be reached by readable names; for example, the computer at IP address 207.46.193.254 is the Microsoft server www.microsoft.com. DNS is well designed and works well most of the time. However, there are always some unsatisfactory situations in which it breaks and gives administrators a headache. So how do you find the clues to its failures? Which areas of your DNS setup are less than ideal?
Is there a pattern to follow? The answer is yes. Here are seven sins of DNS servers for your reference:
1. Use an old version of BIND.
BIND, an open source DNS server, is currently the most widely used DNS server software in the world. Most older versions of BIND have serious, well-known vulnerabilities. Attackers can exploit them to bring down your DNS name servers and compromise the hosts running them. Therefore, make sure you run the latest BIND and apply patches promptly.
2. Place all important domain name servers in the same subnet.
In that case, the failure of a single piece of equipment, such as a switch or router, or of a single network connection would prevent Internet users from reaching your website or sending you email.
3. Allow recursion to unauthorized queriers.
If the options are left at their defaults (the default value is shown in brackets):
recursion yes|no;                          [yes]
allow-recursion { address_match_list };    [all hosts]
then the server is unsafe. The recursion option specifies whether named queries other name servers on behalf of a client. Name servers are generally not configured with recursion switched off entirely. At the very least, allow recursion for your own clients but disable it for external queriers, because a name server that handles recursive queries for any client is exposed to cache poisoning and denial-of-service attacks.
4. Allow unauthorized secondary name servers to perform zone transfers.
A zone transfer is the process of copying zone database files between DNS servers. If you provide zone transfers to arbitrary queriers, you expose the name server to attackers and risk having it crash.
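As an added illustration (not from the original article), the following Python script holds two constructed named.conf fragments, one committing sins 3 and 4 and one corrected by restricting allow-recursion and allow-transfer with acl statements, plus a small audit function (hypothetical, not a BIND tool) that flags the open settings.

```python
import re

# Constructed named.conf fragments (assumed, not from the article). The first
# leaves recursion and zone transfers open to everyone; the second restricts both.
OPEN_CONF = """
options {
    recursion yes;
    allow-transfer { any; };
};
"""

HARDENED_CONF = """
acl internal    { 192.0.2.0/24; 2001:db8::/32; localhost; };
acl secondaries { 198.51.100.7; };
options {
    recursion yes;
    allow-recursion { internal; };
    allow-transfer  { secondaries; };
};
"""

def _yes_no(conf, name):
    """Value of a `name yes|no;` option, or None if the option is absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s+(yes|no)\s*;', conf)
    return m.group(1) if m else None

def _match_list(conf, name):
    """Entries of the first `name { a; b; };` address_match_list, or None if absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}\s*;', conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    """Report sins 3 and 4 for one named.conf text as a list of finding strings."""
    findings = []
    # Sin 3: recursion defaults to yes and allow-recursion to all hosts, so
    # recursion enabled with no (or an `any`) allow-recursion is an open resolver.
    recursion = _yes_no(conf, 'recursion') or 'yes'
    allowed = _match_list(conf, 'allow-recursion')
    if recursion == 'yes' and (allowed is None or 'any' in allowed):
        findings.append('recursion open to all queriers (sin 3)')
    # Sin 4: an allow-transfer of `any`, or none at all (older BIND releases
    # default to any), lets arbitrary hosts pull the whole zone.
    transfer = _match_list(conf, 'allow-transfer')
    if transfer is None or 'any' in transfer:
        findings.append('zone transfer allowed to any host (sin 4)')
    return findings
```

Running audit(OPEN_CONF) reports both sins, while audit(HARDENED_CONF) returns an empty list.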
5. No DNS forwarder is used.
A DNS forwarder is a server that performs DNS queries on behalf of other DNS servers. Much name server software, including Microsoft's DNS server and some older BIND releases, does not adequately protect itself against cache poisoning, and other DNS server software has vulnerabilities that malicious responses can exploit. Yet many administrators let these name servers query other name servers on the Internet directly, without using a forwarder at all.
6. Incorrectly setting the Start of Authority (SOA) value.
The SOA record marks the beginning of the zone data and defines parameters that affect the entire zone. Many administrators set the zone's values too low, which causes disruption when refresh queries or zone transfers start to fail. And since the RFC redefined the SOA, some people have reset the negative-caching TTL so that it is too high.
7. Mismatched NS records in delegation and zone data.
Some administrators add or remove name servers but forget to make the corresponding change to the zone's delegation data. This lengthens the time it takes to resolve names in the zone and reduces flexibility.
Of course, these are only some of the common mistakes administrators make, but they can serve as a basic reference when configuring your DNS server.