A problem that is becoming very common is DNS cache pollution. An attacker takes advantage of this by using a rogue name server and then intentionally formulating information that is misleading, either as a helpful hint or an answer. This then gets cached by your unsuspecting DNS server.
The majority of DNS servers can be easily configured for preventing cache pollution. For example, DNS server on Windows Server 2003 has been configured by default server to prevent cache pollution. The problem, however, is if your DNS server cache is already “polluted” with lots of bogus DNS entries. If you’re using an older version, you can configure your DNS security to prevent cache pollution through the Advanced Tab.
Managing Client Flooding
Client flooding takes place when the system of a client sends out a genuine query, but ends up receiving and accepting DNS responses in thousands coming from the attacker. The success of the attacker is typically due lack of responses authentication. Without a strong authentication system, the client lacks the ability of verifying the response origin. The newest Bind and Unbound DNS server versions come with a configuration option that limits the queries rate.
Using Firewalls to Control Access
Firewalls may be utilized in gaining access control over who is able to connect with your DNS servers. DNS servers only being used for internal client queries, the firewalls may be configured to block connections coming from all external hosts.
DNS servers being employed as caching-only forwarders, the firewalls can be configured to allow DNS queries coming from those servers that only utilize caching-only forwarders. A particularly critical firewall policy setting is blocking internal users from utilizing the DNS protocol in connecting to all external DNS servers.
Insecure core protocols, lack of integrity, and authentication checking of the DNS information can compromise the optimal DNS functionality. Besides the above DNS security controls, others that can be deployed include limiting connectivity to servers from the layer 3 levels (outside world), and integrating layer 2-7 (IDS/IPS inline) protection.
However, it is important to point out that these controls come with limited ability in terms of protecting DNS interfaces that in are generally open to the world. This is because technically savvy users could use Dynamic DNS along with SSH tunnelling or OpenVPN to gain access to your restricted content, effectively bypassing your own network security controls. You can learn more by visiting BlueCat.