In addition to implementing best practices for DNS security and for DNS availability and resilience, all operators must pay careful attention to practices for hardening the platforms their DNS services use. There are three types of hardening practices: network security, host and service security, and customer-facing portal and service security.
ACLs MUST be implemented to restrict network traffic to your DNS servers.
- For authoritative operators, the ACLs MUST allow only DNS traffic and associated ICMP response codes to your authoritative DNS servers; access to all other services and ports on your network for DNS servers MUST be denied.
- For all DNS operator types (authoritative and recursive), incoming traffic from all so-called Bogon IP subnets MUST be blocked, including private RFC 1918 addresses, and possibly RFC 6598 (Shared IPv4 address space) for v4. Recursive DNS operators should of course NOT block private/shared IP address space deployed within the organization. See https://ipgeolocation.io/resources/bogon.html
BCP38/MANRS egress filtering MUST be implemented so that no network traffic can leave your network with a source IP address that is not assigned to you or your customers.
The configuration of each DNS server MUST be locked down. This includes the following:
- All services and software packages that are not required for offering DNS service on the system MUST be uninstalled or disabled.
- Hosts running DNS services MUST only run DNS software. In other words, DNS servers MUST NOT run other services, such as web or email servers.
- All relevant logging channels and levels for the DNS subsystem MUST be enabled. Logs MUST be sent to a central location for archiving, inspection, and auditing, and they MUST be retained for a reasonable time in accordance with retention policies.
User permissions and application access to system resources MUST be limited. File permissions and ownership restrictions MUST be set so that users and services not directly associated with management of the DNS subsystem do not have read or write access to DNS service configuration, data files, and database subsystems.
System and service configuration files MUST be versioned. For authoritative operators, zone files/data MUST also be versioned.
Access to management services (e.g., SSH, web-based configuration tools) MUST be restricted. All services not needed for DNS or management MUST be disabled or uninstalled if possible, otherwise network access to the unnecessary services MUST be blocked.
Access to the system console MUST be secured using cryptographic keys, protected with a passphrase (e.g. SSH keys) or using suitable two-factor authentication (OTP generator or token-based).
Credentials for customer access (registrants and other domain contacts) MUST follow sound credential management practices, including offering two-factor authentication as an option.