Private Resolvers

Private resolvers are normally found on corporate/restricted networks and are not publicly accessible. They are often located on private IP address subnets (RFC1918, for instance), limiting reachability from the rest of the Internet (with or without the use of access control lists/filters). Private resolvers are in some cases part of a trusted computing domain (e.g., Active Directory).

There are two types of best practices for private recursive resolver operators: DNS security and privacy, and DNS availability and resilience. In addition to these two categories specific to the core DNS, all operators must pay careful attention to practices related to hardening their core system security.

DNS Security and Privacy: These best practices are aimed at improving the security of your DNS service itself, helping prevent users from being served malicious data, and lowering the chances of data corruption going unnoticed. They also cover practices to mitigate unintended lack of private data to authoritative servers.

Practice 1

DNSSEC validation MUST be enabled for recursive resolvers.

Rationale

Signing zones using DNSSEC authenticates the origin of the data and protects the data’s integrity. But for this to actually work, DNS resolvers performing recursive resolution must validate the data. This means they must be configured with a copy of the root Trust Anchor, and they must be told to validate signatures that are published alongside DNS records.

Practice 2

ACL statements MUST be used to restrict who may send recursive queries to your DNS resolvers/validators.

Rationale

Traffic to the resolvers must be permitted only from the subnets you manage/operate. This can include corporate LANs, public segments hosting services, VPN/roaming user ranges, etc.

Practice 3

QNAME minimization MUST be enabled to mitigate leakage of domain names.

Rationale

QNAME minimization (standardized in RFC 9156) is a technique to improve privacy for DNS queries. With QNAME minimization enabled, the DNS resolver doesn’t send the FQDN and query type (QTYPE) to resolvers it is querying to find the answer to a query, at the expense of a few additional queries.

DNS Availability and Resilience: These best practices aim to improve the robustness, resilience, and stability of your DNS infrastructure. Some of the recommendations can be implemented with minimal changes or additions to your infrastructure.

Practice 4

Authoritative and recursive DNS service MUST NOT coexist on the same DNS server.

Rationale

DNS software packages such as ISC BIND can be configured to function as authoritative and recursive resolution on the same installation. Historically, this was to avoid the cost and overhead of two separate servers, particularly before virtualization was common. This is still the default behavior in most Windows DNS deployments as well. Clients in Active Directory-enabled environments are typically configured to send recursive DNS lookups to DNS servers that by default serve a copy of the organization’s DNS zone. Queries for other domain names are resolved as usual (either directly, or by forwarding queries to an external server).

While this configuration does allow for a simpler setup (and faster lookup times) when looking up names within an organization’s own domain/zone, there are other problems with this configuration, including the risk for those DNS servers answering queries for “stale” domains that have since been delegated to other nameservers. This is a risk when the DNS servers are serving public DNS zones, the contents of which can be looked up from the Internet.

Practice 5

At least two distinct servers MUST be used for providing recursion services.

Rationale

To avoid outages where clients aren’t able to resolve names, it is best to always hand out at least two DNS resolvers when configuring clients, either using DHCP or any other provisioning method. Clients should be able to point to alternate resolver(s) to use in case of failure of the primary. Solutions using a load balancer in front of multiple servers usually aren’t practical because they introduce complexity, and stateful systems risk being overwhelmed by DoS/malware-related traffic from infected clients. An acceptable alternative to configuring a secondary resolver is to deploy Anycast so that multiple resolvers respond to queries sent to a unique resolver IP address.

Practice 6

Monitoring of the services, servers, and network equipment that make up your DNS infrastructure MUST be implemented.

Rationale

Monitoring of your DNS service is critical to ensure that it is available to users and customers. This can be achieved through local monitoring (hosted on premises) or a remote location, and either managed by yourself or a third party (outsourced/cloud based).