DNS security guide
DNS (Domain Name System) is one of the most important components in the operation of the Internet and is of great importance for the correct flow of network communications. DNS makes it possible to manage communications between elements that have an Internet IP address by resolving names to addresses. This role of the DNS protocol may seem basic, but it carries the important responsibility of providing the basis for IP communications, so it is vitally important to keep the system prepared to prevent and mitigate the threats against this service.
Because of its widespread use and its design, DNS is exposed to many threats: denial-of-service (DoS) attacks by DNS amplification, domain hijacking that redirects traffic to malicious sites, or DNS cache poisoning.
With these issues in mind, INCIBE publishes this technical guide to provide a reference document on the DNS protocol, including the security aspects of the service and the baselines for its implementation and hardening. In this guide you will find a detailed description of the protocol basics and its security components. Specifically, in the field of security, it explains the vulnerabilities and main known threats to the protocol, as well as the mitigation measures you can deploy to avoid and/or prevent them, first at a generic level. More specifically, the BIND9 software from the Internet Systems Consortium is chosen as the reference for the configuration examples.
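As an added illustration of the kind of hardening the guide refers to (this is an example written for this page, not configuration taken from the INCIBE guide or from ISC), the following BIND9 `named.conf` fragment shows an open-resolver `options` block beside a hardened one that addresses the three threats named above: recursion is restricted so the server cannot be used as a reflector for DNS amplification, response rate limiting blunts spoofed-source floods, and DNSSEC validation rejects forged answers before they reach the cache. The ACL name `internal`, the working directory and the address ranges (192.0.2.0/24, 2001:db8::/32) are assumptions for illustration; substitute your own networks.

```conf
// Added example, not from the INCIBE guide: two "options" blocks for a
// BIND9 recursive resolver, the weak form first and the hardened form second.
// Only one options block may appear in a real named.conf; they are shown
// together here for comparison. Network ranges below are assumed.

// --- Weak: open resolver.
// Anyone on the Internet can make this server recurse, so a spoofed query
// from a victim's address draws a large answer back to the victim (DNS
// amplification). Without DNSSEC validation a forged reply can be cached
// (cache poisoning), and the server still answers cache contents to anyone.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    dnssec-validation no;
};

// --- Hardened: recursion and cache access only for assumed internal
// networks, response rate limiting, DNSSEC validation, smaller answers.
acl "internal" { 127.0.0.0/8; 192.0.2.0/24; 2001:db8::/32; };  // assumed ranges

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { internal; };        // refuse queries from outside (REFUSED)
    allow-recursion { internal; };    // never recurse for external sources
    allow-query-cache { internal; };  // do not leak cached data externally
    // Response Rate Limiting: at most 10 identical responses per second per
    // client block (/24 IPv4, /56 IPv6 by default); excess replies are dropped
    // or, every 2nd one, sent truncated so a real client retries over TCP,
    // which a spoofed source cannot complete.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
    };
    dnssec-validation auto;   // validate signed zones using the built-in root trust anchor
    minimal-responses yes;    // omit optional authority/additional data: lower amplification factor
    version "none";           // do not disclose the BIND version on version.bind CHAOS queries
};
```

Validate the syntax with `named-checkconf` before reloading, then confirm the behaviour from an address outside the `internal` ACL: a query such as `dig @<server> example.com` should come back with status REFUSED rather than an answer. For an authoritative-only server the same idea applies with `recursion no;` and `allow-transfer` restricted to the secondary servers, so the server answers only for the zones it hosts.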