April 14, 2003 12:00 AM

DNS Lockdown

Don't overlook DNS when you're securing your network
Windows IT Pro
InstantDoc ID #38432

When planning the 1941 attack on Pearl Harbor, the Japanese Imperial Navy targeted three key US resources. Most people know that the first was the fleet of US battleships, which was decimated in the attack. The second, equally well known, was the US aircraft carrier fleet, which was safely at sea far from Hawaii on December 7. Less widely known was the third target: more than 4 million barrels of fuel oil stored at Hawaii, which the Japanese thought might be the most crucial target but were unable to find. Despite the devastation of the attack on Pearl Harbor, the attack was a failure in two of its three strategic objectives.

Like battleships and aircraft carriers, mainframes and servers receive most of the attention from experts who analyze security risks for a private network. Yet a network's "oil" might actually be the infrastructure functions, such as DNS, that keep it running.

DNS: At Risk?
Because DNS neither stores nor transmits proprietary business data, it might seem an unattractive target for attackers. But DNS attracts several types of attacks. For example, Windows clients register their own host names in DNS through dynamic update; if a zone accepts unauthenticated updates, an attacker can register or overwrite a record so that a trusted host name resolves to a machine the attacker controls, and then impersonate that host to every client that looks it up.

DNS deserves protection because its functionality is vital and the data it stores is valuable. In terms of functionality, DNS makes an appealing target, if only for Denial of Service (DoS) attacks. Anyone who has experienced a complete DNS failure realizes that it can be crippling. And the data that DNS stores is valuable, especially to malicious intruders. DNS zone files often contain the names and addresses of network routers, servers, and mainframe hosts; the name of virtually every system; and even alias (i.e., Canonical Name—CNAME) resource records that are used specifically for applications. Although ignorance of system names or IP addresses might not stop intruders, it can delay them, sometimes long enough to be detected.

Microsoft, at least since the introduction of Windows 2000, seems aware of the importance of DNS security. Making just six changes in your network security will bring your Windows DNS server defenses up to speed.

Step 1: Set Up DNS Zones for Internal and External Use
The first step in ensuring that DNS doesn't become a security liability begins when you select zone names. Many organizations chose their domain name long ago, and changing it (and any code that relies on it) would be time-consuming and expensive. If that's the case, so be it.

But if you're designing a new implementation, be aware that the best philosophy is to never willingly give out information, no matter how unimportant it might seem. Most organizations use the same name (e.g., mightymouse.com) both internally and externally. Using the same DNS domain name inside and outside your network means that everyone who sees an employee's email address knows part of the name of every internal server. But if you use mightymouse.com on the Internet and a different name (the example below uses mm.com) internally, you place one more protective barrier around your systems. The separation must be real, not just cosmetic: the internal zone is hosted only on DNS servers behind your firewall, and the public zone, hosted on your Internet-facing servers, contains only the handful of records outsiders need (Web, mail, name servers). Whichever internal name you choose, make it one your organization actually owns, such as a registered domain or a subdomain of one (corp.mightymouse.com, for example); an internal name that someone else can register on the Internet invites name collisions and leaks internal queries to that registrant whenever a roaming laptop resolves it outside the firewall. Using one zone name for your external (public Internet) presence and another zone name internally isn't difficult and costs nothing.
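The following is an added example, not code from the article or from Microsoft, showing how the split described in Step 1 (and the secure-dynamic-update protection against spoofed registrations mentioned under "DNS: At Risk?") looks when configured with the DnsServer PowerShell module on a current Windows DNS server. Every name and address is a placeholder: mightymouse.com and mm.com are the article's example names, 203.0.113.x is a documentation range standing in for public addresses, 10.1.0.x stands in for the internal network, and 203.0.113.53 is the assumed Internet-facing DNS server. As noted above, in a real deployment the internal zone should be a name you own, such as a subdomain of the registered domain.

```powershell
# Added example (not from the article): split internal and external DNS zones
# on Windows DNS with the DnsServer module (Windows Server 2012 and later).
# All names and addresses below are placeholders chosen for illustration.
#Requires -Modules DnsServer

# --- External zone: hosted on the Internet-facing DNS server only -------------
# File-backed, with dynamic update disabled: nothing on the Internet should be
# able to register or change records in the public zone.
$externalZone = 'mightymouse.com'
if (-not (Get-DnsServerZone -Name $externalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $externalZone -ZoneFile "$externalZone.dns" -DynamicUpdate None
}
# Only the records outsiders need: the Web server, the mail server, and the MX.
Add-DnsServerResourceRecordA  -ZoneName $externalZone -Name 'www'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName $externalZone -Name 'mail' -IPv4Address '203.0.113.25'
Add-DnsServerResourceRecordMX -ZoneName $externalZone -Name '.' -MailExchange "mail.$externalZone" -Preference 10

# --- Internal zone: hosted on the internal DNS servers only --------------------
# Active Directory-integrated, replicated to DNS servers in the domain, and
# accepting only secure (authenticated) dynamic updates, so an unauthenticated
# host cannot register a name or overwrite another host's record.
# 'mm.com' is the article's placeholder; use a name your organization owns.
$internalZone = 'mm.com'
if (-not (Get-DnsServerZone -Name $internalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $internalZone -ReplicationScope Domain -DynamicUpdate Secure
}
# The kind of records the article warns are valuable to an intruder: routers,
# servers, and application aliases. They belong in the internal zone only.
Add-DnsServerResourceRecordA     -ZoneName $internalZone -Name 'rtr-core' -IPv4Address '10.1.0.1'
Add-DnsServerResourceRecordA     -ZoneName $internalZone -Name 'sql01'    -IPv4Address '10.1.0.20'
Add-DnsServerResourceRecordCName -ZoneName $internalZone -Name 'payroll'  -HostNameAlias "sql01.$internalZone"

# --- Check: the Internet-facing server must not answer for internal names -----
# Run this from outside the firewall, pointing at the public DNS server.
$publicDns = '203.0.113.53'   # placeholder: your Internet-facing DNS server
$probes = @("sql01.$internalZone", "payroll.$internalZone", "sql01.$externalZone")
foreach ($name in $probes) {
    $answer = Resolve-DnsName -Name $name -Server $publicDns -DnsOnly -ErrorAction SilentlyContinue
    if ($answer) { Write-Warning "LEAK: $publicDns answers for $name -> $($answer.IPAddress -join ',')" }
    else         { Write-Host    "OK: $publicDns does not resolve $name" }
}

# List the zones the public server actually hosts (auto-created zones excluded);
# the internal zone must not appear here.
Get-DnsServerZone -ComputerName $publicDns |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

The Resolve-DnsName loop is the check worth keeping after the setup: a public server that answers for any internal name, or that lists the internal zone at all, means the split has been undone, typically by someone adding the internal zone to the wrong server or configuring the public server as a secondary for it.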
