NCCIC / US-CERT   
      
   National Cyber Awareness System:   
      
   TA15-240A: Controlling Outbound DNS Access   
   08/28/2015 01:31 PM EDT   
      
      
   Original release date: August 28, 2015   
      
   Systems Affected   
   Networked systems   
      
   Overview   
   US-CERT has observed an increase in Domain Name System (DNS) traffic from   
   client systems within internal networks to publically hosted DNS servers.   
   Direct client access to Internet DNS servers, rather than controlled access   
   through enterprise DNS servers, can expose an organization to unnecessary   
   security risks and system inefficiencies. This Alert provides recommendations   
   for improving security related to outbound DNS queries and responses.   
      
   Description   
   Client systems and applications may be configured to send DNS requests to   
   servers other than authorized enterprise DNS caching name servers (also called   
   resolving, forwarding or recursive name servers). This type of configuration   
   poses a security risk and may introduce inefficiencies to an organization.   
      
   Impact   
   Unless managed by perimeter technical solutions, client systems and   
   applications may connect to systems outside the enterprise’s administrative   
   control for DNS resolution. Internal enterprise systems should only be   
   permitted to initiate requests to and receive responses from approved   
   enterprise DNS caching name servers. Permitting client systems and   
   applications to connect directly to Internet DNS infrastructure introduces   
   risks and inefficiencies to the organization, which include:   
      
   Bypassed enterprise monitoring and logging of DNS traffic; this type of   
   monitoring is an important tool for detecting potential malicious network   
   activity.   
   Bypassed enterprise DNS security filtering (sinkhole/redirect or   
   blackhole/block) capabilities; this may allow clients to access malicious   
   domains that would otherwise be blocked.   
   Client interaction with compromised or malicious DNS servers; this may cause   
   inaccurate DNS responses for the domain requested (e.g., the client is sent to   
   a phishing site or served malicious code).   
   Lost protections against DNS cache poisoning and denial-of-service attacks.   
   The mitigating effects of a tiered or hierarchical (e.g., separate internal   
   and external DNS servers, split DNS, etc.) DNS architecture used to prevent   
   such attacks are lost.   
   Reduced Internet browsing speed since enterprise DNS caching would not be   
   utilized.   
   Solution   
   Implement the recommendations below to provide a more secure and efficient DNS   
   infrastructure. Please note that these recommendations focus on improving the   
   security of outbound DNS query or responses and do not encompass all DNS   
   security best practices.   
      
   Configure operating systems and applications (including lower-tier DNS servers   
   intended to forward queries to controlled enterprise DNS servers) to use only   
   authorized DNS servers within the enterprise for outbound DNS resolution.   
   Configure enterprise perimeter network devices to block all outbound User   
   Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to   
   destination port 53, except from specific, authorized DNS servers (including   
   both authoritative and caching/forwarding name servers).   
   Additionally, filtering inbound destination port 53 TCP and UDP traffic to   
   only allow connections to authorized DNS servers (including both authoritative   
   and caching/forwarding name servers) will provide additional protections.   
   Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when   
   configuring enterprise recursive DNS resolvers. [1]   
   References   
   Secure Domain Name System (DNS) Deployment Guide   
   Revision History   
   August 28, 2015: Initial Release   
      
   ----------------------------------------------------------------   
   -------------- -   
      
   This product is provided subject to this Notification and this Privacy & Use   
   policy.   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or have questions, please send an email to info@us-cert.gov. Do not reply to   
   this message since this email was sent from a notification-only address that   
   is not monitored. To ensure you receive future US-CERT products, please add   
   US-CERT@ncas.us-cert.gov to your address book.   
   OTHER RESOURCES:   
   Contact Us | Security Publications | Alerts and Tips | Related Resources   
   STAY CONNECTED:   
   Sign up for email updates   
      
   SUBSCRIBER SERVICES:   
   Manage Preferences  |  Unsubscribe  |  Help   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf   
   of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray   
   Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery   
      
   === Cut ===   
      
   --   
   Guardien Fide   :^)   
      
      Ben  aka cMech  Web: http://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)