...

Host and service security

  1. MUST: Lock down the host configuration (hardening).
    1. MUST: Uninstall/disable services and software packages that are not required for offering DNS service on the system.
    2. MUST: Only run DNS software on the systems that will be offering DNS service (i.e. do not co-locate the DNS service with a web server, mail server, etc.).
    3. MUST: Enable all relevant logging channels and levels for the DNS subsystem, including suitable retention policies. Send logs to a central location for archiving, inspection and auditing.
    4. MUST: Configure the DNS service itself to only respond to queries originating from known subnets. This is to avoid probing and leaking of internal DNS information in case of misconfiguration of routing/perimeter security (ACLs).
    5. MAY: Enable query logging for audit purposes and incident analysis (local laws and regulations permitting).
  2. MUST: Limit user permissions and application access to system resources. File permissions and ownership restrictions must be set so that users and services not directly associated with management of the DNS subsystem have no read or write access to DNS service configuration, data files and database subsystems.
    1. MUST: Keep system and service configuration files under version control, so that corruption or unauthorized changes can be detected and rolled back.
    2. MAY: Consider using AppArmor or another capabilities-based security mechanism to restrict which files and resources the DNS subsystem is allowed to access on the host OS.
    3. MAY: Consider placing the DNS service and associated support services in a containerized environment.
  3. MUST: Filter access to management services.
    1. MUST: Restrict access to management IP addresses and services (e.g. SSH, web-based configuration tools).
    2. MUST: Close everything except DNS by default.
  4. MUST: Secure access to the system console using cryptographic keys, protected with a passphrase (e.g. SSH keys) or using suitable two-factor authentication (OTP generator or token-based).
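As an added example (not part of the original checklist), the following Python audit check implements items 1.3 and 1.4 for a BIND `named.conf`: it flags `allow-query`/`allow-recursion`/`allow-transfer` clauses that admit any source and a missing `logging` block. Both configuration samples are constructed for illustration; the ACL name `trusted` and the subnets are assumptions.

```python
import re

# Constructed sample: a weak options block that answers everyone (open resolver).
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};
"""

# Constructed sample: the same server restricted to known subnets (item 1.4)
# with security and query logging sent to syslog (item 1.3).
HARDENED_CONF = """
acl "trusted" { 10.0.0.0/8; 192.168.1.0/24; localhost; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-transfer { none; };
};
logging {
    channel sec_log { syslog daemon; severity info; print-time yes; print-category yes; };
    category security { sec_log; };
    category queries { sec_log; };
};
"""

def _clause(conf, name):
    """Return the text inside `name { ... }` (up to the first closing brace), or None if absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', conf)
    return m.group(1) if m else None

def audit_named_conf(conf):
    """Return a list of findings; an empty list means items 1.3 and 1.4 are satisfied."""
    findings = []
    for directive in ("allow-query", "allow-recursion"):
        body = _clause(conf, directive)
        if body is None:
            findings.append(f"{directive} not set explicitly: restrict it to known subnets")
        elif re.search(r'\bany\b', body):
            findings.append(f"{directive} permits any source address")
    xfer = _clause(conf, "allow-transfer")
    if xfer is None or re.search(r'\bany\b', xfer):
        findings.append("allow-transfer unrestricted: zone contents can be enumerated")
    if _clause(conf, "logging") is None:
        findings.append("no logging block: security/query channels not configured")
    return findings
```

Run `audit_named_conf` over each configuration file deployed from version control (item 2.1) so a regression back to `any` is caught before it reaches the server.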

...