...

  1. MUST: Lock down the host configuration (hardening).
    1. MUST: Uninstall/disable services and software packages that are not required for offering DNS service on the system.
    2. MUST: Only run DNS software on the systems that will be offering DNS service (i.e., do not co-locate with web servers, mail servers, etc.).
    3. MUST: Enable all relevant logging channels and levels for the DNS subsystem, including suitable retention policies. Send logs to a central location for archiving, inspection and auditing.
    4. MAY: Query logging for audit purposes/incident analysis (local laws and regulations permitting).
  2. MUST: Limit user permissions and application access to system resources. File permissions and ownership restrictions must be set so that users and services not directly associated with management of the DNS subsystem have no read or write access to DNS service configuration, data files and database subsystems.
    1. MAY: Consider using AppArmor or another capabilities-based security mechanism to restrict which files and resources the DNS subsystem is allowed to access on the host OS.
    2. MAY: Consider placing the DNS service and associated support services in a containerized environment.
  3. MUST: System and service configuration files and zone files/data alike must be versioned, enabling detection of corruption/unauthorized changes, and making it possible to roll back changes.
  4. MUST: Filter access to management services.
    1. MUST: Restrict access to management IP addresses and services (e.g., SSH, web-based configuration tools).
    2. MUST: Close everything except DNS by default.
  5. MUST: Access to the system console must be secured using cryptographic keys, protected with a passphrase (e.g. SSH keys) or using suitable two-factor authentication (OTP generator or token-based).

6. DNS security and privacy

  1. MUST: Authoritative zones must be DNSSEC signed, and best practices for key management must be followed. ccTLD operators: see the ICANN DNSSEC guidebook for ccTLDs:
    https://www.icann.org/en/system/files/files/octo-029-12nov21-en.pdf
  2. MUST: Limit access to zone transfers between authoritative servers. Configure ACLs and TSIG in the authoritative DNS software package to restrict zone transfers to secondary servers.
  3. MUST: Zone File Integrity
    A method of checking the zone file's integrity for unexpected modifications (malicious or accidental) must be implemented. For static zones, this could, for example, be done using the ZONEMD (RFC 8976) message digest and resource record, or existing revision control / versioning procedures, if those are implemented (see Host and Service security). If the zone is dynamic, and producing a message digest for the entire zone is impractical due to size or rate of change, revision control and versioning must enable auditing to narrow down when a given error or malicious change was introduced.
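
One way to apply the revision-control approach to zone file integrity, as an added example that is not part of the original document: compare the zone being served against the last approved copy and report record-level differences. It assumes both copies are one-record-per-line text with fully qualified owner names; the function names, the constructed `example.test` data and the choice to ignore signature records and the SOA serial are assumptions of this example, and it is not an RFC 8976 ZONEMD implementation.

```python
import hashlib

# Assumption: signature/denial records change on every re-signing, so skip them.
VOLATILE_TYPES = {"RRSIG", "NSEC", "NSEC3", "ZONEMD"}

def parse_zone(text):
    """Parse 'owner TTL class type rdata' lines into a set of record tuples."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and comment lines
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rtype = rtype.upper()
        if rtype in VOLATILE_TYPES:
            continue
        if rtype == "SOA":
            rdata[2] = "<serial>"  # serial changes with every legitimate update
        records.add((owner.lower(), ttl, rtype, " ".join(rdata)))
    return records

def zone_digest(records):
    """SHA-384 over sorted records, so record order in the file is irrelevant."""
    h = hashlib.sha384()
    for rec in sorted(records):
        h.update("\t".join(rec).encode() + b"\n")
    return h.hexdigest()

def audit(approved_text, served_text):
    """Return (digests match, records added, records removed) vs. approved copy."""
    approved, served = parse_zone(approved_text), parse_zone(served_text)
    same = zone_digest(approved) == zone_digest(served)
    return same, sorted(served - approved), sorted(approved - served)

# Constructed sample data (documentation names and address ranges).
APPROVED = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.53
www.example.test. 300 IN A 192.0.2.10
"""
SERVED = APPROVED.replace("2024010101", "2024010102").replace("192.0.2.10", "198.51.100.66")

if __name__ == "__main__":
    same, added, removed = audit(APPROVED, SERVED)
    print("unchanged" if same else "differs from approved copy")
    for sign, recs in (("+", added), ("-", removed)):
        for rec in recs:
            print(sign, *rec)
```

Run against each stored revision in turn, the same comparison narrows down the revision in which an unexpected record first appeared.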

...