1.4 Use Secure Upstream Caching DNS Servers

Information

Caching name servers often forward queries to another caching name server, which aggregates name-service work and improves performance by taking advantage of the upstream server's cache. The default caching name server provided by the Internet service provider is often used in this manner. This can also be a security weakness, because it relies on servers outside the organization's control and security policies.

Rationale:

The security of every external connection made by systems on your network depends in part on obtaining accurate IP addresses for external names. If the upstream caching name server is compromised, or its cache is poisoned with malicious records, then your entire network may be subject to an attack that redirects web, email, or VPN traffic to malicious servers, or that causes denial of service. Therefore, it is important to evaluate the security of the upstream caching name servers to reduce the risk of DNS attacks being propagated to your network via the upstream provider. A number of security companies offer secure caching DNS services that are worth considering. Features to look for and test include:

Blocking of traffic to websites known to contain malware.

Configurable categories for blocking inappropriate content, such as adult content.

Detection and blocking of malware communications to an external command and control server.

Prevention of DNS spoofing by ensuring the integrity and authenticity of all DNS responses.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following for remediation:

Select an external DNS provider that sufficiently mitigates malicious DNS traffic to meet your organizational requirements.

Review the network architecture and the approved internal DNS servers, and prepare to block outbound DNS traffic, allowing only traffic from the internal caching name servers to the approved DNS servers.

Review, test and document the approved external DNS servers.

Configure the internal caching-only DNS servers to forward queries to the approved external caching DNS servers. A forwarders directive similar to the example below may be placed in the server's options statement.

options {
    // Replace the placeholder addresses (RFC 5737 TEST-NET-1, shown here only
    // as an illustration) with the IP addresses of the approved external
    // caching servers. BIND's forwarders statement accepts IP addresses,
    // optionally followed by "port N"; it does not accept an ACL name.
    forwarders { 192.0.2.53; 192.0.2.54; };
};

Block outbound DNS traffic, allowing only traffic from the internal caching name servers to the approved external DNS servers.
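Because Nessus does not perform this check, the steps above have to be verified by hand. The following script is an added example (not CIS benchmark or BIND project code) that does the two checks a reviewer would want: it extracts the forwarders from a named.conf options block, confirms each one is an IP address on the approved list, and emits the nftables rules that permit DNS from the internal caching server only to those approved addresses while dropping all other outbound DNS. The named.conf fragment, the approved list (RFC 5737 documentation addresses) and the caching server address 10.0.0.53 are constructed for the example; the nftables table and chain names (inet filter / forward) are assumptions to adapt to your ruleset.

```python
"""Audit the BIND forwarders statement against an approved-server list and
generate matching egress rules. Added example; not CIS or BIND project code."""
import ipaddress
import re

# Constructed sample named.conf fragment (not taken from a real server).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // forward everything to the approved external caching servers
    forwarders { 192.0.2.53; 192.0.2.54 port 5353; };
    forward only;
};
"""

# Constructed approved list using RFC 5737 documentation addresses.
APPROVED = {"192.0.2.53", "192.0.2.54"}

# named.conf allows //, # and /* */ comments; strip them before parsing.
_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
_FORWARDERS_RE = re.compile(r"\bforwarders\s*\{([^}]*)\}", re.S)


def strip_comments(text):
    return _COMMENT_RE.sub("", text)


def parse_forwarders(conf_text):
    """Return the forwarder addresses declared in the options block.

    Each entry is 'ip' or 'ip port N'; only the address is returned.
    Raises ValueError if an entry is not an IP address (for example an ACL
    name, which BIND's forwarders statement does not accept)."""
    match = _FORWARDERS_RE.search(strip_comments(conf_text))
    if not match:
        return []
    addrs = []
    for entry in match.group(1).split(";"):
        entry = entry.strip()
        if not entry:
            continue
        addr = entry.split()[0]
        ipaddress.ip_address(addr)  # validation only; raises on bad input
        addrs.append(addr)
    return addrs


def audit_forwarders(conf_text, approved):
    """Return (ok, findings): ok is False when there is no forwarders
    statement, when an entry is not an IP address, or when any forwarder is
    not in the approved set."""
    try:
        forwarders = parse_forwarders(conf_text)
    except ValueError as exc:
        return False, [f"forwarders entry is not an IP address: {exc}"]
    findings = []
    if not forwarders:
        findings.append("no forwarders statement found in options")
    for addr in forwarders:
        if addr not in approved:
            findings.append(f"unapproved forwarder {addr}")
    return (not findings), findings


def nft_egress_rules(caching_server_ip, approved):
    """Build nftables rules that allow DNS (UDP and TCP port 53) from the
    internal caching server to each approved address and drop every other
    outbound DNS packet. Table 'inet filter' and chain 'forward' are assumed
    to exist; rule order matters, so the accepts come before the drops."""
    rules = []
    for addr in sorted(approved):
        for proto in ("udp", "tcp"):
            rules.append(
                f"add rule inet filter forward ip saddr {caching_server_ip} "
                f"ip daddr {addr} {proto} dport 53 accept"
            )
    rules.append("add rule inet filter forward udp dport 53 drop")
    rules.append("add rule inet filter forward tcp dport 53 drop")
    return rules


if __name__ == "__main__":
    ok, findings = audit_forwarders(SAMPLE_NAMED_CONF, APPROVED)
    print("forwarders audit:", "PASS" if ok else "FAIL", findings)
    print("\n".join(nft_egress_rules("10.0.0.53", APPROVED)))
```

Run the audit against the real named.conf of each internal caching server and feed the generated rules to nft; a forwarders statement that still contains a placeholder such as acl_of_approved_servers is reported as a failure rather than silently ignored.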

See Also

https://workbench.cisecurity.org/files/2997