1 - Name Server Roles and Architecture

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

DNS name servers are a foundational part of your network architecture. How many name servers you need and what roles they should play depends on your organization's network architecture. The following is a list of the roles for Domain Name Servers:

Master Authoritative Only
A master name server is a master or authoritative name server for one or more domains. The master name server is the source of authority where administrators will make their DNS record changes.

Slave Authoritative Only
A slave name server is a name server that is authoritative for the domains, but receives all information and updates via zone transfers from a master name server or sometimes from another slave name server.

Caching Only
A caching only name server is not authoritative for any domain, but provides DNS service for other clients and systems, and will perform recursive DNS queries on behalf of its clients, and will cache answers to improve performance.

Forwarder
A forwarder name server is one that forwards queries to another name server to do the work of looking up the answer. The goal is to aggregate the work in order to make better usage of large caches, or sometimes to save on network bandwidth.

Rationale:

There is a wide variety of mixed roles that are possible, but not necessarily recommended. Any authoritative name server will also cache answers, and caching name servers may be authoritative for domains. It is also possible to have multiple master name servers and to mix master and slave by having a name server act as a master for some domains while acting as a slave for others. Simplicity in your architecture should be a leading goal. Mixing name server roles is not recommended for most situations. There are specific threats and mitigating controls for each role, and by mixing these roles you may be aggregating the risks and preventing a wise separation of services. For example, external slave name servers have the highest threat level, and therefore should have the least information, the least functionality, and the most stringent security configuration. The internal caching name servers, on the other hand, should not be exposed to external traffic, as a compromise or a poisoned cache on these servers would constitute an external attack on your internal clients. Likewise, your internal authoritative name servers typically contain sensitive information that should not be exposed to external queries, or even to the external responses that the internal caching name server will be receiving. Separating these roles significantly mitigates these threats.
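As an added illustration of the four roles above and of the role mixing the rationale warns against (this is not part of the benchmark or of BIND itself), the following Python script reads a BIND named.conf, extracts the global recursion setting, global forwarders and each zone's type, classifies the server as master authoritative only, slave authoritative only, caching only or forwarder, and lists any mixing it finds. The parser is deliberately small and understands only the directives it needs; the named.conf fragments it checks are constructed samples, one per role plus one deliberately mixed server, with assumed addresses from the 192.0.2.0/24 documentation range.

```python
"""Classify a BIND named.conf by name server role and flag mixed roles.

Added example, not benchmark or BIND code. The parser recognises only
options { recursion; forwarders; } and zone "..." { type ...; }; the
configuration fragments in SAMPLES are constructed for this illustration.
"""
import re


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the matchers."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_named_conf(text):
    """Extract the global recursion setting, global forwarders and zone types."""
    text = _strip_comments(text)
    # BIND enables recursion unless told otherwise, so that is the default here.
    conf = {"recursion": True, "forwarders": [], "zones": {}}
    opts = re.search(r"\boptions\s*\{", text)
    if opts:
        body = _block_body(text, opts.end() - 1)
        rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
        if rec:
            conf["recursion"] = rec.group(1) == "yes"
        fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
        if fwd:
            conf["forwarders"] = re.findall(r"[0-9a-fA-F.:]+", fwd.group(1))
    for z in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', text):
        body = _block_body(text, z.end() - 1)
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        conf["zones"][z.group(1)] = ztype.group(1) if ztype else "unknown"
    return conf


def classify(conf):
    """Map a parsed config to one of the benchmark's roles and list role mixing."""
    masters = sorted(n for n, t in conf["zones"].items() if t in ("master", "primary"))
    slaves = sorted(n for n, t in conf["zones"].items() if t in ("slave", "secondary"))
    authoritative = bool(masters or slaves)  # hint and forward zones are not authoritative
    findings = []
    if authoritative and conf["recursion"]:
        findings.append("authoritative zones served with recursion enabled (authoritative/caching mix)")
    if masters and slaves:
        findings.append(f"master for {masters} but slave for {slaves} (master/slave mix)")
    if authoritative and conf["forwarders"]:
        findings.append("authoritative server also forwards queries (authoritative/forwarder mix)")
    if not authoritative and not conf["recursion"]:
        findings.append("no authoritative zones and recursion disabled: server can answer nothing")
    if masters and slaves:
        role = "mixed authoritative"
    elif masters:
        role = "master authoritative only"
    elif slaves:
        role = "slave authoritative only"
    elif conf["forwarders"]:
        role = "forwarder"
    else:
        role = "caching only"
    return {"role": role, "findings": findings}


# Constructed named.conf fragments, one per role plus one mixed server.
SAMPLES = {
    "master": """
options { directory "/var/named"; recursion no; allow-transfer { 192.0.2.20; }; };
zone "example.org" { type master; file "db.example.org"; };
""",
    "slave": """
options { directory "/var/named"; recursion no; };
zone "example.org" { type slave; masters { 192.0.2.10; }; file "slaves/db.example.org"; };
""",
    "caching": """
options { recursion yes; allow-recursion { 10.0.0.0/8; }; allow-query { 10.0.0.0/8; }; };
zone "." { type hint; file "named.ca"; };  // root hints only, no authoritative data
""",
    "forwarder": """
options { recursion yes; forwarders { 192.0.2.53; 192.0.2.54; }; forward only; };
""",
    "mixed": """
options { directory "/var/named"; };  /* recursion left at its default of yes */
zone "example.org" { type master; file "db.example.org"; };
zone "example.net" { type slave; masters { 192.0.2.11; }; };
""",
}


def audit_samples():
    """Classify every sample; returns {name: {"role": ..., "findings": [...]}}."""
    return {name: classify(parse_named_conf(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name:10s} role={result['role']!r} findings={result['findings']}")
```

Run against a real file with `classify(parse_named_conf(open("/etc/named.conf").read()))`; any entry in `findings` is a place where the benchmark's separation of roles has not been applied. The parser does not follow `include` statements or per-view settings, so a server that uses views needs each view checked on its own.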

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Design and document your DNS architecture, including the specific roles for each DNS server, the major security controls in place, and what networks will be able to query each server. Also, consider what sub-domains will be used and managed, how e-mail will be delivered, and how any updates will be performed.