1.4 Use Secure Upstream Caching DNS Servers

Information

Caching name servers often forward queries to another caching name server to allow the name service work to be aggregated and improve performance by taking advantage of the cache of an upstream name server. The default caching name server provided by the Internet service provider is often used in this manner. This may also be a security weakness by relying on insecure servers outside the organization's control and security policies.

Rationale:
The security of all of the external connections that your systems on your network depend in part on getting accurate IP addresses for external names. If the upstream caching name server is compromised, or has its cache poisoned with malicious records, then your entire network may be subject to an attack which may redirect web, email, or VPN traffic to malicious servers, or may cause denial of services attacks. Therefore, it is important to evaluate the security of the upstream caching name servers to reduce the risk of DNS attacks propagated to your network via the upstream provider.

There are a number of security companies that offer secure caching DNS services that are worth considering. Features to look for and test include:
- Blocking of traffic to websites known to contain malware.
- Configurable categories for blocking inappropriate content, such as adult content.??
- Detecting and blocking of malware communications to an external command and control server.
- Prevent DNS spoofing by ensuring the integrity and authenticity of all DNS responses.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following for remediation:

- Review network architectural, approved internal DNS servers, and block outbound DNS traffic, except for the approved DNS servers.
- Select an external DNS provider that sufficiently mitigates malicious DNS traffic to meet your organizational requirements??
- Review, test and document the approved external DNS servers, and configure the internal caching-only DNS servers to use the approved external caching DNS server.

See Also

https://workbench.cisecurity.org/files/1735