1- Your DNS Servers should NOT Respond to Name Resolution Requests from Any Unauthorized Networks (F5-AFM)
2- Use a Firewall solution to Filter both Source and Destination Addresses and Ports (F5-AFM)
3- “Zone Transfers” should be Restricted to Specific DNS Servers (F5-DNS)
4- Limit the Number of DNS Servers that are Allowed to Start a DNS Zone Transfer (F5-DNS)
5- When configuring "DNS Express", Consider using a "TSIG Key" (F5-DNS)
6- Configure “IPsec Policy” to Protect Zone Transfers between PRIMARY/SECONDARY DNS Servers (F5-AFM)
7- To protect against Spoofing of DNS Records, use only the “Secure Dynamic Updates” option for Dynamic Update
8- Consider using “Active Directory Integrated Zones”, if you are using Active Directory
9- “Disable” Recursion and Forwarding on all DNS Servers that do NOT require it (F5-DNS)
10- Remove All “Unnecessary Services” from your DNS Servers
11- Consider Adding a Second DNS Server on a “Different Subnet” to further augment protection from DoS Attacks
12- Deploy a DDoS Protection Engine to Mitigate any type of Anomaly targeting your DNS Servers (F5-AFM/DHD)
13- Consider using a "DNSSEC" Solution instead of Traditional DNS, which uses "Unsigned Resource Records" (F5-DNS)
14- Regularly Monitor your DNS Servers and the DNS Log Files (F5-DNS)
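The items above on zone transfers (3, 4), TSIG (5), secure dynamic updates (7) and recursion (9) map directly onto a handful of settings in any authoritative server. The fragment below is an added example, not part of the original post and not F5 configuration: it shows the same controls in BIND 9 named.conf syntax, with the weak form beside the hardened form. The zone name, addresses, key names and the secret value are constructed placeholders.

```conf
# --- WEAK: open recursion, zone transfers and updates to anyone ---
options {
    recursion yes;                 # open resolver: recursion for the whole Internet
    allow-query { any; };
    allow-transfer { any; };       # any host can pull the entire zone (AXFR)
};

zone "example.test" {
    type primary;                  # "type master" on BIND versions before 9.16
    file "db.example.test";
    allow-update { any; };         # unauthenticated dynamic updates: records can be spoofed
};

# --- HARDENED: default-deny, TSIG-signed transfers and updates, no recursion ---
acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; };          # networks allowed to recurse (placeholder)
acl "secondaries" { 192.0.2.53; 198.51.100.53; };           # our secondary servers (placeholder)

# TSIG keys: generate each secret with `tsig-keygen <name>`; the values below are
# placeholders, not real key material.
key "xfer-key"   { algorithm hmac-sha256; secret "REPLACE_WITH_tsig-keygen_OUTPUT"; };
key "update-key" { algorithm hmac-sha256; secret "REPLACE_WITH_tsig-keygen_OUTPUT"; };

options {
    recursion no;                  # authoritative-only server: item 9
    # On a server that must recurse for internal clients, use instead:
    #   recursion yes; allow-recursion { "internal"; };
    allow-query { any; };          # authoritative answers are public data
    allow-transfer { none; };      # global default-deny; enable per zone below
    allow-update { none; };
};

zone "example.test" {
    type primary;
    file "db.example.test";
    # Items 3/4/5: transfers only for requests signed with the shared TSIG key,
    # and only to the listed secondaries.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; 198.51.100.53; };
    # Item 7: dynamic updates only when signed with update-key.
    allow-update { key "update-key"; };
};
```

Validate the file with `named-checkconf` before reloading, and keep the TSIG secrets out of version control; the secondary needs a matching `key` stanza and a `server 192.0.2.1 { keys { "xfer-key"; }; };` entry pointing at the primary (the primary's address here is again a placeholder).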
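Item 14 asks for regular monitoring of the DNS log files, and items 1, 3/4 and 12 describe what to look for in them: recursive queries from networks that should not be served, zone-transfer requests from hosts that are not listed secondaries, and query floods. The script below is an added example, not part of the original post or any F5 tooling: it parses lines in the BIND 9 query-log format and reports those three conditions. The log lines, the network lists and the rate threshold are constructed for the example; in practice the authorized networks and transfer peers would be taken from the server's own configuration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (not real traffic).
# A leading '+' in the flags field means the client asked for recursion (RD bit set).
SAMPLE_LOG = """\
17-Jul-2024 10:00:01.101 client @0x7f3a1c0 10.1.2.3#41234 (www.example.test): query: www.example.test IN A +E(0)K (192.0.2.53)
17-Jul-2024 10:00:01.220 client @0x7f3a1c1 203.0.113.7#51234 (example.test): query: example.test IN AXFR -E(0) (192.0.2.53)
17-Jul-2024 10:00:01.310 client @0x7f3a1c2 198.51.100.53#40001 (example.test): query: example.test IN AXFR -E(0) (192.0.2.53)
17-Jul-2024 10:00:02.005 client @0x7f3a1c3 203.0.113.9#60000 (www.example.test): query: www.example.test IN A +E(0)K (192.0.2.53)
17-Jul-2024 10:00:02.101 client @0x7f3a1c4 198.18.0.5#33001 (example.test): query: example.test IN ANY -E(0) (192.0.2.53)
17-Jul-2024 10:00:02.102 client @0x7f3a1c5 198.18.0.5#33002 (example.test): query: example.test IN ANY -E(0) (192.0.2.53)
17-Jul-2024 10:00:02.103 client @0x7f3a1c6 198.18.0.5#33003 (example.test): query: example.test IN ANY -E(0) (192.0.2.53)
17-Jul-2024 10:00:02.104 client @0x7f3a1c7 198.18.0.5#33004 (example.test): query: example.test IN ANY -E(0) (192.0.2.53)
"""

# Placeholder policy: who may recurse (item 1/9) and who may pull zones (items 3/4).
AUTHORIZED_RECURSION = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_XFER_PEERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("198.51.100.53")}
QUERY_FLOOD_THRESHOLD = 4  # queries per client within the analysed window (tune per environment)

# BIND 9 format: "<date> <time> client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<local ip>)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if the line is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def analyze(log_text, authorized=AUTHORIZED_RECURSION, xfer_peers=ALLOWED_XFER_PEERS,
            flood_threshold=QUERY_FLOOD_THRESHOLD):
    """Return a list of (finding, client_ip, detail) tuples for the policy violations seen in the log."""
    findings = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["ip"]] += 1
        # Item 1/9: a client outside the authorized networks asked us to recurse.
        if rec["recursion_desired"] and not any(rec["ip"] in net for net in authorized):
            findings.append(("recursion-from-unauthorized", str(rec["ip"]), rec["name"]))
        # Items 3/4: a full or incremental zone transfer requested by a non-secondary.
        if rec["qtype"] in ("AXFR", "IXFR") and rec["ip"] not in xfer_peers:
            findings.append(("zone-transfer-from-unlisted", str(rec["ip"]), rec["name"]))
    # Item 12: crude volume anomaly, one client sending a burst of queries.
    for ip, count in per_client.items():
        if count >= flood_threshold:
            findings.append(("query-flood", str(ip), str(count)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run it against a real file with `analyze(open("/var/log/named/query.log").read())`; for the sample above it reports one unauthorized recursion request, one unlisted zone-transfer attempt and one client that exceeds the burst threshold, while the transfer from the listed secondary and the internal client's recursive query pass silently.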