Securing Your DNS Infrastructure in 5 Minutes
Allan Liska

About Me
15+ Years Experience in Security
Solutions Architect at Recorded Future
Writes about: Security, Intelligence, DNS, Ransomware and NTP.
Contact me: allan@allan.org or @uuallan

Despite Its Importance, DNS Security is often Overlooked
This presentation is a 15-point checklist for improving your DNS security
1. What domains does your organization have, who registered them & when do they expire?
2. Where Are They Registered?
3. Centralize control of domains & create a domain registration policy
4. Enable Registrar 2-Factor Authentication
5. Lock Domains to Prevent Updates/Transfers
6. Enable DNSSEC for your Domains
7. Host Primary and Secondary DNS with Different Registrars
8. Pen-Test Your Registrars (NOT THEIR NETWORK!)
Musical Interlude
9. Use Split-View Recursive DNS
10. Patch your recursive DNS server
11. Block all outgoing traffic on TCP/UDP port 53 at the firewall. Except, of course, traffic from your recursive DNS server…
12. Enable RPZs/Blacklists
13. Log DNS Traffic
14. MONITOR THE LOGS MONITOR THE LOGS MONITOR THE LOGS
15. Document all of the steps
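
Added example, not part of the original presentation: a check that ties items 11, 13 and 14 together by scanning firewall flow logs for port 53 traffic leaving the network from anything other than the recursive DNS server. The log format, the 10.0.0.0/8 internal range, the resolver address 10.0.0.53 and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch: internal address space and approved resolvers.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Constructed sample flow log, fields: time src dst proto dport action
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.53 198.51.100.7 udp 53 allow
2024-01-01T10:00:01Z 10.0.4.20 10.0.0.53 udp 53 allow
2024-01-01T10:00:02Z 10.0.4.20 203.0.113.9 udp 53 deny
2024-01-01T10:00:03Z 10.0.7.31 203.0.113.9 tcp 53 allow
2024-01-01T10:00:04Z 10.0.7.31 192.0.2.44 udp 53 allow
2024-01-01T10:00:05Z 10.0.4.20 203.0.113.9 tcp 443 allow
malformed line
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_dns_bypass(log_text):
    """Return {src: {"allow": n, "deny": n, "dsts": set}} for outbound
    port-53 flows that do not originate from an approved resolver."""
    findings = defaultdict(lambda: {"allow": 0, "deny": 0, "dsts": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records rather than crash
        _, src, dst, proto, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dport != "53" or proto not in ("udp", "tcp") or action not in ("allow", "deny"):
            continue
        # Only flows leaving the network matter; internal clients talking
        # to the internal resolver are the expected path.
        if not is_internal(src_ip) or is_internal(dst_ip) or src_ip in RESOLVERS:
            continue
        entry = findings[src]
        entry[action] += 1
        entry["dsts"].add(dst)
    return dict(findings)

def firewall_gaps(findings):
    """Sources whose direct DNS was *allowed*: the egress rule is missing."""
    return sorted(s for s, f in findings.items() if f["allow"] > 0)
```

Sources that only show denied flows mean the firewall rule is working but the host is still attempting direct DNS, which is worth investigating; sources with allowed flows mean the egress block from item 11 has a gap.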