Friday, August 28, 2015

Tabula Rosa Systems Via US-CERT - Controlling Outbound DNS Access



National Cyber Awareness System:
08/28/2015 01:31 PM EDT

Original release date: August 28, 2015

Systems Affected

Networked systems

Overview

US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publicly hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to outbound DNS queries and responses.

Description

Client systems and applications may be configured to send DNS requests to servers other than authorized enterprise DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a security risk and may introduce inefficiencies to an organization.  

Impact

Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the enterprise’s administrative control for DNS resolution. Internal enterprise systems should only be permitted to initiate requests to and receive responses from approved enterprise DNS caching name servers. Permitting client systems and applications to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the organization, which include:
  • Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for detecting potential malicious network activity.
  • Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow clients to access malicious domains that would otherwise be blocked.
  • Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the domain requested (e.g., the client is sent to a phishing site or served malicious code).
  • Lost protections against DNS cache poisoning and denial-of-service attacks. The mitigating effects of a tiered or hierarchical (e.g., separate internal and external DNS servers, split DNS, etc.) DNS architecture used to prevent such attacks are lost.  
  • Reduced Internet browsing speed since enterprise DNS caching would not be utilized.

Solution

Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these recommendations focus on improving the security of outbound DNS query or responses and do not encompass all DNS security best practices.
  • Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution.
  • Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).  
    • Additionally, filtering inbound destination port 53 TCP and UDP traffic to only allow connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protections. 
  • Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS resolvers.
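The two perimeter rules above (block port 53 outbound except from authorized DNS servers; optionally block it inbound except to them) and the first Impact item (clients that bypass enterprise DNS logging) can be checked against flow records before the rules go live. The following is an added example written for this page, not part of the US-CERT alert: it models the perimeter policy as a small classifier and runs it over constructed flow records. The internal networks, the two authorized resolver addresses and the sample flows are all assumed values; substitute your own. Only UDP/TCP traffic to destination port 53 is evaluated, exactly as the alert scopes it.

```python
"""Audit flow records against the US-CERT outbound-DNS perimeter policy.

Added example for this page; addresses and flows are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass

# Assumed enterprise address space (hypothetical; the alert names none).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# The only hosts allowed to exchange port-53 traffic across the perimeter:
# the enterprise caching/forwarding resolvers and authoritative servers.
AUTHORIZED_DNS = {ipaddress.ip_address("10.0.0.53"),   # caching/forwarding resolver
                  ipaddress.ip_address("10.0.0.54")}   # authoritative server
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    """One flow record: source, destination, transport (lowercase) and destination port."""
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Apply the alert's perimeter rules to one flow.

    Returns "allow", or a short reason naming the rule that blocks the flow.
    """
    if flow.proto not in ("udp", "tcp") or flow.dport != DNS_PORT:
        return "allow"  # not DNS-port traffic; outside this policy's scope
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        # Outbound rule: only authorized DNS servers may query Internet DNS.
        if ipaddress.ip_address(flow.src) in AUTHORIZED_DNS:
            return "allow"
        return "block-outbound-direct-dns"
    if dst_in and not src_in:
        # Inbound rule: only authorized DNS servers may be reached on port 53.
        if ipaddress.ip_address(flow.dst) in AUTHORIZED_DNS:
            return "allow"
        return "block-inbound-dns"
    # Internal-to-internal (or external-to-external) flows never cross the
    # perimeter; host and resolver configuration, not this rule set, governs them.
    return "allow"


def audit(flows):
    """Return (flow, reason) for every flow the perimeter policy would block."""
    blocked = []
    for flow in flows:
        verdict = classify(flow)
        if verdict != "allow":
            blocked.append((flow, verdict))
    return blocked


def direct_resolvers(flows):
    """Internal hosts seen querying Internet DNS directly: the clients that
    bypass enterprise DNS logging, filtering and caching."""
    return {flow.src for flow, verdict in audit(flows)
            if verdict == "block-outbound-direct-dns"}


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.1.2.3",    "8.8.8.8",       "udp", 53),   # workstation going straight to a public resolver
    Flow("10.0.0.53",   "8.8.8.8",       "udp", 53),   # enterprise forwarder: allowed
    Flow("10.0.0.53",   "198.51.100.7",  "tcp", 53),   # forwarder, TCP fallback: allowed
    Flow("203.0.113.9", "10.0.0.54",     "udp", 53),   # Internet querying our authoritative server
    Flow("203.0.113.9", "10.1.2.3",      "udp", 53),   # Internet probing a workstation on port 53
    Flow("10.1.2.3",    "93.184.216.34", "tcp", 443),  # HTTPS; not subject to this policy
    Flow("10.1.2.3",    "10.0.0.53",     "udp", 53),   # workstation using the enterprise resolver
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:26} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("hosts bypassing enterprise DNS:", sorted(direct_resolvers(SAMPLE_FLOWS)))
```

Run against real flow or firewall logs before enforcing, the `direct_resolvers` set is the list of hosts whose resolver settings need fixing under the first Solution bullet; anything left in it after the block is applied is a client that is misconfigured and now failing resolution. One caveat beyond the alert's scope: the policy is port-53 based, so DNS carried over HTTPS (443) or TLS (853) is not caught by it and needs separate controls.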
  ================================================================

Special Bulletin - My just released book, "You're Hired. Super Charge Your Email Skills in 60 Minutes! (And Get That Job...)" is now on sale at Amazon.com

Landing your next job has as much to do with getting your email opened and read as it does with your qualifications.  Job searches don’t work the way they used to. Employers use email to weed out job candidates as they search for the perfect match.  Crafting effective, professional messages could make all the difference in securing your next position.
It’s all about the email.  If your email is not opened and read, you can’t get to the next phase of getting your dream job!  Read this book and in just 60 minutes you’ll know how to write better email. Learn to compose emails effectively and soon you’ll hear those magic words:  “You’re Hired!”
“Being able to provide candidates with tips for using email more effectively in their job search is something our MRINetwork recruiters truly value. This edition of Netiquette IQ provides a self-evaluative approach to improving email communication at every level… It offers recruiters a reference guide for ensuring candidates present themselves in the best manner when communicating with clients. The power of these best practices is measurable, especially when top clients land Impact Players.” Scott Bass, Director of Marketing and Communications, MRINetwork® EXPERTS IN GLOBAL SEARCH

Paul Babicki is the founder and president of Tabula Rosa Systems (www.tabularosa.net), a company that sells network, security, email filtering as well as email grammar, tone and content software. Paul’s first book is “Netiquette IQ A Comprehensive Guide to Improve, Enhance and Add Power to Your Email.” Check out his popular blog at (http://NetiquetteIQ.blogspot.com)

=========================================

  Great Netiquette To All!


===========================================================


For a great email parody, view the following link:

https://www.youtube.com/watch?v=HTgYHHKs0Zw&__scoop_post=bcaa0440-2548-11e5-c1bd-90b11c3d2b20&__scoop_topic=2455618
============================================== 
**Important note** - contact our company for very powerful solutions for IP management (IPv4 and IPv6), security, firewall and APT solutions:

www.tabularosa.net

In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email”. You can view my profile, reviews of the book and content excerpts at:

 www.amazon.com/author/paulbabicki

If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and have been a contributor to numerous blogs and publications.

Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides “best of breed” products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT product information for virtually anyone.
==============================================