Ten things you should know about securing DNS

2013-08-29 ⁄ General ⁄ 10139 characters

by Dr. Thomas Shinder, MCSE

Translation: endurer, first draft 2005-09-14

Keywords: Security | TCP/IP | Network security

Takeaway:
DNS server software is a favorite target of attackers, and a poorly secured DNS server exposes everything that relies on name resolution. Here are some of the most effective ways to lock down DNS servers.

1. Use DNS forwarders

A DNS forwarder is a DNS server that performs DNS queries on behalf of another DNS server. There are two main reasons to use one: it offloads the work of resolving non-local names from the DNS server that forwards the query, and because the forwarder serves many servers it builds up a larger cache, so more queries are answered without leaving the network.

Another benefit of a forwarder is that it keeps the forwarding DNS server from talking to Internet DNS servers at all. This matters most when that server hosts the resource records for your internal domain. Rather than letting your internal DNS servers perform recursion and contact Internet name servers themselves, configure them to send every query for a domain they are not authoritative for to the forwarder.

2. Use caching-only DNS servers

A caching-only DNS server is one that is not authoritative for any DNS domain. It is configured either to perform recursion itself or to use a forwarder. When it receives a response, it caches the result and returns the answer to the system that issued the query. Over time a caching-only server amasses a large cache of DNS responses, which can significantly improve response times for its clients.

Caching-only DNS servers improve security when they are used as forwarders that are under your own administrative control. Configure your internal DNS servers to use the caching-only server as their forwarder; the caching-only server then performs recursion on their behalf. Running your own caching-only forwarder means you do not have to depend on your ISP's DNS servers, whose security configuration you cannot verify.

3. Use DNS advertisers

A DNS advertiser is a DNS server that resolves queries only for the domains for which it is authoritative. For example, if you host publicly available resources for domain.com and corp.com, your public DNS server is configured with zone files for the domain.com and corp.com domains.

What sets a DNS advertiser apart from any other DNS server hosting zone files is that it answers only for those zones: it does not perform recursion to other DNS servers on behalf of whoever is asking. This stops outsiders from using your public DNS server to resolve names in other domains, and it removes the risks that come with running a public recursive resolver, cache poisoning among them.

4. Use DNS resolvers

A DNS resolver is a DNS server that can perform recursion to resolve names in domains for which it is not authoritative. For example, you might have a DNS server on your internal network that is authoritative for your internal domain, internalcorp.com. When a client on your network uses that server to resolve the name techrepublic.com, the server performs recursion, querying other DNS servers, to get the answer.

The difference between that server and a dedicated DNS resolver is that a resolver does nothing but resolve Internet host names. A resolver is typically a caching-only DNS server that is authoritative for no zones. You can expose it only to internal users, only to external users (as a trustworthy alternative to DNS servers outside your administrative control), or to both.
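The three server roles described in items 1 to 4 come down to a handful of settings on a Windows DNS server. The following PowerShell is an added example written for this page, not code from the article or from Microsoft; it uses the DnsServer module cmdlets that ship with Windows Server 2012 and later, and the forwarder addresses in the usage lines are placeholders.

```powershell
# Added example (not from the article): put a Windows DNS server into one of the
# three roles the text describes. Requires the DnsServer module; run elevated.

function Set-DnsServerRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('InternalAuthoritative', 'CachingOnlyForwarder', 'Advertiser')]
        [string]$Role,

        # Only used by InternalAuthoritative: your own caching-only forwarders.
        [ipaddress[]]$Forwarders
    )

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "configure as $Role")) { return }

    switch ($Role) {
        'InternalAuthoritative' {
            if (-not $Forwarders) { throw 'InternalAuthoritative needs -Forwarders' }
            # Every query this server is not authoritative for goes to the forwarders.
            # UseRootHint $false stops it from contacting Internet name servers itself
            # when the forwarders do not answer.
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3
        }
        'CachingOnlyForwarder' {
            # Hosts no zones; resolves from the root hints on behalf of the internal servers.
            $existing = (Get-DnsServerForwarder).IPAddress
            if ($existing) { Remove-DnsServerForwarder -IPAddress $existing -Force }
            Set-DnsServerRecursion -Enable $true
        }
        'Advertiser' {
            # Authoritative-only: answers for its own zones and refuses recursion, which
            # on Windows also disables the use of forwarders.
            Set-DnsServerRecursion -Enable $false
        }
    }
}

# Summarise the role a server is actually playing, so configuration drift can be spotted.
function Get-DnsServerRoleReport {
    $recursion = Get-DnsServerRecursion
    $fwd       = Get-DnsServerForwarder
    $zones     = @(Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated })
    [pscustomobject]@{
        RecursionEnabled = $recursion.Enable
        Forwarders       = @($fwd.IPAddress | ForEach-Object IPAddressToString)
        UseRootHint      = $fwd.UseRootHint
        HostedZones      = @($zones | ForEach-Object ZoneName)
        # An advertiser must have recursion off; a caching-only forwarder must host nothing.
        LooksLike        = $(if (-not $recursion.Enable) { 'Advertiser' }
                             elseif ($zones.Count -eq 0) { 'CachingOnly' }
                             else { 'InternalAuthoritative' })
    }
}

# Usage on an internal DNS server that hosts the corp zone (addresses are placeholders):
# Set-DnsServerRole -Role InternalAuthoritative -Forwarders 10.0.0.53, 10.0.1.53
# Get-DnsServerRoleReport
```

Add -WhatIf to Set-DnsServerRole to see what would change. The report is worth running periodically on the public advertiser in particular: if RecursionEnabled ever flips back to True, the server has become an open resolver.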

5. Protect DNS from cache pollution

DNS cache pollution is an increasingly common problem. Most DNS servers cache the results of the queries they resolve before handing the response to the host that asked. The cache can significantly improve DNS performance throughout your organization. The problem is that if the cache is "polluted" with bogus entries, users are subsequently sent to malicious Web sites instead of the sites they intended to visit.

The usual vector is a response that carries extra records for names outside the zone the answering server was asked about; a server that caches those unconditionally lets anyone who can answer one of its queries plant records for arbitrary domains. Most DNS servers can be configured to discard such out-of-zone data. The Windows Server 2003 DNS server does so by default. On a Windows 2000 DNS server, open the Properties dialog box for the server, click the Advanced tab, select the Secure cache against pollution check box, and restart the DNS service.
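To make the rule concrete, here is an added example (written for this page, not the article's code) that models the check a pollution-protected cache performs on a constructed DNS response and then turns on the real setting on a Windows DNS server. The record set is invented for illustration.

```powershell
# Added example (not from the article). Part one is a plain PowerShell model of the
# bailiwick rule; part two enables the equivalent Windows DNS server setting.

# A record may be cached only if its owner name is inside the bailiwick, i.e. at or
# below the zone the answering server was asked about. The comparison ignores case
# and the trailing dot.
function Test-InBailiwick {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Bailiwick)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    $b = $Bailiwick.TrimEnd('.').ToLowerInvariant()
    return ($n -eq $b) -or $n.EndsWith(".$b")
}

# Emits the records of a response that a protected cache would keep and warns about
# each one it drops.
function Select-CacheableRecord {
    param([Parameter(Mandatory)][object[]]$Records, [Parameter(Mandatory)][string]$Bailiwick)
    foreach ($r in $Records) {
        if (Test-InBailiwick -Name $r.Name -Bailiwick $Bailiwick) { $r }
        else { Write-Warning ('dropping out-of-bailiwick {0} {1} -> {2}' -f $r.Type, $r.Name, $r.Data) }
    }
}

# Constructed sample: a reply from the example.com name servers whose Additional section
# smuggles in records for names that are not under example.com at all.
$response = @(
    [pscustomobject]@{ Section = 'Answer';     Name = 'www.example.com';           Type = 'A';  Data = '192.0.2.10' }
    [pscustomobject]@{ Section = 'Authority';  Name = 'example.com';               Type = 'NS'; Data = 'ns1.example.com' }
    [pscustomobject]@{ Section = 'Additional'; Name = 'ns1.example.com';           Type = 'A';  Data = '192.0.2.53' }
    [pscustomobject]@{ Section = 'Additional'; Name = 'www.bank.example';          Type = 'A';  Data = '198.51.100.66' }
    [pscustomobject]@{ Section = 'Additional'; Name = 'example.com.attacker.test'; Type = 'A';  Data = '203.0.113.9' }
)
$kept = Select-CacheableRecord -Records $response -Bailiwick 'example.com'
$kept | Format-Table Section, Name, Type, Data -AutoSize

# Windows Server 2012 and later expose the "Secure cache against pollution" option
# through the DnsServer module as PollutionProtection.
if (Get-Command Set-DnsServerCache -ErrorAction SilentlyContinue) {
    Set-DnsServerCache -PollutionProtection $true
    (Get-DnsServerCache).PollutionProtection
}
# Older servers: dnscmd /Config /SecureResponses 1
```

Run stand-alone, the filter keeps the three example.com records and writes a warning for the two that belong to other domains; note that the last one is caught because the suffix test requires a dot before example.com, so a name merely containing the zone name does not pass. The cmdlet section is skipped on a machine without the DnsServer module.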

6. Enable DDNS for secure connections only

Many DNS servers accept dynamic updates. The dynamic update feature lets these servers register host names and IP addresses for hosts that obtain their addresses from DHCP. DDNS greatly reduces the administrative overhead for DNS administrators, who would otherwise have to create and maintain resource records for those hosts by hand.

However, unchecked DDNS updates are a major security issue. A malicious user can configure a host to dynamically overwrite the host records of a file server, Web server, or database server, so that connections destined for those servers are diverted to his machine instead of the intended target.

You reduce this risk by requiring an authenticated, secure connection to the DNS server before an update is accepted. On Windows this is easily done by storing the zone in Active Directory (an Active Directory integrated zone) and setting the zone to allow secure dynamic updates only. After the change, domain members can still update their own records, but only in an authenticated security context, and each record is protected by an ACL so that one machine cannot overwrite another's.
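The following PowerShell, an added example rather than code from the article, finds zones that still accept unauthenticated updates and converts them to Active Directory integrated, secure-only zones. It assumes the DnsServer module on a domain controller; zone names in the usage lines are placeholders.

```powershell
# Added example (not from the article): audit and enforce secure-only dynamic updates.

# Primary zones (excluding the auto-created ones) whose update policy is weaker than Secure.
function Get-InsecureDynamicUpdateZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

function Enable-SecureDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        # Where the zone is replicated once it lives in Active Directory.
        [ValidateSet('Domain', 'Forest', 'Legacy')][string]$ReplicationScope = 'Domain'
    )
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -ne 'Primary') {
        throw "$ZoneName is a $($zone.ZoneType) zone here; change the setting on the primary"
    }

    # Secure updates rely on ACLs on the zone's objects in AD, so a file-backed zone
    # has to be moved into the directory first.
    if (-not $zone.IsDsIntegrated -and $PSCmdlet.ShouldProcess($ZoneName, "store in AD ($ReplicationScope)")) {
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -Force
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, 'allow secure dynamic updates only')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    }
    Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

# Usage: review first, then fix each finding (add -WhatIf to preview the changes).
# Get-InsecureDynamicUpdateZone
# Get-InsecureDynamicUpdateZone | ForEach-Object { Enable-SecureDynamicUpdate -ZoneName $_.ZoneName }
```

Hosts whose records were registered while the zone allowed nonsecure updates keep working: the next refresh (ipconfig /registerdns on the client) recreates the record under the client's own computer account, after which only that account can change it.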

7. Disable zone transfers

Zone transfers take place between primary and secondary DNS servers. Primary DNS servers, which are authoritative for specific domains, hold the writable zone files that are updated as needed. Secondary DNS servers receive a read-only copy of those zone files from the primary through a zone transfer. Secondaries are used to improve DNS query performance and availability throughout an organization or across the Internet.

However, zone transfers are not inherently limited to secondary servers. Anyone can send a zone transfer request (an AXFR query) to a DNS server that is configured to allow transfers to any host, and the server will dump its entire zone database in reply. Attackers use this to reconnoiter the naming scheme in your organization and pick out key infrastructure services to attack. Prevent it by configuring your DNS servers to deny zone transfer requests altogether, or to allow transfers only to the specific secondary servers you designate.
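An added example (not the article's code) for reporting and fixing zone-transfer exposure on a Windows DNS server with the DnsServer module. Zone names and secondary addresses in the usage lines are placeholders.

```powershell
# Added example (not from the article): zone-transfer policy audit and remediation.

# One row per primary zone, flagging the ones that hand their whole database to anyone.
function Get-ZoneTransferPolicy {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = @($_.SecondaryServers | ForEach-Object IPAddressToString)
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        # Leave empty to refuse all transfers; otherwise only these hosts may pull the zone.
        [ipaddress[]]$Secondaries
    )
    if (-not $PSCmdlet.ShouldProcess($ZoneName, 'restrict zone transfers')) { return }
    if ($Secondaries) {
        # Transfers and change notifications go to the listed secondaries only.
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $Secondaries -Notify NotifyServers -NotifyServers $Secondaries
    } else {
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer -Notify NoNotify
    }
    Get-ZoneTransferPolicy | Where-Object ZoneName -eq $ZoneName
}

# Usage:
# Get-ZoneTransferPolicy | Where-Object Exposed
# Set-ZoneTransferPolicy -ZoneName corp.example -Secondaries 10.0.0.54   # one designated secondary
# Set-ZoneTransferPolicy -ZoneName example.com                           # no transfers at all
```

Active Directory integrated zones replicate through AD and need no zone transfers unless you run non-AD secondaries, so NoTransfer is the right default for them. Verify from outside the network with `dig @ns1.example.com example.com AXFR` (the server should answer with a refusal, which dig reports as "Transfer failed."), or with nslookup's `ls -d example.com`.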

8. Use firewalls to control DNS access

Firewalls let you control who can connect to your DNS servers. For DNS servers that serve only internal client queries, configure the firewall to block connections from external hosts. For DNS servers that act as caching-only forwarders, allow DNS queries only from the DNS servers that forward to them. An especially important firewall policy is to block internal users from using the DNS protocol to reach external DNS servers: every query should leave the network through the forwarders you control, which also keeps DNS from becoming an unmonitored channel out of the network.
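The three rules above, expressed as Windows Firewall rules with the NetSecurity module, as an added example that is not part of the article. Addresses are placeholders. One Windows Firewall detail shapes the code: a Block rule always wins over an Allow rule, so "allow only from X" has to be an Allow rule for X on top of the profile's default inbound Block, and "block except to X" has to be a Block rule whose remote address list is the complement of X (the module accepts explicit IPv4 ranges for that).

```powershell
# Added example (not from the article): host-firewall rules for DNS. Run elevated.

$InternalNets    = '10.0.0.0/8', '192.168.0.0/16'   # where internal clients live
$InternalServers = '10.0.0.10', '10.0.0.11'         # internal authoritative DNS servers
$Forwarders      = '10.0.0.53', '10.0.1.53'         # our caching-only forwarders

# Allow inbound DNS (UDP and TCP 53) from the given sources; everything else is
# covered by the profile's default inbound Block.
function Add-DnsInboundAllow {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$From)
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$Name ($proto)" -Direction Inbound -Protocol $proto `
            -LocalPort 53 -RemoteAddress $From -Action Allow -Profile Any | Out-Null
    }
}

# Dotted IPv4 to/from an integer so that address ranges can be computed.
function ConvertTo-IpInt ([string]$Ip) {
    $n = [int64]0
    foreach ($b in ([ipaddress]$Ip).GetAddressBytes()) { $n = ($n -shl 8) -bor [int64]$b }
    return $n
}
function ConvertFrom-IpInt ([int64]$N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

# Every IPv4 range except the listed hosts (0.0.0.0 itself is never a destination).
function Get-ComplementRanges ([string[]]$Except) {
    $ranges = @()
    $start  = [int64]1
    foreach ($n in ($Except | ForEach-Object { ConvertTo-IpInt $_ } | Sort-Object -Unique)) {
        if ($n -gt $start) { $ranges += '{0}-{1}' -f (ConvertFrom-IpInt $start), (ConvertFrom-IpInt ($n - 1)) }
        $start = $n + 1
    }
    if ($start -le 4294967295) { $ranges += '{0}-255.255.255.255' -f (ConvertFrom-IpInt $start) }
    return $ranges
}

# Block outbound DNS to anything but the forwarders. Apply on member hosts and on the
# internal DNS servers; the caching-only forwarders themselves must be exempt.
function Add-DnsEgressBlock ([Parameter(Mandatory)][string[]]$AllowedResolvers) {
    $complement = Get-ComplementRanges -Except $AllowedResolvers
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS egress only to forwarders ($proto)" -Direction Outbound `
            -Protocol $proto -RemotePort 53 -RemoteAddress $complement -Action Block -Profile Any | Out-Null
    }
}

# Case 1: an internal-only DNS server accepts queries from internal clients only.
# Set-NetFirewallProfile -All -DefaultInboundAction Block
# Add-DnsInboundAllow -Name 'DNS from internal clients' -From $InternalNets
# Case 2: a caching-only forwarder accepts queries only from the internal DNS servers.
# Add-DnsInboundAllow -Name 'DNS from internal DNS servers' -From $InternalServers
# Case 3: clients and internal DNS servers may only send DNS to the forwarders.
# Add-DnsEgressBlock -AllowedResolvers $Forwarders
# Get-ComplementRanges -Except $Forwarders     # the ranges the block rule covers
```

The egress rule is a backstop for the same rule on the perimeter firewall, not a replacement: a host that has been compromised to the point of running as administrator can remove its own firewall rules, while the perimeter rule is what actually keeps DNS tunnelling and rogue resolvers out.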

9. Set access controls on DNS registry entries

On Windows-based DNS servers, configure access controls on the DNS server's registry keys so that only the accounts that need them are allowed to read or change those settings.

The HKLM\SYSTEM\CurrentControlSet\Services\DNS key should be configured to allow access only to the Administrators and System accounts, each with Full Control permissions.

10. Set access controls on DNS file system entries

On Windows-based DNS servers, configure access controls on the DNS server's files so that only the accounts that need them are allowed to read or change those files.

The %SystemRoot%\System32\dns folder and its subfolders (where the DNS service keeps its zone files, cache file, boot file and logs) should be configured to allow access only to the System account, with Full Control permissions.
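Items 9 and 10 are the same operation on two different object types, so one function covers both. This is an added example written for this page, not code from the article; it assumes an elevated PowerShell 5 or later session and uses the identities the article asks for as defaults in the usage lines.

```powershell
# Added example (not from the article): replace the ACL on the DNS service's registry
# key and on its working folder with an explicit, non-inherited one. Try -WhatIf first.

function Set-ExclusiveFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,          # HKLM:\... key or a folder
        [Parameter(Mandatory)][string[]]$Identities   # the only principals that keep access
    )
    $item       = Get-Item -LiteralPath $Path
    $isRegistry = $item.PSProvider.Name -eq 'Registry'
    $acl        = Get-Acl -LiteralPath $Path

    # Stop inheriting from the parent and do not copy the inherited entries down.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry that is already there.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    foreach ($id in $Identities) {
        if ($isRegistry) {
            $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
                $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        } else {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, "grant Full Control only to $($Identities -join ', ')")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Show who can do what, so the result can be checked afterwards.
function Get-AccessSummary ([Parameter(Mandatory)][string]$Path) {
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference,
            @{ n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } },
            IsInherited
}

$DnsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS'
$DnsFolder = Join-Path $env:SystemRoot 'System32\dns'

# Item 9: the service key, Administrators and SYSTEM only.
# Set-ExclusiveFullControl -Path $DnsKey -Identities 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
# Item 10: the zone, cache and log folder, SYSTEM only (the DNS service runs as LocalSystem).
# Set-ExclusiveFullControl -Path $DnsFolder -Identities 'NT AUTHORITY\SYSTEM'
# Get-AccessSummary $DnsKey; Get-AccessSummary $DnsFolder
```

Two practical caveats. The DNS console and dnscmd work through the service, so they keep working after the folder is locked to SYSTEM, but an administrator who needs to read or restore a zone file by hand will have to take ownership first. And because the ACL is now protected, later changes to the parent (Services key or System32) no longer flow down, which is the point, but it means these two objects must be included explicitly in any permission review.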
