Industry best practices (was Re: large organization nameservers sending icmp packets to dns servers)

Sean Donelan sean at donelan.com
Wed Aug 8 17:22:33 UTC 2007


On Tue, 7 Aug 2007, Kevin Oberman wrote:
> This has been a pain for me for years. I have tried to reason with
> security people about this and, while they don't dispute my reasoning,
> they always end up saying that it is the "standard" practice and that,
> lacking any evidence of what it might be breaking, it will continue to
> be blocked. And I don't mean small companies, either. One of the biggest
> issues I have is with one of the country's largest government funded
> research labs.

Having worked on both sides of the fence, i.e. I was a card-carrying 
member of both ASIS and NFPA, I used to grumble about the kooky things 
sysadmins and programmers did in the name of "security" as much as I 
grumbled about the kooky things security folks did in the name of 
"security." Heck, if programmers only produced bug-free software and 
sysadmins kept only well configured systems, security people would 
have a lot less work to do.

What are the industry best practices for keeping DNS servers secure?

CERT publishes a document on securing DNS:
<http://www.cert.org/archive/pdf/dns.pdf>

NIST publishes a document on securing DNS:
<http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm>

Cymru publishes a document on securing DNS:
<http://www.cymru.com/Documents/secure-bind-template.html>

Microsoft publishes a document on securing DNS:
<http://technet2.microsoft.com/WindowsServer/en/Library/0fe406eb-6ca2-4d95-9a18-aede7e931ca21033.mspx>

IETF publishes a document on operational (including security) requirements 
for root DNS servers:
<http://www.rfc-editor.org/rfc/rfc2870.txt>

While there is a lot in common, they each also have variations and 
omissions.  Especially when it comes to some possibly obscure interactions
with many different protocols and applications. The relationships between 
IP, ICMP, TCP, UDP and DNS seem to be tough for many people to get 
right.  When you add undocumented "common knowledge" and other applications
leveraging DNS for all sorts of stuff besides name/address resolution, it's 
the typical programmer generated pile of spaghetti.

It's often simpler to wait for something to break before you fix it. I 
know many sysadmins, programmers and even security people that use that
philosophy to decide which things to work on today.


The good thing about security folks (and their cousins, the auditors) is 
most are compliance driven.  So if you get a new Industry Best Practice, 
often they will become your friend enforcing whatever that says.


So what should the Industry Best Practice(s) for DNS servers (root, 
authoritative and recursive) be?  And what should it say about the
interaction between IP/ICMP and TCP/UDP?  And maybe we'll even get
G-Root to follow it.
