Secure Domain Name System (DNS) Deployment Guide

The Domain Name System (DNS) is a distributed computingsystem that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS infrastructure is made up of computing andcommunication entities called Name Servers each of which contains information about a small portion of the domain name space. The domain name data provided by DNS is intended to be available to any computer located anywhere in the Internet.This document provides deploymentguidelines for securing DNS within an enterprise. Because DNS data is meant to be public, preserving the confidentiality of DNS data. The primary securitygoals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. This documentprovides extensive guidance on maintaining data integrity and performing source authentication. DNS components are often subjected to denial-ofservice attacks intended to disrupt access to the resources whose domainnames are handled by the attacked DNS components. This document presents guidelines for configuring DNS deployments to prevent many denial-of-service attacks that exploit vulnerabilities in various DNS components.