{"id":3090,"date":"2015-08-31T17:59:35","date_gmt":"2015-08-31T17:59:35","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=3090"},"modified":"2020-05-06T10:30:10","modified_gmt":"2020-05-06T17:30:10","slug":"uncle-sam-wants-you-to-control-outbound-dns","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/company\/uncle-sam-wants-you-to-control-outbound-dns\/","title":{"rendered":"Uncle Sam Wants You… To Control Outbound DNS"},"content":{"rendered":"

\"\"<\/p>\n

The U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (US-CERT) released an alert on Aug. 28, 2015, regarding the importance of controlling outbound DNS access (https:\/\/www.us-cert.gov\/ncas\/alerts\/TA15-240A<\/a>). In particular, US-CERT notes an increase in the number of client systems sending queries directly to Internet name servers, and stresses the need to prevent this, both for security\u2019s and efficiency\u2019s sake.<\/p>\n

I\u2019ve been saying this for years!<\/p>\n

There are two common security policies with respect to outbound Domain Name System (DNS) access.\u00a0 Some organizations allow any internal Internet Protocol (IP) address to send DNS queries to any name server on the Internet.\u00a0 In fact, that\u2019s the default policy in some Internet firewalls.\u00a0 This provides a lot of flexibility, of course:\u00a0 Users can configure their clients to use OpenDNS or Google Public DNS instead of their IT department\u2019s name servers, and an experienced user can use a DNS query tool such as dig or nslookup to troubleshoot DNS resolution problems.<\/p>\n

Other organizations only permit a limited set of authorized internal name servers to send DNS queries to Internet IP addresses.\u00a0 Users must use the approved set of internal name servers to resolve domain names; they can\u2019t just opt to use OpenDNS or Google Public DNS, and troubleshooting DNS problems is more cumbersome.<\/p>\n

Admittedly, I was a little late to the \u201climited DNS access\u201d party, requiring a nudge from my friend\u00a0Nate Campi<\/a>\u00a0to accept the wisdom of not allowing internal stub resolvers and name servers to query any old Internet name server they like (see this 2012\u00a0blog post<\/a>\u00a0for my\u00a0mea culpa<\/i>).\u00a0 The last straw was DNSChanger, a Trojan that reconfigured stub resolvers to point them to hostile open recursive name servers on the Internet, which would substitute, uh, legitimate web advertising with advertising from another company (see this Wikipedia\u00a0article<\/a>\u00a0for details).<\/p>\n

Given that the DNSChanger infrastructure has been taken down, what\u2019s the danger of allowing queries from internal clients to any Internet name server?<\/p>\n