How to protect DNS server from hackers

Our network is protected by firewall software, but my predecessor placed both the primary and secondary DNS servers, which are responsible for handling domains outside the network, outside the firewall's protection. Is there a best way to protect DNS servers from unwanted guests? (Gathered from the Internet.)

There are a few, though not many, ways of addressing the threat that hackers pose to DNS servers. You should place the DNS servers behind the existing firewall and give them addresses on that side of it. When allowing port 53 through the firewall, make sure that both TCP and UDP are passed. I learned this 'bloody' lesson when I first set up DNS servers behind a firewall: intermittent failures in Domain Name System (DNS) resolution kept appearing until both TCP and UDP were allowed through the firewall on port 53.

If the DNS servers are behind the current firewall, you should place them in a subnet separate from the subnet of the other servers and devices already on the network. You should also set up an access control list on the switch for the DNS server subnet, so that traffic from that subnet cannot be forwarded to the internal network's gateway, only out through the Internet connection. Another option is to put the servers on a DMZ interface. Some firewalls offer this option, but an additional network card must be installed if the firewall does not have a spare port available.

Alternatively, you can place the DNS servers behind a separate firewall that is not connected to the internal network. That way, if that firewall or a DNS server is compromised, your network is not at risk, because there is no direct connection. If you install a third DNS server (assuming you have only two at the moment), another protection option becomes available. In this configuration, both existing DNS servers are secondaries. DNS data on them cannot be changed directly; an unauthorized change lasts only until the secondary receives an update from the newly installed primary. For this to work, the primary DNS server is not given a public IP address and is configured to talk only to the secondary DNS servers.

The DNS software you use may offer further options. For example, BIND 9 supports a feature called views, which keeps the DNS server from resolving domains that it is not configured to be authoritative for. In other words, it is not an open resolver that anyone can use: external traffic can be blocked from using your DNS servers for domains they don't serve.
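As an added example, not part of the original answer, here is how the hidden-primary arrangement and the BIND 9 views described above could be expressed in named.conf. Every address and name is an assumed placeholder: 10.0.0.53 is the hidden primary on the internal network (10.0.0.0/8), 192.0.2.10 and 192.0.2.11 are the two public secondaries on the DNS subnet, and example.com is the zone being served. Older BIND 9 releases spell `primary`/`secondary`/`primaries` as `master`/`slave`/`masters`.

```conf
// ---- named.conf on the hidden primary (10.0.0.53, internal address only) ----
// Assumed placeholder addresses; adjust to your own network.
acl internal    { 10.0.0.0/8; 127.0.0.1; };
acl secondaries { 192.0.2.10; 192.0.2.11; };   // the two public DNS servers

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };          // never bound to a public address
    recursion no;                      // an authoritative-only server
    allow-query    { internal; secondaries; };
    allow-transfer { secondaries; };   // only the secondaries may AXFR/IXFR
    notify explicit;                   // notify only the hosts listed below
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type primary;                      // zone data is edited only here
    file "example.com.db";
};

// ---- named.conf on each public secondary (192.0.2.10 / 192.0.2.11) ----
// The firewall in front of these hosts must pass port 53 over BOTH TCP and UDP;
// zone transfers from the hidden primary (10.0.0.53) also arrive over TCP.
acl internal { 10.0.0.0/8; 127.0.0.1; };

// Internal clients get a recursive resolver for any name.
view "internal" {
    match-clients   { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-transfer  { none; };         // nobody pulls the zone from a secondary

    zone "example.com" {
        type secondary;
        primaries { 10.0.0.53; };      // fetch the zone from the hidden primary
        file "internal/example.com.db";
    };
};

// Everyone else gets answers only for the zone we are authoritative for,
// so the host is not an open resolver usable for domains it does not serve.
view "external" {
    match-clients   { any; };
    recursion no;
    allow-recursion { none; };
    allow-transfer  { none; };

    zone "example.com" {
        type secondary;
        primaries { 10.0.0.53; };
        file "external/example.com.db"; // a separate copy; file names must differ per view
    };
};
```

Once views are in use, every zone statement has to sit inside a view, which is why `example.com` appears in both. A quick check after reloading is to query a secondary from an outside address for a name in a zone it does not serve with `dig +norecurse`-style tooling: the response should carry no answer and the RA flag should be clear, while a query for `example.com` itself is still answered authoritatively.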