You installed a secondary DNS server on the same demilitarized zone (DMZ) mediated by a firewall as the primary DNS server to improve the availability of DNS services. Which of the following is the best strategy to support the DNS zone transfer between DNS servers? (Wentz QOTD)
A. Create a firewall policy that allows UDP 53 from the primary DNS server to the secondary
B. Create a firewall policy that allows TCP 53 from the primary DNS server to the secondary
C. Create a firewall policy that allows DNSSEC from the primary DNS server to the secondary
D. Create no firewall policy and have the primary DNS server communicate with the secondary directly
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Create no firewall policy and have the primary DNS server communicate with the secondary directly.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
The primary DNS server and the secondary DNS server sit in the same security zone (specifically, the DMZ), and a zone shares one set of security requirements, so there is no need to create firewall policies to mediate the traffic between the two DNS servers.
A firewall typically mediates network traffic in two ways: context-based and zone-based. The traditional context-based approach is also known as context-based access control (CBAC).
A firewall comprises a couple of network interfaces that can be configured or assigned to zones. A security zone or zone for short is a collection of firewall interfaces that share the same security requirements. Traffic between zones is controlled by firewall policies. Please refer to Firewall Interfaces, Zones, and Tiers for more.
A zone pair is a pairing of two zones in one direction. A firewall traffic policy is then applied to a zone pair, so firewall traffic policy is applied unidirectionally between zones. Two zone pairs are required for traffic in both directions. However, the second zone pair is not required if stateful inspection is used, because reply traffic belonging to an inspected session is permitted automatically.
ACLs provide traffic filtering and protection up to the transport layer, while CBAC provides the same function up to the application layer. With a CBAC configuration, the router can act as a firewall.
Context-based access control (CBAC) intelligently filters TCP and UDP packets based on application-layer protocol session information and can be used for intranets, extranets and internets.
The Context-Based Access Control (CBAC) feature of the Cisco IOS® Firewall Feature Set actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists (in the same way that Cisco IOS uses access lists). However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall.
DNS namespace is a logical structure of DNS domain names organized in a hierarchy or tree. A DNS zone is an administrative structure of a portion of the DNS namespace. A DNS zone file is a repository of the zone.
The primary DNS server hosts a writable zone that can be transferred to one or more secondary DNS servers. The copy or replica on a secondary DNS server is typically read-only. However, the replica can be writeable, e.g., Microsoft AD-integrated DNS; it depends on the vendor’s implementation.
Zone transfer between the primary DNS server and secondary DNS servers uses TCP port 53. It can be done periodically or notification-based. The primary DNS server may maintain a white list of secondary DNS servers for security.
The DNS client, also known as the DNS resolver, sends a recursive DNS query to the DNS server using UDP port 53. The DNS server then issues multiple non-recursive (iterative) queries to resolve the query from the DNS client.
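To make the reasoning behind answer D concrete, here is a small model of the zone-based firewall decisions described above (intra-zone traffic needs no policy, inter-zone traffic needs a policy on a unidirectional zone pair, and stateful inspection permits the reply without a second zone pair), applied to the DNS traffic in the question. This is an added illustration, not code from the post or from any vendor; the interface names, zone names and addresses are constructed.

```python
"""Toy zone-based firewall: models the rules in the text, not a real product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: firewall interfaces assigned to security zones.
INTERFACE_ZONE = {"gi0/0": "outside", "gi0/1": "dmz", "gi0/2": "inside"}
INTERFACE_NET = {"gi0/0": ip_network("203.0.113.0/24"),
                 "gi0/1": ip_network("192.0.2.0/24"),   # DMZ: both DNS servers live here
                 "gi0/2": ip_network("10.0.0.0/8")}

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def zone_of(ip: str) -> str:
    """Map an address to the zone of the interface whose network contains it."""
    for iface, net in INTERFACE_NET.items():
        if ip_address(ip) in net:
            return INTERFACE_ZONE[iface]
    raise ValueError(f"no firewall interface for {ip}")

class ZoneFirewall:
    def __init__(self):
        self.policies = {}     # (src_zone, dst_zone) -> {(proto, dport)}
        self.sessions = set()  # stateful table of inspected, permitted flows

    def add_policy(self, src_zone, dst_zone, proto, dport):
        """Attach a permit rule to a unidirectional zone pair."""
        self.policies.setdefault((src_zone, dst_zone), set()).add((proto, dport))

    def permit(self, f: Flow) -> bool:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz:
            return True  # same zone, same security requirements: no policy needed
        if (f.proto, f.dport) in self.policies.get((sz, dz), set()):
            self.sessions.add(f)  # inspected session: remember it for the reply
            return True
        # Reply to an inspected session is allowed even without a reverse zone pair.
        return any(s.src == f.dst and s.sport == f.dport and s.dst == f.src
                   and s.dport == f.sport and s.proto == f.proto
                   for s in self.sessions)

# Flows from the question (constructed addresses): AXFR stays inside the DMZ.
ZONE_TRANSFER = Flow("192.0.2.10", 40000, "192.0.2.11", 53, "tcp")
CLIENT_QUERY = Flow("203.0.113.5", 51234, "192.0.2.10", 53, "udp")
QUERY_REPLY = Flow("192.0.2.10", 53, "203.0.113.5", 51234, "udp")
```

The zone transfer is permitted with an empty policy table, whereas the external client query needs an outside-to-dmz rule and its reply then rides on the inspected session.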
- Domain Name System (Wikipedia)
- DNS zone transfer
- DNSSEC – What Is It and Why Is It Important?
- Basic Zone-Based Firewall Fundamentals
- Network Security Zones
- WORKING WITH ZONES (Red Hat)
- Zone Pairs
- Context-based access control
- Context based Access Control (CBAC)
- The Cisco IOS Firewall Feature Set and Context-Based Access Control
- Context Based Access Control (LDAPWiki)