Is unrestricted query access to dedicated DNS server considered an insecurity?



  • Let's say hypothetically a business has a network and some respective infrastructure. Importantly, a VPN for giving remote secure access to work resources, and a (not so) private DNS server for DNS but also things like blocking malware domains, as your usual business DNS server does. The DNS server is internet facing and accessible. However, the DNS server is not configured to only serve requests that come from the network/VPN... it will respond to and serve any request it gets from the internet. Is this an insecurity? It's not as if someone resolving domains with your server really means anything; however, at the same time this also means that an unrelated, unauthenticated third party gets to use the server.



  • Is this an insecurity?

    It is not an insecurity by itself but it is needlessly increasing the attack surface. And this can cause security problems.

    It can lead to availability problems due to DoS attacks possible from the internet. It can lead to sensitive information leaks, since anybody could query the DNS server and gain information about hostnames and IPs used inside a company. And if there are security issues in the DNS server, they can be exploited directly from the internet, i.e. there is no need to be inside a trusted network already.
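    The restriction the answer describes, as an added example that is not part of the original post: a BIND 9 named.conf fragment showing the open setting beside the corrected one. It assumes BIND 9 (9.9.4 or later for rate-limit); the address ranges are constructed placeholders for the office LAN and the VPN client pool.

```conf
// Added example (not from the original post). Use ONE of the two options blocks.
// Address ranges are constructed placeholders for the office LAN and VPN pool.

// --- Open setting: the server answers and recurses for any address on the internet ---
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- Corrected setting: only LAN and VPN clients may use the resolver ---
acl "internal" {
    127.0.0.0/8;        // loopback
    10.0.0.0/8;         // office LAN (constructed placeholder)
    10.8.0.0/24;        // VPN client pool (constructed placeholder)
};

options {
    recursion yes;
    allow-query       { internal; };   // everyone else gets RCODE REFUSED
    allow-recursion   { internal; };   // no recursion for outside addresses
    allow-query-cache { internal; };   // cached internal names are not leaked
    version "none";                    // do not reveal the server version
    rate-limit { responses-per-second 10; };  // limits use as a DoS amplifier
};
```

    After reloading the configuration, a query sent from an address outside the ACL should return RCODE REFUSED, which is how to confirm the restriction took effect.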


