Long ignored at the core of the network, DNS is the weak point of many organizations’ IT security, particularly infrastructure and applications on the Cloud, where DNS management is outsourced as part of an IaaS or SaaS offering. Security failures at the DNS and DHCP level can result in outages affecting a company’s Web sites, email, and other mission-critical applications such as CRM.
Solving this security problem requires expert knowledge of DNS/DHCP technology, a purpose-built solution optimized for security, and automatic patches and updates. dnsfly meets this challenge, delivering a multi-layered solution to DNS/DHCP security, combating the threat of nefarious attacks and service outages.
dnsfly includes support for DNSSEC, the standard for DNS security, and a security-optimized operating system (OpenBSD on the Physical Appliance, Linux on the Virtual Appliance), together with the following key features:
Supports DNSSEC signed Zones
dnsfly supports DNSSEC, which uses public-key signatures to maintain the chain of trust. Non-DNSSEC forward and reverse zones can be converted to DNSSEC zones with the click of a button, and signed zones are automatically re-signed when records are updated.
Hardened Linux OS
dnsfly uses a Linux operating system that has been stripped of all unnecessary ports and services, reducing the potential attack surface.
dnsfly comes with a packet filter (PF) firewall, a BSD-licensed stateful packet filter used for firewall configurations.
Supports Transaction Signatures (TSIGs)
Secret Key Transaction Authentication for DNS (TSIG) is a mechanism by which DNS servers authenticate zone transfers or dynamic updates exchanged between servers.
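To make concrete what a TSIG-protected zone transfer actually authenticates, the following added example (not code from dnsfly or from BIND) signs and verifies a constructed AXFR request with HMAC-SHA256 over the DNS message plus the TSIG variables, in the layout RFC 8945 specifies. The key name, secret, message ID and timestamp are all constructed for the example; a real deployment generates the secret with `tsig-keygen` and shares it out of band with the peer server.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed shared secret and key name; both servers must hold the same pair.
KEY_NAME = "xfer-key."
ALGORITHM = "hmac-sha256."
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def name_to_wire(name: str) -> bytes:
    """Encode a DNS name in canonical (lower-case, uncompressed) wire form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_request(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed AXFR query: header (one question, no additional records) + question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + name_to_wire(zone) + struct.pack("!HH", 252, 1)  # QTYPE AXFR, QCLASS IN


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 8945, section 4.3.3)."""
    return (
        name_to_wire(KEY_NAME)
        + struct.pack("!HI", 255, 0)             # CLASS ANY, TTL 0
        + name_to_wire(ALGORITHM)
        + time_signed.to_bytes(6, "big")         # 48-bit "time signed"
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def tsig_mac(message: bytes, time_signed: int, fudge: int = 300, request_mac: bytes = b"") -> bytes:
    """MAC over the unsigned message (TSIG RR not yet appended, so ARCOUNT excludes it)
    plus the TSIG variables; a response additionally prefixes the request's MAC."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(time_signed, fudge)
    return hmac.new(SECRET, data, hashlib.sha256).digest()


def verify_tsig(message: bytes, mac: bytes, time_signed: int,
                fudge: int = 300, now: Optional[int] = None) -> bool:
    """Accept only if time_signed is within the fudge window and the MAC matches.
    The constant-time compare avoids leaking how many MAC bytes matched."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    msg = build_axfr_request("example.com.")
    t = int(time.time())
    mac = tsig_mac(msg, t)
    print("genuine request verifies:", verify_tsig(msg, mac, t))
    print("tampered request verifies:", verify_tsig(bytes([0x99]) + msg[1:], mac, t))
```

The verifier rejects both a modified message (the MAC no longer matches) and a replayed one whose timestamp has drifted outside the fudge window, which is why the two servers' clocks must stay reasonably synchronized.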
Recursion off by default
Recursive queries are turned off by default to improve security.
dnsfly supports detailed logging of queries and zone transfers for monitoring and compliance.
Masked BIND Version Number
Allows administrators or authorized users to hide the BIND version number and configure what is publicly displayed, so that an attacker cannot tailor an attack to the specific version in use.
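The DNSSEC signing, recursion, logging and version-masking features above all correspond to settings in BIND's `named.conf`. As an added example (not dnsfly's or BIND's own code), the script below embeds two constructed `named.conf` fragments in BIND 9.16+ syntax, one weak and one hardened, and runs a small regex-based audit over them that flags recursion left on, an unmasked version string, zone transfers not restricted to a TSIG key, missing query and transfer logging, and primary zones without a `dnssec-policy`. The audit is illustrative rather than a full `named.conf` parser, and the file paths and key name are constructed.

```python
import re

# Constructed "before" fragment: recursion on, version disclosed, transfers open to anyone.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
zone "example.com" {
    type primary;
    file "example.com.zone";
};
"""

# Constructed hardened fragment: TSIG-keyed transfers, masked version, logging, DNSSEC.
HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";
};
logging {
    channel audit { file "/var/log/named/audit.log" versions 10 size 20m; print-time yes; };
    category queries { audit; };
    category xfer-in { audit; };
    category xfer-out { audit; };
};
options {
    directory "/var/named";
    version "not disclosed";
    recursion no;
    allow-transfer { key xfer-key; };
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    dnssec-policy default;
    inline-signing yes;
};
"""


def _block(conf: str, name: str) -> str:
    """Body of the top-level `name { ... };` statement, or '' if absent."""
    m = re.search(r"^\s*" + name + r"\s*\{(.*?)^\};", conf, re.S | re.M)
    return m.group(1) if m else ""


def audit_named_conf(conf: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    opts = _block(conf, "options")
    if not re.search(r"\brecursion\s+no\s*;", opts):
        findings.append("recursion is not disabled (authoritative servers should set 'recursion no;')")
    if not re.search(r"\bversion\s+\"", opts):
        findings.append("BIND version string is not masked (set 'version \"...\";' in options)")
    xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", opts)
    if xfer is None or "key " not in xfer.group(1) or "any" in xfer.group(1):
        findings.append("zone transfers are not restricted to TSIG-keyed peers (use 'allow-transfer { key <name>; };')")
    defined_keys = set(re.findall(r'^key\s+"([^"]+)"', conf, re.M))
    if xfer is not None:
        for keyname in re.findall(r"key\s+([\w.-]+)\s*;", xfer.group(1)):
            if keyname not in defined_keys:
                findings.append(f"allow-transfer references undefined TSIG key '{keyname}'")
    log = _block(conf, "logging")
    for cat in ("queries", "xfer-in", "xfer-out"):
        if not re.search(r"category\s+" + re.escape(cat) + r"\s*\{", log):
            findings.append(f"no logging channel for category '{cat}'")
    for zone, body in re.findall(r'^zone\s+"([^"]+)"\s*\{(.*?)^\};', conf, re.S | re.M):
        if ("type primary" in body or "type master" in body) and "dnssec-policy" not in body:
            findings.append(f"zone '{zone}' is not DNSSEC-signed (no dnssec-policy)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

Running the script reports seven findings for the weak fragment and none for the hardened one. The `dnssec-policy` plus `inline-signing` pair is what makes BIND re-sign a zone automatically whenever its records change, which is the behaviour the DNSSEC feature above describes; on a live server, `named-checkconf` should still be run to confirm the syntax before reloading.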
dnsfly runs BIND in a chroot "jail", which limits the ability of the process to access files and resources outside a restricted area of the filesystem.
dnsfly appliances can be updated frequently to address industry-published vulnerabilities and to deliver product enhancements.