From National Institute of Standards and Technology | Nov 11, 2010
The Internet is the world's largest computing network, with hundreds of millions of
users. From the perspective of a user, each node or resource on this network is
identified by a unique name, the domain name, such as www.nist.gov.
However, from the perspective of network equipment that routes communications across
the Internet, the unique identifier for a resource is an Internet Protocol (IP)
address, such as 172.30.128.27. To access Internet resources by user-friendly domain
names rather than IP addresses, users need a system that translates domain names to IP
addresses and back. This translation is the primary task of an engine called the Domain
Name System (DNS).
The DNS infrastructure is made up of computing and communication entities that are
geographically distributed throughout the world. There are more than 250 top-level
domains, such as .gov and .com, and several million second-level domains, such as
nist.gov and ietf.org. Accordingly, there are many name servers in the DNS
infrastructure, each of which holds information about only a small portion of the domain
name space. The DNS infrastructure functions through collaboration among the various
entities involved. The domain name data provided by DNS is intended to be available to
any computer located anywhere in the Internet.
This document provides deployment guidelines for securing DNS within an enterprise.
Because DNS data is meant to be public, preserving the confidentiality of DNS data
pertaining to publicly accessible IT resources is not a concern. The primary security
goals for DNS are data integrity and source authentication, which are needed to ensure
the authenticity of domain name information and maintain the integrity of domain name
information in transit.
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.doc
- Secure Domain Name System (DNS) Deployment Guide.pdf