Network Segmentation and Access Control
Network segmentation and access control are foundational components of modern cybersecurity. By dividing networks into logical zones and enforcing strict access rules, organizations can reduce attack surfaces, prevent lateral movement, and maintain compliance with security standards.
One particularly critical use case for segmentation and access control lies in Domain Name System (DNS) infrastructure. DNS servers are frequent targets for attackers because they play a pivotal role in network operations. Misconfigurations in DNS access can lead to data leaks, unauthorized network reconnaissance, and even service disruption.
This article explores the importance of isolating authoritative and recursive DNS servers and demonstrates how to configure Access Control Lists (ACLs) to restrict DNS access.
Why Isolating Authoritative and Recursive DNS Servers Matters
DNS servers can serve different roles:
- Authoritative DNS Servers: Store and provide responses for specific domain records. They should only answer queries about the domains they are responsible for.
- Recursive DNS Resolvers: Query other DNS servers on behalf of clients. They should only serve trusted internal clients, not the internet at large.
Risks of Mixing Roles
If authoritative and recursive functions are not isolated:
- Cache Poisoning: Attackers could manipulate cached results, redirecting users to malicious destinations.
- DNS Amplification Attacks: Open recursive resolvers can be abused in DDoS attacks.
- Information Disclosure: Internal DNS records could be leaked if external users query internal resolvers.
Best Practice:
- Place authoritative DNS servers in a DMZ or public-facing network segment, strictly serving external clients.
- Place recursive DNS servers in a segregated internal network segment, only accessible to trusted internal clients.
Access Control with ACLs
To prevent unauthorized access, DNS services should be restricted using Access Control Lists (ACLs). ACLs define which clients (by IP or network range) can query a DNS server.
Example: BIND (named.conf)
Below is a sample configuration for BIND to restrict recursive queries:
acl "trusted-clients" {
    192.168.1.0/24;   # Internal LAN
    10.0.0.0/16;      # Internal Data Center
    localhost;        # Local machine
};

options {
    recursion yes;
    allow-recursion { trusted-clients; };
    allow-query { any; };                  # Authoritative responses are public
    allow-query-cache { trusted-clients; };
};
In this setup:
- Only trusted networks can use recursion.
- Authoritative responses are available to all (publicly accessible domains).
- Cached query results are restricted to trusted clients.
Example: Unbound (unbound.conf)
For Unbound, recursion and ACLs are configured as follows:
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 10.0.0.0/16 allow
    access-control: 0.0.0.0/0 refuse   # Block all others
This ensures:
- Internal networks can query the resolver.
- External clients are denied access.
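As an added example (not part of this article, and not code from the BIND or Unbound projects), the following Python evaluates a client address against both ACL styles shown above, so you can check which clients a list actually grants recursion to before deploying it. It assumes BIND's first-match ordering with `!` negation, and Unbound's most-specific-match rule; `localhost` is simplified to any loopback address, and the Unbound fallback when no netblock matches is assumed to be refuse.

```python
import ipaddress
from typing import Iterable, Tuple

# Added example, not from the article. Assumptions: BIND address match lists
# are evaluated first-match and a leading "!" negates an element; "localhost"
# is treated as any loopback address (real BIND expands it to the server's own
# addresses). Unbound picks the most specific (longest-prefix) matching
# netblock regardless of order and is assumed to refuse when nothing matches.


def bind_acl_matches(acl: Iterable[str], client: str) -> bool:
    """First-match evaluation of a BIND address_match_list."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        token = element.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        elif token == "localhost":
            hit = ip.is_loopback
        else:
            net = ipaddress.ip_network(token, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate  # the first matching element decides
    return False


def unbound_action(rules: Iterable[Tuple[str, str]], client: str) -> str:
    """Most-specific-match evaluation of Unbound access-control lines."""
    ip = ipaddress.ip_address(client)
    best_len, action = -1, "refuse"
    for netblock, verb in rules:
        net = ipaddress.ip_network(netblock, strict=False)
        if ip.version == net.version and ip in net and net.prefixlen > best_len:
            best_len, action = net.prefixlen, verb
    return action


# The two lists from the configurations above.
TRUSTED_CLIENTS = ["192.168.1.0/24", "10.0.0.0/16", "localhost"]
UNBOUND_RULES = [
    ("127.0.0.0/8", "allow"),
    ("192.168.1.0/24", "allow"),
    ("10.0.0.0/16", "allow"),
    ("0.0.0.0/0", "refuse"),
]


def recursion_allowed(client: str) -> Tuple[bool, str]:
    """(BIND allow-recursion decision, Unbound action) for one client address."""
    return (bind_acl_matches(TRUSTED_CLIENTS, client),
            unbound_action(UNBOUND_RULES, client))


def order_sensitivity() -> Tuple[bool, str]:
    """In BIND a broad 'any' listed first shadows a later exception; Unbound
    honours the more specific /32 wherever it appears in the list."""
    bind_shadowed = bind_acl_matches(["any", "!10.0.0.5"], "10.0.0.5")
    unbound_specific = unbound_action(
        [("0.0.0.0/0", "allow"), ("10.0.0.5/32", "refuse")], "10.0.0.5")
    return bind_shadowed, unbound_specific


if __name__ == "__main__":
    for c in ("192.168.1.20", "10.0.7.1", "127.0.0.1", "203.0.113.9"):
        print(c, recursion_allowed(c))
    print("order sensitivity (BIND shadowed, Unbound action):", order_sensitivity())
```

The practical lesson is the ordering difference: in a BIND ACL, exceptions and `!` entries must come before the broader entries that would otherwise match first, while the Unbound `0.0.0.0/0 refuse` catch-all can sit anywhere because the longest matching prefix wins.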
Segmentation Enforcement with Firewalls
ACLs should be complemented with network-level segmentation. Firewalls can ensure that:
- Recursive DNS servers are not exposed to the internet.
- Authoritative servers are isolated in their own segment and only accept queries on port 53 (UDP/TCP).
- Management access (SSH, RDP, etc.) is further restricted to administrative subnets.
Example iptables rules to block external recursion:
# Block all DNS requests to the recursive resolver that do not come from the trusted LAN.
# Note: in current iptables syntax the negation "!" is placed before the -s option.
iptables -A INPUT -p udp --dport 53 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 53 ! -s 192.168.1.0/24 -j DROP
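To verify that the ACLs and firewall rules above behave as intended, here is an added Python probe (not from the article) that sends one recursion-desired query to a resolver and classifies what comes back: a response with the RA bit set means recursion was served, REFUSED means the ACL is in effect, and a timeout means the firewall dropped the packet. The function names and the constructed sample responses are our own.

```python
import random
import socket
import struct

# Added example, not from the article. It builds a minimal DNS query (RD=1,
# QTYPE A, QCLASS IN), sends it over UDP/53 and interprets the response header
# from the defender's point of view: was recursion offered, refused by the
# ACL, or did the packet never come back (firewall drop)?


def build_query(name: str, txid: int) -> bytes:
    """Wire-format query with the RD (recursion desired) bit set."""
    flags = 0x0100  # QR=0, Opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(resp: bytes, expected_txid: int) -> str:
    """Map a response header to one of the outcomes an audit cares about."""
    if len(resp) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != expected_txid or not flags & 0x8000:  # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"              # allow-recursion / access-control refuse in effect
    if flags & 0x0080:
        return "recursion-served"     # RA set: this resolver recurses for us
    return "recursion-unavailable"    # authoritative-only behaviour


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query; a timeout is reported as 'dropped' (firewall)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "dropped"
    return classify_response(resp, txid)


def make_response(txid: int, ra: bool, rcode: int, ancount: int) -> bytes:
    """Constructed sample response header for offline checks (not captured
    from a real server)."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it from an external vantage point against the recursive resolver's address: the expected result is `refused` (ACL) or `dropped` (firewall), never `recursion-served`. From a trusted internal subnet the same probe should return `recursion-served`, and against an authoritative-only server it should return `recursion-unavailable`.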
Conclusion
Network segmentation and access control are critical defenses for DNS infrastructure. By isolating authoritative and recursive DNS servers and implementing ACL-based restrictions, organizations can:
- Prevent misuse of recursive resolvers in amplification attacks.
- Safeguard internal DNS data from exposure.
- Maintain a robust, layered security model.
When combined with firewall enforcement and continuous monitoring, these practices provide strong protection for one of the most vital services in the network: DNS.
***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.