Security Considerations

Overview

NetoDNS has API access to Netography Fusion to upload DNS records. A threat actor that gains access to the system you deploy NetoDNS on in your environment could read these credentials, modify the NetoDNS code, or access these APIs directly. Therefore, it is important to implement the security concept of least privilege to reduce the risk of unauthorized access to this system.

Best Practices

Here are recommended best practices to use in deploying NetoDNS in production environments:

  • Use the NetoDNS container for deployment. It is built on the Google distro-less container image, which significantly reduces the attack surface compared to a default Linux distribution.

  • If you choose to deploy NetoDNS as a software package, deploy it on a dedicated system that adheres to your organization's security policies, is kept updated and hardened, and has every externally reachable service that is not strictly required disabled (e.g., no open ports or services except SSH and the TCP port 514 that NetoDNS listens on). Limit network access to the system to authorized administrators only. Exercise general security best practices in operating a limited-use system of this type.

  • Ensure that only the Infoblox NIOS system sending syslog to NetoDNS has network access to the NetoDNS syslog port. This prevents other hosts on the network from injecting forged syslog messages.

  • Disable the NetoDNS API, or restrict access to its listening port, to prevent others from reading statistics (see Reading statistics from NetoDNS API).

  • Create an API key configured with only the Send NetoDNS permission in Fusion.

  • Store API credentials in an external vault or secrets management system and pass them in at runtime rather than storing them locally. Choose the most secure credential storage approach available in your environment.

  • Regularly expire and rotate API keys being used.
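The network-restriction practices above (syslog only from the Infoblox NIOS host, SSH and the API port only from administrators, everything else closed) can be expressed as a host firewall ruleset. The following is an added example, not part of the NetoDNS documentation or product: it renders an nftables ruleset from the NIOS address, the administrator network, and the API port. The API port number and the addresses used are assumptions; substitute the values from your deployment.

```shell
#!/bin/sh
# Added example (not NetoDNS project code): render an nftables input policy that
# admits TCP 514 only from the Infoblox NIOS syslog source and admits SSH and the
# NetoDNS API port only from an administrator network. Default policy is drop.
render_netodns_ruleset() {
  infoblox_ip="$1"   # NIOS host allowed to send syslog (constructed value in usage)
  admin_cidr="$2"    # network allowed SSH and API access
  api_port="$3"      # NetoDNS API port: an assumption, check your own config
  cat <<EOF
table inet netodns {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    ip saddr ${infoblox_ip} tcp dport 514 accept
    ip saddr ${admin_cidr} tcp dport 22 accept
    ip saddr ${admin_cidr} tcp dport ${api_port} accept
    # any other source, including syslog from other hosts, falls through to drop
  }
}
EOF
}

# Sanity check before applying: the ruleset must not contain an unqualified
# "tcp dport 514 accept" that would admit syslog from arbitrary hosts.
ruleset_restricts_syslog() {
  ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*tcp dport 514 accept'
}

# Usage with constructed (documentation-range) addresses and an assumed API port.
ruleset="$(render_netodns_ruleset 192.0.2.10 198.51.100.0/24 8080)"
if ruleset_restricts_syslog "$ruleset"; then
  printf '%s\n' "$ruleset"
  # Apply on the NetoDNS host with: printf '%s\n' "$ruleset" | nft -f -
fi
```

If the NetoDNS API is disabled entirely, drop the API-port rule so only SSH remains open to administrators.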

Understanding the data

All DNS data and user metadata in the Netography cloud are stored encrypted at rest. The NetoDNS Connector collects DNS records from your local DNS servers and sends them to the Netography Fusion SaaS. These DNS records contain network metadata, including the DNS requests being made and the responses being provided.
