
Overview

DNS security protects zone integrity, prevents unauthorized data exposure, and maintains the chain of trust for DNSSEC-signed zones. This guide covers the key hardening areas for platform administrators.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Hardening Guidelines

Restrict zone transfer recipients

Zone transfers expose complete zone data to the recipient. Enforce the principle of least privilege:
  • Create transfer requests only for specific target projects — never use open transfers
  • Set short expiration windows on transfer requests (24 hours maximum)
  • Audit accepted transfers monthly:
    Audit zone transfers:
    openstack zone transfer accept list --all-projects
  • Revoke transfer requests immediately after they are no longer needed:
    Delete a transfer request:
    openstack zone transfer request delete <transfer-id>
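As an added example that is not part of the Xloud documentation, the following Python script checks the JSON output of `openstack zone transfer request list --all-projects -f json` against the two controls above: no open (untargeted) transfers, and no request left active for more than 24 hours. The field names (`id`, `zone_name`, `status`, `target_project_id`, `created_at`) and the `--all-projects` flag on that command are assumptions to confirm against your CLI version; the sample data is constructed.

```python
"""Audit zone transfer requests: flag open transfers and requests older than 24h.

Feed it the output of:
    openstack zone transfer request list --all-projects -f json
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # the 24-hour maximum from the hardening guide

# Constructed sample in the shape the Designate CLI emits with -f json
# (field names assumed; check them against your own CLI version).
SAMPLE_JSON = """[
  {"id": "1111-aaaa", "zone_name": "example.com.", "status": "ACTIVE",
   "target_project_id": "proj-b", "created_at": "2024-05-01T08:00:00.000000"},
  {"id": "2222-bbbb", "zone_name": "corp.example.", "status": "ACTIVE",
   "target_project_id": null, "created_at": "2024-05-01T08:30:00.000000"},
  {"id": "3333-cccc", "zone_name": "old.example.", "status": "ACTIVE",
   "target_project_id": "proj-c", "created_at": "2024-04-20T08:00:00.000000"},
  {"id": "4444-dddd", "zone_name": "done.example.", "status": "COMPLETE",
   "target_project_id": "proj-d", "created_at": "2024-04-01T08:00:00.000000"}
]"""

def parse_ts(value):
    # Designate timestamps are naive UTC ("2024-05-01T08:00:00.000000").
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def audit_transfer_requests(requests, now):
    """Return (request id, zone, finding) for every request violating a control.
    Only ACTIVE requests can still be accepted, so COMPLETE/DELETED are skipped."""
    findings = []
    for req in requests:
        if req.get("status") != "ACTIVE":
            continue
        if not req.get("target_project_id"):
            findings.append((req["id"], req["zone_name"],
                             "open transfer: no target project"))
        if now - parse_ts(req["created_at"]) > MAX_AGE:
            findings.append((req["id"], req["zone_name"],
                             "stale request: older than 24h, revoke it"))
    return findings

def audit_json(text, now_iso=None):
    """now_iso overrides the clock (UTC ISO timestamp) so audits are reproducible."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return audit_transfer_requests(json.loads(text), now)

if __name__ == "__main__":
    source = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for req_id, zone, finding in audit_json(source):
        print(f"{req_id} {zone}: {finding}")  # then: openstack zone transfer request delete <id>
```

Pipe the real CLI output into the script on a schedule and feed each flagged id to `openstack zone transfer request delete`.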

Protect zone apex records

SOA and NS records at the zone apex define which nameservers are authoritative for the zone. Unauthorized modification redirects queries to attacker-controlled nameservers:
  • Review NS record changes in audit logs after each deployment
  • Restrict zone modification to named service accounts — avoid using personal credentials for automated DNS management
  • Enable API rate limiting to prevent bulk zone modification attacks
  • Separate read-only reporter roles from write-capable automation accounts

Protect DNSSEC signing keys

DNSSEC signing protects DNS responses from tampering and spoofing. Signing keys are stored in Xloud Key Manager:
  • Store Zone Signing Keys (ZSK) and Key Signing Keys (KSK) as secrets in Key Manager
  • Rotate ZSKs every 90 days; KSKs annually
  • Maintain DS records at the parent zone registrar to complete the chain of trust
  • Test DNSSEC validation after key rotation:
    Validate DNSSEC chain:
    dig @<resolver-ip> example.com. A +dnssec

Use Xloud Key Manager’s expiration feature to track ZSK and KSK rotation schedules. Set expiration dates on signing keys and build a rotation workflow triggered before expiry.

Forward audit logs

All DNS API requests are logged. Configure log forwarding to your centralized logging platform to retain audit records for:
  • Zone creation and deletion events
  • Record set modifications with before/after values
  • Zone transfer requests and acceptances
  • Quota changes and project assignments
Store DNS audit logs in Xloud Object Storage with a minimum 1-year retention policy to satisfy compliance requirements for DNS change auditing.

Isolate the DNS API

The DNS API should not be exposed to untrusted networks:
  • Bind the DNS API to the internal management network only
  • Configure firewall rules limiting port 9001 access to authorized hosts
  • Apply HAProxy frontend ACLs to restrict source IPs if the API is load-balanced
  • Enable HTTPS on the DNS API endpoint — never manage zones over plain HTTP

Security Checklist

| Control                        | Status           | Notes                                                     |
|--------------------------------|------------------|-----------------------------------------------------------|
| Zone transfers target-specific | Verify quarterly | Check openstack zone transfer accept list --all-projects  |
| DNSSEC ZSK rotated             | Every 90 days    | Store keys in Key Manager with expiration                 |
| DNSSEC KSK rotated             | Annually         | Update DS record at registrar after rotation              |
| DNS API over HTTPS             | Always           | Verify HAProxy SSL termination config                     |
| Audit logs forwarded           | Continuous       | 1-year minimum retention                                  |
| API rate limiting enabled      | Platform-wide    | Prevent bulk zone modification attacks                    |

Next Steps

Zone Transfers

Manage and audit zone transfer requests

Key Manager

Store and rotate DNSSEC signing keys

Quotas

Enforce per-project DNS resource limits

Admin Troubleshooting

Diagnose security-related DNS service issues