Run antivirus software on linux DNS servers. Does it make sense?

Posted on

Run antivirus software on linux DNS servers. Does it make sense? – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, domain-name-system, bind, anti-virus, pci-dss.

During a recent audit we were requested to install antivirus software on our DNS servers that are running linux (bind9). The servers were not compromised during the penetration testing but this was one of the recommendations given.

  1. Usually linux antivirus software is installed to scan traffic
    destined to users, so what’s the goal to install antivirus on a dns

  2. What is your opinion on the proposal?

  3. Do you actually run antivirus software on your linux servers?

  4. If so, which antivirus software would you recommend or you are
    currently using?

Solution :

One aspect of this is that recommending “anti-virus” to be on everything is a safe bet, for the auditor.

Security audits aren’t entirely about actual technical safety. Often they are also about limiting liability in case of a lawsuit.

Let’s say your company was hacked and a class action lawsuit was filed against you. Your specific liability can be mitigated based on how well you followed industry standards. Let’s say the auditors did not recommend AV on this server, so you don’t install it.

Your defense in this is that you followed the recommendations of a respected auditor and pass the buck so to speak. Incidentally, that’s the PRIMARY reason we use third party auditors. Note that shifting of liability is often written into the contract you sign with auditors: if you don’t follow their recommendations, it’s all on you.

Well, attorneys will then investigate the auditor as a possible co-defendant. In our hypothetical situation the fact that they did not recommend AV on a particular server will be seen as not being thorough. That alone would hurt them in the negotiations even if it had absolutely no bearing on the actual attack.

The only fiscally responsible thing for an auditing company to do is to have a standard recommendation for all servers regardless of actual attack surface. In this case, AV on everything. In other words they recommend a sledge hammer even when a scalpel is technically superior due to legal reasoning.

Does it make technical sense? Generally no as it usually increases risk. Does it makes sense to attorneys, a judge or even a jury? Absolutely, they are not technically competent and incapable of understanding the nuances. Which is why you need to comply.

@ewwhite recommended you speak with the auditor about this. I think that’s the wrong path. Instead you should speak with your company’s attorney to get their opinion on not following these requests.

Sometimes auditors are idiots…

This is uncommon request, though. I would counter the auditors recommendation by securing/limiting access to servers, adding an IDS or file-integrity monitoring or bolstering security elsewhere in your environment. Antivirus doesn’t have any benefit here.


As noted in the comments below, I was involved in the launch of a very high-profile website here in the US, and was responsible for designing the Linux reference architecture for HIPAA compliance.

When the matter of Antivirus came up for discussion, we did recommend ClamAV and an application firewall to process submissions from end-users, but managed to avoid having AV on all systems by implementing compensating controls (3rd-party IDS, session logging, auditd, remote syslog, two-factor auth to the VPN and servers, AIDE file-integrity monitoring, 3rd-party DB encryption, crazy filesystem structures, etc.). These were deemed acceptable by the auditors, and all was approved.

The first thing you need to understand about auditors is they may not know anything about how the technology in scope is used in the real world.

There are a lot of DNS security vulnerabilities and issues that should be addressed in an audit. They will never get to the real issues if they are distracted by bright shiny objects like “antivirus on a DNS server” checkbox.

DNS servers have become popular with PCI auditors this year.

The important thing to recognize is that while DNS servers do not handle sensitive data, they support your environments which do. As such, auditors are starting to flag these devices as “PCI supporting”, similar to NTP servers. Auditors typically apply a different set of requirements to PCI supporting environments than they do the PCI environments themselves.

I would speak to the auditors and ask them to clarify the difference in their requirements between PCI and PCI supporting, just to make sure that this requirement didn’t accidentally sneak in. We did need to make sure that our DNS servers met hardening guidelines similar to the PCI environments, but anti-virus was not one of the requirements we faced.

Leave a Reply

Your email address will not be published. Required fields are marked *