      DNS Server Not Responding Error? Here’s How To Fix It (13 Ways)

      Unlike many problems that affect websites, the DNS Server Not Responding error seems pretty descriptive. Clearly, some distant server isn’t playing ball and it’s blocking you from visiting a particular website.

      But what exactly is a DNS server and why is it misbehaving? In a strange way, the information provided by the error message is only useful if you already know what it means.

      To help you resolve this issue, we decided to take a deeper look at the DNS Server Not Responding error, and all the possible causes. Keep reading to find the answers you’re looking for!

      What Does The “DNS Server Not Responding” Error Mean?

      To understand this error, we first need to take a quick look at DNS, or domain name system.

DNS

The Domain Name System (DNS) is the distributed directory that maps domain names to IP addresses (and to other record types, such as the mail servers for a domain). It lets you browse the web by typing a name such as example.com instead of a numeric address.

Whenever you ask your browser to connect to a website, a DNS server (normally the recursive resolver your ISP or router hands out, or a public one you have configured) has to convert the domain name (e.g., mysite.com) to the IP address of the hosting server: an IPv4 address such as 203.0.113.10, or an IPv6 address such as 2001:db8::10. This is where the site actually lives; the domain name is simply a pretty title that is easier for humans to remember.

The DNS Server Not Responding error occurs when, for some reason, your device can't get an answer from the server that handles the domain name to IP address translation.

There are three underlying reasons why this could be happening:

• The DNS server is down or unreachable: There is something wrong with the resolver itself, or its network connection.
• You have connectivity issues: Often due to an outage somewhere between you and the resolver, including problems on your own network.
• The DNS record for the domain name is incorrect or missing: The resolver doesn't know which IP address to point the domain name to. Strictly, the resolver does respond in this case (with "no such name" or an empty answer), so if you query it directly you can tell this cause apart from the first two, even though a browser may show a similar error for all three.


      In order to fix the error, we need to work through a checklist that covers all three possible causes.

      Fixing The DNS Server Not Responding Error

If the DNS Server Not Responding error appears only on your site, it might be because your domain name isn't configured correctly.

• Make sure your domain name hasn't expired, and that the nameservers set at your registrar point at the provider that actually hosts your DNS zone.
• Check that the zone has an A record (and an AAAA record, if the site is reachable over IPv6) pointing at your server's address, with no typos.
• If you made changes recently, give them time to propagate: up to the record's old TTL for a changed record, and often longer for a nameserver change.
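Rather than guessing which of the three causes applies, you can ask a resolver directly and read its answer. The following is an added example, not code from this article: a small standard-library Python client that sends one query over UDP, checks that the reply carries the transaction ID it sent (a mismatched reply is stale or forged and is rejected), and classifies the outcome as no reply, NXDOMAIN, SERVFAIL, an empty answer, or a list of addresses. It handles both A and AAAA lookups and takes any resolver address, so it also serves the later steps on IPv6 and on switching resolvers. The name example.com, the documentation addresses in the tests, and the 8.8.8.8 / 1.1.1.1 defaults are illustrative choices; make_reply() exists only to build constructed replies for offline checking.

```python
"""Ask a DNS resolver directly and classify its answer (RFC 1035 wire format).

Added example, not code from the article; standard library only. make_reply()
builds constructed replies so the parser can be checked offline.
"""
import random
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype="A", txid=None):
    """Return (txid, packet) for a recursive query. The random transaction ID (plus
    the kernel's random source port) is what an off-path forger must guess."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def _skip_name(data, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data, expected_txid):
    """Parse a raw reply into {'rcode', 'answers'}; reject replies that don't match."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:  # CNAMEs and other types are skipped
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": RCODE.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def classify(result):
    """Map a parsed reply (None = nothing came back) onto the three causes above."""
    if result is None:
        return "no reply: resolver unreachable or not responding (cause 1 or 2)"
    rcode, answers = result["rcode"], result["answers"]
    if rcode == "NXDOMAIN":
        return "NXDOMAIN: name does not exist (expired, mistyped or wrong zone; cause 3)"
    if rcode == "SERVFAIL":
        return "SERVFAIL: resolver could not complete the lookup (delegation, DNSSEC or upstream)"
    if rcode == "NOERROR":
        return ("OK: " + ", ".join(answers)) if answers else \
            "NODATA: name exists but has no record of the requested type (cause 3)"
    return "unexpected rcode " + rcode

def make_reply(query, rcode=0, addresses=()):
    """Construct a reply to query (offline testing only; not real resolver output)."""
    txid = struct.unpack("!H", query[:2])[0]
    rrs = b""
    for addr in addresses:
        fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
        rdata = socket.inet_pton(fam, addr)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 28 if fam == socket.AF_INET6 else 1,
                                         1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    return header + query[12:] + rrs

def diagnose(name, server="8.8.8.8", qtype="A", timeout=3.0):
    """Send one UDP query to server:53 and classify what comes back."""
    txid, packet = build_query(name, qtype)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    return classify(parse_response(data, txid))

if __name__ == "__main__":
    for resolver in ("8.8.8.8", "1.1.1.1"):  # add your ISP's resolver to compare
        for rtype in ("A", "AAAA"):
            print(resolver, rtype, diagnose("example.com", resolver, rtype))
```

Run it with the resolver your network handed out alongside a public one: "no reply" from the first and "OK" from the second points at cause 1 or 2 on your side, while NXDOMAIN or NODATA from every resolver points at the domain's records. Because only UDP is used, a large answer could come back truncated; that is a sign to retry over TCP, which this diagnostic does not do.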

      If none of this helps, or you see the error on other websites, here are all the ways you can fix a DNS Server Not Responding error:

      1. Try Using A Different Browser

Strictly speaking, switching to another browser won't fix DNS issues. But it can reveal what has gone wrong.

Every browser maintains a cache, where content is stored temporarily for quick access. Chrome, Firefox and their relatives also keep a short-lived host cache of recent DNS answers that is separate from the operating system's. If a stale or wrong answer is sitting in it, you will get the same error every time you revisit the page, even after the record has been fixed.

Cache

A cache is a temporary data storage layer that is designed to improve data access speeds by reducing the time needed to read and write data from a permanent data storage location.

By moving to a different browser you use a different cache. Browsers normally hand name lookups to the operating system, but one with DNS-over-HTTPS enabled (Firefox in some regions, or Chrome's Secure DNS setting) sends queries to its own resolver rather than the one your network provides, so it may succeed or fail independently of other apps. In addition, you will bypass other issues like extensions that block connections.

      2. Check The Site From A Different Device

      If you’re still seeing an error on a particular website after changing your browser, try swapping to a different device. This will ensure that some other unexpected issue in your local system isn’t causing the problem.

      If you don’t have access to another desktop computer, simply pull out your phone and try to visit the page in question. If this doesn’t fix the error, it’s also worth connecting to a different network or switching to data.

      3. Restart Your Computer

Another way to deal with cache-related problems is by restarting your device. This clears the operating system's resolver cache, so your device will have to perform a fresh DNS lookup when you visit the problematic page.

Restarting your device also renews its DHCP lease (including the DNS servers the network hands out) and restarts the DNS client service, which can be enough to fix certain connectivity issues. It could be enough to clear the error.


      4. Restart Your Computer In Safe Mode

Sometimes, software and related drivers on your device are the cause of the blocked DNS connections. To test for this, boot your device into Safe Mode with networking:

Windows:

1. On the sign-in screen (or from the Start menu's power button), click Restart while holding Shift.
2. Select Troubleshoot > Advanced options > Startup Settings > Restart.
3. After the restart, press 5 or F5 to start Safe Mode with Networking (plain Safe Mode has no network stack, so it is no use for this test).

Mac: On an Intel Mac, hold Shift as you power up until the login window appears. On an Apple silicon Mac, hold the power button until "Loading startup options" appears, select your startup disk, then hold Shift and click Continue in Safe Mode.

Android: Long-press the on-screen Power off option and choose Reboot to safe mode (on some phones you instead hold volume down while the device boots). iOS has no safe mode; the closest equivalent is a restart with any VPN or content-filter profile removed.

In this mode, your machine loads only essential drivers and services and skips third-party startup items. If the problem sites load normally in Safe Mode, a third-party program or driver is interfering with name resolution.

This is tedious to narrow down, because the only way to find the precise cause is to re-enable startup items and services in batches (on Windows, the Startup tab in Task Manager and the Services tab in msconfig are the quickest way) and retest. That said, it's most likely to be something like a VPN client, a "web protection" module in security software, or a DNS filtering or parental-control tool.

      5. Turn Off Antivirus Software And/Or Your Firewall

Antivirus applications and firewalls protect your device by inspecting traffic, and some include a "web protection" or DNS filtering module that intercepts name lookups. From time to time these tools meddle too much with your connection and end up blocking DNS itself.

As such, it's worth switching off your antivirus program and/or firewall protection temporarily (on a network you trust, and only for as long as the test takes) to see whether they are causing the problem.

      If this resolves the problem, make sure to turn your protection back on. Then, look through the settings to find anything related to DNS that may be causing your troubles. If your chosen software package includes support, it may be worth reaching out to your provider for help.

      6. Turn Off Your VPN

VPNs, or virtual private networks, add a layer of privacy by routing your device's traffic through an encrypted tunnel. So far, so useful. The catch is that most VPN clients also replace your DNS servers with their own and block lookups to any other resolver (to prevent DNS leaks), so if the VPN's resolver is unreachable, or it filters the domain you want, every lookup fails.

To test this idea, switch off your VPN and try to visit the page where you had the DNS server issue. If this resolves your problem, restart the VPN and take a look at its settings: you're looking for controls related to DNS, such as a custom DNS server, "DNS leak protection", or content filtering. If you need a helping hand, try contacting your VPN provider for support.

      7. Flush DNS Cache

You don't necessarily need to restart your device to flush the DNS cache. You can do it manually instead:

Windows:

1. Press Win + R, type cmd, and press Ctrl + Shift + Enter to open an elevated Command Prompt.
2. Optionally run ipconfig /displaydns first: a stale or wrong address cached for the site is direct evidence of the cause.
3. Run ipconfig /flushdns.

Mac:

1. Open Terminal and run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
2. Enter your admin password when prompted and press Return.

Linux (systemd-resolved): run resolvectl flush-caches.

iOS: Turn Airplane Mode on and back off again, or restart the device.

Android:

1. In Chrome, type chrome://net-internals/#dns into the address bar.
2. Tap Clear host cache. This clears Chrome's own host cache (the same page works in desktop Chrome); reconnecting to the network, for example by toggling Airplane Mode, resets the system-level cache.

      By flushing your DNS cache, you will force your device to re-query the DNS server for each site you visit. This ensures you have updated mappings of domain names to IP addresses — an essential first step in network diagnostics.

      8. Restart Your Router

      Network connection issues are a common cause of DNS server errors. One easy way to fix this kind of problem is by restarting your internet router.

      Switch it off and unplug the power cable for around 30 seconds. This should clear any corrupted DNS entries that have been stored in the router cache, and renew your connection.

      At the same time, it’s worth checking that your router’s firmware is up to date. Outdated firmware can cause connectivity issues that prevent DNS lookups. In combination, these steps might fix your problem.

      9. Disable IPv6

Internet Protocol is the addressing scheme that gives every device on the internet an IP address. IPv6 (Internet Protocol version 6) is the newer version, introduced because IPv4 addresses ran out. It has not replaced IPv4: most devices run both ("dual stack") and prefer IPv6 whenever the network offers it.

However, not every network, router or DNS server handles IPv6 correctly.

A common failure is a router or network that advertises an IPv6 DNS server address that doesn't actually work. Your device tries that resolver first, the query times out, and you see a DNS Server Not Responding error even though the IPv4 resolver is fine. Dual-stack setups can also struggle when one of the two paths is broken.

For this reason, it's worth temporarily switching off IPv6 to see whether you can access a website via IPv4 alone.

      The exact process depends on your platform, but it usually involves:

      1. Visiting the network settings on your device.
      2. Selecting your active connection (usually Ethernet or Wi-Fi).
      3. Accessing the advanced options via Advanced, Properties, or i.
      4. Toggling IPv6 off, and saving your changes.

      screenshot of windows DNS settings options to toggle IPv4 and IPv6 on and off

Lastly, restart your device to test whether this has worked. If you see no improvement, reverse the process to switch IPv6 back on; disabling it is a diagnostic step, not a permanent fix, and leaving it off can break services that depend on it.

      10. Change The Default DNS Server

      Normally speaking, your device connects to a DNS server provided by your ISP (Internet Service Provider). If you’re having DNS issues, it might be because this server is misbehaving. The solution here is to switch to a different server.

Organizations like Google and Cloudflare provide public DNS servers that anyone can use. Some people prefer them because they can speed up page loading. Others use an alternative resolver for privacy or filtering reasons. Bear in mind that whoever runs the resolver sees every name your device looks up, so pick one whose policies you acc$ept; the providers below also offer encrypted DNS (DNS-over-HTTPS and DNS-over-TLS), which stops anyone on the path from reading or tampering with your queries.

      Some of the most popular alternate DNS providers include:

• Google: 8.8.8.8 and 8.8.4.4 (IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844)
• Cloudflare: 1.1.1.1 and 1.0.0.1 (IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001)
• OpenDNS: 208.67.222.222 and 208.67.220.220

      Here’s how to switch your DNS server address.

Windows:

1. Open Control Panel > Network and Sharing Center > Change adapter settings, right-click your active connection and choose Properties.
2. Select Internet Protocol Version 4 (TCP/IPv4), click Properties, and choose Use the following DNS server addresses.
3. Under Preferred DNS server, enter the address of your preferred DNS server; under Alternate DNS server, enter your backup, then click OK. Repeat for Internet Protocol Version 6 (TCP/IPv6) if you use the IPv6 addresses.

Mac:

1. Open System Settings > Network (System Preferences > Network on older Macs) and select your primary internet connection in the sidebar.
2. Click Details (or Advanced on older Macs), then select DNS.
3. At the bottom of the DNS Servers list, click the + button and enter your new DNS address.
4. Make sure to click OK and Apply before leaving the Network screen.

iOS:

1. Open Settings > Wi-Fi and tap the i icon next to the network you're connected to.
2. Tap Configure DNS and switch from Automatic to Manual.
3. Tap Add Server, enter the new DNS address, and tap Save. The setting applies to this Wi-Fi network only.

Android:

1. Open Settings > Network & internet (Settings > Connections > More connection settings on Samsung phones).
2. Tap Private DNS, choose Private DNS provider hostname, and enter the provider's hostname rather than an IP address (for example dns.google or one.one.one.one). Private DNS uses DNS-over-TLS, so this also encrypts your lookups.

Once you have finished changing your DNS server settings, flush the DNS cache (or restart your device) before trying to access the internet. This ensures the new settings are used rather than cached answers, giving you a chance of beating those pesky errors!

      11. Update Network Adapter Drivers

      A network adapter driver is a piece of software that allows an operating system to communicate with a network adapter. This is the small card in your device that handles internet connections.

      If the driver software isn’t regularly updated, it can start to create problems. Likewise, a driver that is corrupted, or incompatible with a new network adapter, is likely to create headaches.

      One possible symptom is — you guessed it — the kind of DNS error we’re trying to fix.

Many devices update their network drivers automatically; macOS handles this chore behind the scenes. On Windows, you can take control yourself:

1. Open Device Manager and expand Network adapters.
2. Right-click the adapter you are using (Wi-Fi or Ethernet).
3. Select Update driver, then Search automatically for drivers. If that finds nothing, download the driver from the PC or adapter maker's website rather than from third-party "driver updater" sites.

      If possible, it’s a good idea to connect to the internet via an Ethernet cable when updating your drivers. The reason is simple: you’re updating the piece of hardware you need in order to download the update. Interruptions due to poor Wi-Fi signal can mess up the process.

      Once you have updated your drivers successfully, restart your device and see if DNS is working properly.

      12. Disable Secondary Connections

      Some devices have more than one network adapter. For example, wired and wireless connections use different adapters.

In most cases, you only need one adapter at a time. Disabling the others is worth trying because each connection carries its own DNS server list, and the operating system may send queries out of the wrong one (for example, a plugged-in but dead Ethernet link) or pick up a bad resolver from it.

      To do this, visit the network settings on your device and turn off all live connections other than the one you’re using (e.g., If you’re connected via Wi-Fi, disable the Ethernet connection.)

It's also worth checking whether you have a virtual network adapter running. This is a software-defined interface, created by VPN clients, hypervisors and container tools, that carries traffic over the same physical adapter. VPNs use one to tunnel some traffic through the private network and some through the regular connection, and a virtual adapter can bring its own DNS settings that take priority over your physical connection's.

To make sure a misbehaving virtual network adapter isn't causing your problems:

Windows:

1. Open Control Panel > Network Connections.
2. Right-click on the virtual adapter you want to switch off, and select Disable.
3. Confirm you want to disable the adapter. This will take it offline.

Mac:

1. Open System Settings > Network (System Preferences > Network on older Macs).
2. Select the virtual adapter in the sidebar, and click the gear (or ...) icon.
3. Select Make Service Inactive (Make Inactive on newer versions) to disable the adapter.

iOS / Android:

1. Find the VPN settings on your device.
2. Tap the i or gear icon.
3. Switch off the connection.

      Once again, try to reload the malfunctioning page to see if the DNS error message has cleared.

      13. Disable Peer-To-Peer Feature (Windows)

      No luck? Don’t worry, there is one more potential fix you can try.

      Windows has a peer-to-peer feature, which helps to reduce the amount of bandwidth needed while downloading updates. Rather than forcing your device to swallow all the data in one big lump, this option splits updates into individual pieces. The PC that receives these pieces can then share them with others on the same network.

This is obviously a useful feature. But Delivery Optimization keeps extra background connections open, and some users find that Windows P2P interferes with the DNS lookup process. Switching it off is cheap to try when diagnosing errors:

      1. Navigate to Settings > Windows Update.
      2. Next, click on Advanced Options > Delivery Optimization.
      3. Toggle the switch labeled Allow downloads from other PCs.


      You will then need to restart your computer to test, once again, whether the DNS error has cleared. Fingers crossed!

      Frequently Asked Questions

      Still have questions? You’ve come to the right place. Here’s a little extra detail on fixing your DNS settings, and a closer look at why failures happen:

      How Do You Reset Your DNS Server?

After following the various troubleshooting steps above, you may decide that you want to go back to the DNS servers you originally had.

To do this, retrace the steps in #10 and remove the addresses you added: on Windows, select Obtain DNS server address automatically; on a Mac or iOS, select the entries and press the minus button; on Android, set Private DNS back to Automatic. After a restart (or a cache flush), your device will go back to the DNS servers handed out by your network, usually your ISP's.

      What Causes A DNS Failure?

      In simple terms, a DNS failure happens when your browser cannot convert a domain name to an IP address. However, there can be many different underlying causes.

      The DNS process offers access to over 1 billion internet hosts. That’s one mighty “phone book.” So, it’s almost inevitable that the system will have some flaws.

      Most DNS problems that people encounter are caused by issues with internet access or software on their device. Actual failures are most commonly caused by server outages or incorrectly configured domain names.

      Set Up Your Site Correctly With DreamHost

      If you want to avoid seeing DNS errors pop up on your website, you might want to switch to DreamHost.

      Our hosting panel makes it really easy to configure your site correctly and manage all your domain names on a single page. If you ever get stuck, our Technical Support team is available 24/7 to provide help — and that’s on every single plan.

      Sounds good? Sign up today to give it a try for yourself!


      SQL Server Security Best Practices, Part 2


      This guide is the second in a series of articles that covers SQL Server security best practices.
      Part 1 of this series discussed a SQL Server installation’s physical security, operating system security, and application maintenance. Additionally, the previous guide outlined how to disable unnecessary features, enable encryption, and implement data masking.

The second part of this series describes how and why you should:

• Choose a SQL Server authentication mode
• Restrict the System Administrator (SA) account
• Assign least-privileged operating system accounts to SQL Server services
• Restrict SQL traffic to designated addresses
• Apply SQL Server patches
• Take and secure backups
• Use auditing

      SQL Server Authentication

Protection of data stored with SQL Server depends upon the ability to authenticate access to specific sets of data. SQL Server provides two options for database authentication in a Windows or Linux environment:

• Windows Authentication mode (Active Directory authentication on Linux)
• SQL Server and Windows Authentication mode, usually called mixed mode

You are prompted to select one of these SQL Server authentication modes during SQL Server setup.

      Note

      You can change the SQL Server authentication mode even after the initial installation decision has been made.

      Windows or Linux Authentication Mode

In this mode, a user logs into SQL Server using their Windows or Active Directory account. The account name and password are validated by the operating system (or the domain controller); SQL Server does not prompt for a password and does not perform the validation itself.

Windows or Linux authentication uses Active Directory (AD) accounts (on Windows, local machine accounts also work). As a result, you get centralized policy control for authentication. Policies can govern password strength and complexity, password expiration, account lockout, and group membership, all managed in Active Directory.

Windows or Linux-based authentication is the default authentication mode and is much more secure than SQL Server Authentication (discussed in the next section). It uses the Kerberos protocol, falling back to NTLM on Windows when no Service Principal Name (SPN) is registered for the instance, to support the above-mentioned security features. A connection made using Windows or Linux Authentication is sometimes called a trusted connection because SQL Server trusts the credentials provided by the underlying operating system.

      SQL Server and Windows/Linux Authentication Mode (Mixed-Mode)

When using SQL Server Authentication, logins are created in SQL Server and are not based on Windows or Linux user accounts. Both the username and the password are defined in SQL Server, which stores a salted hash of the password in the master database. Users connecting with SQL Server Authentication must provide their credentials (username and password) every time they connect, which means the application has to keep that password somewhere.

This mode does not use Kerberos, and it is considered inferior to Windows or Linux Authentication mode. If you must enable it, keep CHECK_POLICY and CHECK_EXPIRATION on for each SQL login so that the operating system's password policy still applies.

      System Administrator (SA) Account

The built-in System Administrator (sa) login, a member of the sysadmin role, always exists; choosing SQL Server and Windows (mixed-mode) authentication enables it and asks you for its password, while in Windows-only mode it stays disabled. To increase the security of your SQL Server, you should perform the following:

      1. Rename the SA login account to a different, more obscure, name.
      2. Disable the account entirely, if you do not plan on using it.
      3. For the SA (or renamed) account, select a complex password, consisting of lower/upper case letters, numbers, and punctuation symbols.
      4. Do not allow applications to use the SA (or equivalently renamed) account in any of the application connection strings.

      Note

      Any other user-based (lower-privileged) SQL Server accounts should also use complex, unique passwords.
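Point 4 above is the one most often broken in practice, because the sa password ends up in a connection string that ships with the application. The following is an added example, not code from the Linode guide: a Python script that parses ADO.NET/ODBC-style connection strings (folding together the keyword synonyms SqlClient accepts) and reports applications that log in as sa or as a renamed sysadmin login you pass in, SQL logins whose password is embedded in config, and transport settings that would expose that password on the wire. The strings in SAMPLE_CONFIG, the server names and the login names are constructed for illustration.

```python
"""Audit SQL Server connection strings for the mistakes this section warns about.

Added example, not code from the Linode guide. Reports applications that log
in as sa (or a renamed sysadmin login you pass in), SQL logins whose password
is embedded in config, and transport settings that would hand that password
to anyone who can sit between client and server. SAMPLE_CONFIG is constructed.
"""
import re

# SqlClient and ODBC accept several spellings of the same keyword; fold them.
_ALIASES = {
    "user id": "user", "uid": "user", "user": "user",
    "password": "password", "pwd": "password",
    "integrated security": "integrated", "trusted_connection": "integrated",
    "data source": "server", "address": "server", "addr": "server", "server": "server",
    "trustservercertificate": "trustcert", "encrypt": "encrypt",
}
# key=value pairs separated by ';'; a value that contains ';' must be quoted
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\"[^\"]*\"|'[^']*'|[^;]*?)\s*(?:;|$)")


def parse_connection_string(text):
    """Split 'Key=Value;...' into a dict keyed by canonical lowercase names.
    A repeated key keeps its last value, which is what SqlClient does too."""
    pairs = {}
    for m in _PAIR.finditer(text):
        key, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip the quotes SqlClient allows around a value
        pairs[_ALIASES.get(key, key)] = value
    return pairs


def _enabled(value):
    return value.strip().lower() in {"true", "yes", "sspi", "1", "mandatory", "strict"}


def audit(text, admin_logins=("sa",)):
    """Return the findings for one connection string; an empty list means clean."""
    p = parse_connection_string(text)
    findings = []
    integrated = _enabled(p.get("integrated", "false"))
    user = p.get("user", "")
    if not integrated and user.lower() in {a.lower() for a in admin_logins}:
        findings.append(f"application logs in as the sysadmin login '{user}'")
    if not integrated and p.get("password"):
        findings.append("SQL login password embedded in the connection string; use "
                        "Integrated Security or inject it from a secret store at runtime")
    elif not integrated and user:
        findings.append(f"SQL login '{user}' with no password in the string")
    if not _enabled(p.get("encrypt", "false")):
        findings.append("Encrypt is not true: login and data cross the network as cleartext "
                        "TDS (System.Data.SqlClient defaults to false, Microsoft.Data.SqlClient 4+ to true)")
    if _enabled(p.get("trustcert", "false")):
        findings.append("TrustServerCertificate=true: the server certificate is never validated, "
                        "so a spoofed server can harvest the login")
    return findings


SAMPLE_CONFIG = {  # constructed strings in the style of appsettings/web.config entries
    "legacy-web": "Server=db1.internal;Database=Orders;User ID=sa;Password=Summ3r2019!;",
    "reports": "Data Source=db1.internal;Initial Catalog=Orders;Integrated Security=SSPI;Encrypt=True;",
    "etl": "Server=db1.internal;UID=etl_svc;PWD='p;ss';Encrypt=true;TrustServerCertificate=true;",
}


def audit_all(config, admin_logins=("sa",)):
    """Audit every named connection string; returns {name: [findings]}."""
    return {name: audit(cs, admin_logins) for name, cs in config.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

If you have renamed sa as point 1 recommends, pass the new name in admin_logins so the check still catches it. Run this over every configuration file and secret store export you can find; the "legacy-web" pattern, a sysadmin login with a cleartext password and no encryption, is exactly what an attacker who reaches the application server is looking for.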

      High-Privileged Operating System Accounts

SQL Server uses a Windows or Linux account to run its services. You should not assign high-privileged, built-in accounts (or equivalents) such as Network Service or Local System to the various SQL Server services. SQL Server setup's default of a per-service virtual account (for example NT Service\MSSQLSERVER) or a (group) managed service account is the right choice, because setup grants it exactly the rights it needs. Running as a high-privileged account increases the damage an attacker can do, since anyone able to execute commands through the database engine (xp_cmdshell, CLR assemblies, SQL Agent jobs) inherits the service account's privileges on the host.

Only assign accounts with the level of privilege each service actually requires. If not needed, any other high-privileged operating system accounts on the server housing SQL Server should be disabled.

      Restrict SQL Traffic

Database servers typically have one or more application servers connecting to them. Access must be allowed only to and from designated IP addresses, which stops a stray or compromised host from even reaching the listener. In certain cases, a user of SQL Server may need to connect directly to the database; restrict those connections to the specific IP addresses (or at least the narrowest CIDR block) that require it.

These IP restrictions can be managed with different solutions on different platforms, such as the host firewall (Windows Defender Firewall with Advanced Security, or UFW, nftables or FirewallD on Linux) and a network or cloud firewall in front of the instance.

      SQL Server Patches (Service Packs)

Microsoft regularly releases SQL Server Cumulative Updates (and, for versions up to SQL Server 2016, service packs), plus out-of-band security updates (GDRs), for fixing known issues, bugs, and security vulnerabilities. It is highly advisable to keep production instances of SQL Server patched. However, before applying a patch to production systems, apply it in a test environment first, to validate the changes in the patch and ensure that your database operates as expected under it.

      Backups

      When dealing with production instances of SQL Server, it is important to regularly backup the server’s databases. A database backup creates a copy of the operational state, architecture, and stored data of a database. Backups help guard against potential database failures. These failures can happen because of corruption, disk array failure, power outages, disasters, and other scenarios.

Backups can also assist with non-failure scenarios where a rollback of your database to a particular point in time may be necessary. Full backups (on a regular schedule) together with differential backups and, for databases in the full recovery model, frequent transaction log backups should be performed and retained; the log backup interval sets how much data you can lose.

      Securing your backups is critical, and database professionals sometimes do not consider all of the requirements for securing database backups. This work includes:

      • Restriction of access to backup files. Do not provide all people in your organization the access rights (create, view, modify, and delete) to backup files.

• Encrypting backup files properly. BACKUP ... WITH ENCRYPTION uses a certificate or asymmetric key held in master, so back that certificate (with its private key) up separately and store it away from the backups themselves. An encrypted backup whose certificate has been lost cannot be restored, which is as bad as having no backup.

      • Storing backups in an off-site facility. Depending on the organization and the critical nature of the database data, backups of a certain age should be preserved and archived.

      Auditing

      Auditing is another key component of SQL Server security. A designated database administrator or database security team should regularly review SQL Server auditing logs for failed logins.

SQL Server provides a default login audit mechanism for reviewing login attempts (Server Properties > Security > Login auditing). These records go to the SQL Server error log and contain the login name and the client IP address. Login failures can assist in discovering and eliminating suspicious database activity. Beyond the login audit, the following mechanisms can capture activity in SQL Server:

• Extended Events: Extended Events is a lightweight performance monitoring system that enables users to collect data needed to monitor and troubleshoot problems in SQL Server.

• SQL Trace: SQL Trace is SQL Server's built-in utility that monitors and records SQL Server database activity. This utility can display server activity, create filters that focus on the actions of users, applications, or workstations, and can filter at the SQL command level.

• Change Data Capture: Change Data Capture (CDC) uses SQL Server Agent jobs to record insert, update, and delete activity that applies to a specific table.

• Triggers: Application-based SQL Server Triggers can be written specifically to populate a user-defined audit table to store changes to existing records in specific tables.

• SQL Server-Level Audit Specifications: A Server Audit Specification defines which audit action groups are recorded for the entire server (or instance), such as the creation of a table or modification of a server role; a Database Audit Specification does the same at database level, down to SELECT on a particular table. A server audit can also record failed logins (FAILED_LOGIN_GROUP) to a file or the Windows event log, where they are harder for an intruder to tamper with than the error log.

      Hardware and/or software firewall logs (that is, external to SQL Server) should be regularly examined to monitor and detect any nefarious attempts at server penetration.
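As an added example (not the guide's own code) of the failed-login review described above, the following Python script reads SQL Server ERRORLOG lines produced by login auditing, extracts the login name and client address from each failure, flags clients that exceed a threshold of failures within a sliding window, and lists every attempt against the sa login regardless of rate. The lines in SAMPLE_ERRORLOG are constructed for illustration but follow the real format (an "Error: 18456" line followed by a "Login failed for user" line); the threshold and window are assumptions to tune for your environment.

```python
"""Find password guessing in the SQL Server ERRORLOG.

Added example, not code from the Linode guide. With login auditing set to
'Failed logins only' or 'Both' (Server Properties > Security), every rejected
login writes an 'Error: 18456' line followed by a 'Login failed for user' line
naming the login and the client address. This groups failures per client in a
sliding window and separately lists every attempt on the sysadmin login.
SAMPLE_ERRORLOG is constructed for illustration.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*"
    r"(?:Reason: (?P<reason>.*?)\s*)?\[CLIENT: (?P<client>[^\]]+)\]"
)

SAMPLE_ERRORLOG = """\
2024-03-05 02:14:07.31 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-05 02:14:07.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-05 02:14:08.02 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-05 02:14:08.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-03-05 02:14:08.77 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-05 02:14:08.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-05 02:14:09.40 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-05 02:14:09.40 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-03-05 02:14:10.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-05 02:14:10.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-05 09:30:12.55 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-05 09:30:12.55 Logon       Login failed for user 'orders_app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.4.21]
2024-03-05 09:31:40.19 Logon       Login succeeded for user 'CORP\\svc_reports'. Connection made using Windows authentication. [CLIENT: 10.0.4.22]
"""


def parse_failures(lines):
    """Return [(timestamp, login, reason, client)] for every failed-login line."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line.rstrip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["reason"] or "", m["client"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failures inside any `window`.

    Returns {client: (peak failures in one window, sorted logins tried)}. One
    address cycling through logins (sa, admin, root) is the classic guessing
    signature; a misconfigured application usually fails with a single login."""
    recent, peak, logins = defaultdict(deque), defaultdict(int), defaultdict(set)
    for ts, login, _reason, client in sorted(events):
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
        logins[client].add(login)
    return {c: (peak[c], sorted(logins[c])) for c in peak if peak[c] >= threshold}


def sysadmin_attempts(events, admin_logins=("sa",)):
    """Every failure against a sysadmin login, whatever the rate: nothing
    legitimate should be logging in as sa (or its renamed equivalent) remotely."""
    wanted = {a.lower() for a in admin_logins}
    return [(ts, login, client) for ts, login, _r, client in events if login.lower() in wanted]


def analyse(text, threshold=5, window=timedelta(minutes=1), admin_logins=("sa",)):
    """Run both checks over the text of an ERRORLOG."""
    events = parse_failures(text.splitlines())
    return {"failures": len(events),
            "bursts": find_bursts(events, threshold, window),
            "sysadmin": sysadmin_attempts(events, admin_logins)}


if __name__ == "__main__":
    # usage: python thisfile.py ERRORLOG [encoding]; a Windows ERRORLOG is UTF-16
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding=sys.argv[2] if len(sys.argv) > 2 else "utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ERRORLOG
    report = analyse(text)
    print(f"{report['failures']} failed logins")
    for client, (peak, tried) in report["bursts"].items():
        print(f"BURST  {client}: {peak} failures in one window, logins tried: {tried}")
    for ts, login, client in report["sysadmin"]:
        print(f"SYSADMIN  {ts} {login} from {client}")
```

The State value on the "Error: 18456" line tells you why each attempt failed (8 is a wrong password, 5 an unknown login, 7 a disabled login); a run of State 5 from one address is someone enumerating login names. If you renamed sa, pass the new name in admin_logins.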

      Conclusion

In part two of this article series, you reviewed additional methods of enhancing the security of SQL Server databases. These included choosing an authentication mode, restricting the System Administrator account, assignment of security-friendly accounts to SQL Server, restricting SQL traffic, application of patch updates, backup strategies, and use of auditing. To review earlier security recommendations, revisit Part 1: SQL Server Security Best Practices.




      SQL Server Security Best Practices


      SQL Server security is perhaps one of the most overlooked facets of database server maintenance. Without taking the necessary precautions, an instance of SQL Server can be ripe for abuse and failure.

The SQL Database Security: User Management guide discussed the logical implementation of users, groups, roles, and permissions to enhance, or limit, database user security. Part one of the SQL Security Best Practices guide discusses a variety of important additional maintenance and security topics.

      SQL Server Security: Infrastructure

      A very big part of SQL Server security is the physical security associated with the location of the SQL Server database. For SQL Server physical security, you consider things such as the safety and access of the data center, and other physical aspects associated with the server that the database resides on. For example, data center access can be controlled by things like human guards, keys, smart card access, face recognition software, and fingerprint readers.

      Data centers not only need to protect the servers where SQL Server resides, but other pieces of infrastructure. It may include things like modems, hubs, routers, storage arrays, and physical firewall devices. Physical security requires dealing with hardware devices, software (firewalls, operating systems, layered products), and network infrastructure, and keeping them at arms-length from humans, hackers, and any potential natural disasters (floods, hurricanes, power outages, etc).

      A person in charge of physical security must deal with things such as 24×7 security guards, climate control monitoring (extreme hot or extreme cold can affect equipment adversely), fire detection and suppression systems, water leakage detection mechanisms, ensuring that necessary equipment is plugged into Uninterruptible Power Supply (UPS), and the scheduling of both hardware and software preventative maintenance.

      One advantage to hosting a SQL Server in the cloud is that the cloud infrastructure provider is responsible for the physical security of the server hardware.

      SQL Server Security: Operating System and Applications

      Next on the list of security issues is the operating system that SQL Server resides on. SQL Server supports both Microsoft Windows and several flavors of Linux. There are many precautions that you must take to protect your operating system from hackers, viruses, and bugs. This could otherwise affect the functioning, access to, and integrity of SQL Server.

      First and foremost, operating system upgrades and (security) patches should always be applied whenever they become available. Before applying them to production-level machines, it may be prudent to apply them first to test or development environments, and allow them to run for a period of time. This ensures that the upgrades and patches are stable and are not problematic. Moreover, when an operating system goes end-of-life, it should always be replaced with a supported operating system version.

It is a good practice to disable public internet access on your servers, to mitigate outside attacks. This can be followed by implementing robust firewalls on your operating system. By defining the appropriate firewall rules, you can restrict access to and from the database servers that run on your server. You can also limit database access only to specific applications. Some popular firewall options for Linux servers are UFW, nftables, and FirewallD. You can also add the free Linode Cloud Firewalls service to the Linode Compute Instance that hosts SQL Server.

      Additionally, it is extremely good practice to remove unnecessary and unused applications from your server. This includes unwanted operating system features (for example, email or FTP) that could potentially lend itself to a security threat.

      Finally, you can make use of SQL Server’s
      Extended Protection for Authentication
      option to prevent an authentication relay attack that exploits service and channel binding.

      By default, Extended Protection is turned off. It is a server-side setting, configured on the Windows host that runs the SQL Server instance with SQL Server Configuration Manager:

      1. Open SQL Server Configuration Manager (under Microsoft SQL Server 200X, Configuration Tools).
      2. Expand SQL Server Network Configuration, right-click Protocols for <instance name> (MSSQLSERVER for the default instance), and select Properties.
      3. On the Advanced tab, set Extended Protection to Allowed (clients that support it are protected, older clients still connect) or Required (connections from clients without Extended Protection are refused).
      4. Restart the SQL Server service for the change to take effect.

      Start with Allowed, confirm that all of your client drivers support Extended Protection, then move to Required. Only Required actually closes the attack, because under Allowed a relayed connection from a client that does not send binding information is still accepted.


      Securing Server Ports

      Another important security measure is to close every server port you do not need at the firewall and open only the ones you do, scoped to the source addresses that need them. For example, by default SQL Server listens on TCP port 1433, so on a dedicated database host you would allow TCP 1433 from the application servers only, and TCP 3389 (Remote Desktop) or TCP 22 (SSH) from administrative addresses only. Named instances listen on a dynamic port unless you pin one, and the SQL Server Browser service answers on UDP 1434; if you do not use named instances, disable the Browser service rather than opening that port. Similarly, Microsoft Analysis Services uses port 2383 as its standard port. Audit any ports used by the rest of your development stack and make sure that only the necessary ports are enabled.

      You may also consider changing SQL Server's default listening port (1433) to another port number. On Windows this is done in the SQL Server Configuration Manager tool; on Linux, with mssql-conf set network.tcpport <port>. Treat this as noise reduction rather than a security boundary: it keeps the instance out of automated scans that only try the well-known port, but any port scan still finds it, and it does not replace the firewall rules above. If you do change it, update the firewall rules and the client connection strings (server,port) to match.
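      Before writing firewall rules it is worth confirming what the instance is actually exposing. The following T-SQL is an example added by the editor, not code from the original guide; it only reads SQL Server's standard dynamic management views and sys.configurations, so no names are assumed. Run it as a login with VIEW SERVER STATE.

```sql
-- 1. Every TCP endpoint the Database Engine is listening on (SQL Server 2012+).
--    ip_address '0.0.0.0' or '::' means "all interfaces": that is what the
--    host firewall must restrict to the application and admin subnets.
SELECT ip_address, is_ipv4, port, type_desc, state_desc, start_time
FROM sys.dm_tcp_listener_states
ORDER BY type_desc, port;

-- 2. The Dedicated Admin Connection (DAC) has its own listener, TCP 1434 by
--    default. Unless 'remote admin connections' is 1 it binds only to
--    loopback, which is the setting you want on an internet-facing host.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'remote admin connections';

-- 3. Who is connected right now, from where, on which local port, and whether
--    the TDS session is encrypted. A client_net_address outside the expected
--    application subnet, or encrypt_option = 'FALSE', is a finding.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       c.client_net_address,
       c.local_tcp_port,
       c.net_transport,
       c.encrypt_option,
       c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
ORDER BY c.client_net_address, c.session_id;
```

      The first query tells you which ports must be open and whether the engine is bound to every interface; the third is the one to re-run after the firewall change, since any client that still connects from an unexpected address means a rule is wider than intended.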

      SQL Server Add-on Features

      SQL Server ships with database engine features that not every installation needs. Several of them let database code reach outside the engine (the file system, the network, COM objects, a command shell), so they are exactly what an attacker who has obtained a privileged SQL login will use to take over the host. It is therefore good practice to disable the components and features you do not use, which shrinks the attack surface. Features you may consider disabling include the following:

      • OLE Automation Procedures: they enable SQL Server to use Object Linking and Embedding (OLE) to create and drive Component Object Model (COM) objects from T-SQL (sp_OACreate and its companions). From a data security standpoint this area is more exposed, since a COM object can read files or make network calls with the rights of the service account.

      • Database Mail XPs: enables the Database Mail extended stored procedures in the msdb database, which let the engine send email. If misused, that is a convenient data exfiltration channel.

      • Scan for startup procs: when enabled, SQL Server runs every stored procedure marked for automatic execution at startup. An attacker who can mark a procedure this way gains persistence that survives a restart.

      • Common language runtime (CLR) integration: allows user-defined .NET assemblies to run inside the engine, with the runtime providing just-in-time compilation, memory management, type safety, exception handling, and threading. An UNSAFE assembly can do anything the service account can. Disable clr enabled if you load no user assemblies, and keep clr strict security on if you do.

      • xp_cmdshell: spawns a Windows command shell with the same security rights as the SQL Server service account, runs the string passed to it, and returns any output as rows of text. It is the classic route from SQL injection or a stolen sysadmin login to host compromise. It is not available on Linux.

      • Cross-database ownership chaining (also known as cross-database chaining): lets a permission check on an object in one database be satisfied by the ownership chain from another database, so a user granted access to a view or procedure in one database can reach the tables it references in a second database without ever being granted access there. Again, if you do not need a particular SQL Server feature, disable it.
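      The following T-SQL, added here as an example and not taken from the original guide, audits the options in the list above, checks for anything that depends on them before they are switched off, and then disables them. It uses only the documented sp_configure option names and catalog views; run it as sysadmin, and treat the commented-out ALTER DATABASE as a template to fill in from the query before it.

```sql
-- Current state of the risky options (value_in_use is what the engine enforces now).
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'Database Mail XPs',
               'scan for startup procs', 'clr enabled', 'clr strict security',
               'xp_cmdshell', 'cross db ownership chaining');

-- Before disabling, find anything that depends on the features so you do not
-- break a job or application silently.
--   Stored procedures marked to run at startup (they live in master):
SELECT name
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;
--   User-defined CLR assemblies (run in each user database):
SELECT DB_NAME() AS db, name, permission_set_desc
FROM sys.assemblies
WHERE is_user_defined = 1;

-- Most of these are advanced options, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Database Mail XPs', 0;
EXEC sp_configure 'scan for startup procs', 0;
EXEC sp_configure 'clr enabled', 0;        -- leave at 1 if the assembly query returned rows
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Chaining can also be switched on per database. System databases (ids 1-4)
-- have it on by design, so look only at user databases.
SELECT name
FROM sys.databases
WHERE is_db_chaining_on = 1 AND database_id > 4;
-- For each name returned:
-- ALTER DATABASE [name_from_above] SET DB_CHAINING OFF;

-- Final check: this should return no rows.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'Database Mail XPs',
               'scan for startup procs', 'clr enabled',
               'xp_cmdshell', 'cross db ownership chaining')
  AND value_in_use <> 0;
```

      Disabling scan for startup procs does not remove procedures that were marked for startup, which is why the audit lists them: review and drop the ones you did not create. Likewise, an attacker with sysadmin can re-enable any of these with the same sp_configure calls, so alert on changes to sys.configurations rather than assuming the setting is permanent.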

      SQL Server Encryption

      A huge area of SQL Server security is encryption. SQL Server supports several mechanisms for protecting sensitive data, and they defend against different threats, so choose by the threat rather than by convenience:

      • Always Encrypted: the client driver encrypts sensitive columns before sending them and decrypts results after receiving them, using column encryption keys that are themselves protected by a master key held outside SQL Server (for example, in the Windows certificate store or Azure Key Vault). The database engine never sees plaintext or keys, so it protects data from database administrators and from anyone who compromises the server itself. The cost is that the engine can only do equality comparisons on deterministically encrypted columns, and no comparisons at all on randomized ones.

      • Transparent Data Encryption (TDE): encrypts the database's data files, log files, and backups at rest, transparently to applications. It solves the problem of a stolen disk or backup tape, not of a stolen login: anyone who can authenticate and has been granted access reads the data in the clear, and data in transit and in use are not protected. Back up the TDE certificate and its private key as soon as you create them, because without them an encrypted backup cannot be restored anywhere else.

      • Column-level (cell-level) encryption: encrypts specific columns, for example credit card numbers, bank account numbers, and social security numbers, with symmetric keys that live in the database and are used through the ENCRYPTBYKEY and DECRYPTBYKEY functions. Because the engine holds the keys, a sysadmin can still decrypt; its benefit over TDE is that an application principal without permission to open the key sees only ciphertext.
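      The following T-SQL is an example added by the editor, not code from the original guide, showing the two server-side options from the list above: TDE for a whole database, then column-level encryption for a single card-number column. The database name PayrollDb, the certificate and key names, the backup paths, and the placeholder passwords are all assumptions. Always Encrypted is not shown because its keys and encryption live in the client driver, not in T-SQL.

```sql
------------------------------------------------------------------
-- 1. TDE: data files, log, and backups encrypted at rest, transparently.
------------------------------------------------------------------
USE master;
-- The server master key protects the certificate; the certificate protects the
-- database encryption key. Skip CREATE MASTER KEY if master already has one.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong, unique password>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for PayrollDb';

-- Back the certificate and private key up NOW and store them off the server:
-- an encrypted backup is unrecoverable without them. (Paths are assumed.)
BACKUP CERTIFICATE TdeServerCert
    TO FILE = '/var/opt/mssql/keys/TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = '/var/opt/mssql/keys/TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<second strong password>');

USE PayrollDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
ALTER DATABASE PayrollDb SET ENCRYPTION ON;

-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up as well; it is encrypted automatically once any database is.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

------------------------------------------------------------------
-- 2. Column-level encryption: only the card number, only for holders of the key.
------------------------------------------------------------------
USE PayrollDb;
-- A database master key (separate from the one in master) protects CardCert.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<third strong password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number encryption';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

CREATE TABLE dbo.Payment (
    PaymentId     int IDENTITY(1,1) PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL      -- ciphertext only, never the clear value
);

OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.Payment (CardNumberEnc)
VALUES (ENCRYPTBYKEY(KEY_GUID('CardKey'), '4111111111111111'));  -- constructed test card number

-- Same session with the key open: plaintext comes back.
SELECT PaymentId,
       CONVERT(varchar(20), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Payment;
CLOSE SYMMETRIC KEY CardKey;

-- With the key closed, or for a principal that may SELECT the table but lacks
-- permission on CardKey and CardCert, the same DECRYPTBYKEY call returns NULL.
-- A sysadmin can always open the key, so unlike Always Encrypted this does not
-- protect the data from DBAs or from a compromised server.
SELECT PaymentId,
       CONVERT(varchar(20), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber_NullWhenKeyClosed
FROM dbo.Payment;
```

      The two halves address different failures: TDE means a copied .mdf or backup file is useless to whoever took it, while the symmetric key means the reporting account that can read dbo.Payment never sees a card number. Neither protects the connection itself; that is TLS on the TDS session, which the encrypt_option column of sys.dm_exec_connections lets you verify.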

      Data Masking

      Data masking is a technique used to create a version of data that looks structurally similar to the original, but hides (masks) sensitive information. The version with the masked information can then be used for a variety of purposes, such as offline reporting, user training, or software testing.

      Specifically, there are two types of data masking supported by SQL Server:

      • Static Data Masking: creates a sanitized copy of a database in which all sensitive information has been replaced so that the copy can be shared with non-production users. You configure how masking operates for each selected column, and Static Data Masking then overwrites the data in the copy with new, masked values generated from that configuration. The operation is irreversible: the original values cannot be recovered from the masked copy, which is what makes it suitable for handing to developers or testers.

      • Dynamic Data Masking: limits sensitive data exposure to non-privileged users by masking it in query results, with no change to the stored data and minimal change to the application layer. You define a mask per column and grant the UNMASK permission to the principals that need the real values. It is a presentation-layer control, not encryption: masked columns can still be filtered on and joined, so a user with ad hoc query access can infer values (for example, with WHERE Salary > 100000), and it does nothing against anyone who connects with a privileged login. Use it to reduce casual exposure, not as the sole protection for regulated data.
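      The following T-SQL is an example added by the editor, not code from the original guide, that applies Dynamic Data Masking to a payroll table and then demonstrates both what a low-privileged reader sees and the inference limit described above. The names PayrollDb, dbo.Employee, and ReportReader and the two sample rows are constructed for the example; the masking functions (email(), partial(), default()) are SQL Server's built-in masks.

```sql
USE PayrollDb;

CREATE TABLE dbo.Employee (
    EmployeeId int IDENTITY(1,1) PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    SSN        char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    Salary     money         MASKED WITH (FUNCTION = 'default()') NOT NULL
);
-- An existing column gets a mask the same way:
-- ALTER TABLE dbo.Employee ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');

-- Constructed sample data.
INSERT dbo.Employee (FullName, Email, SSN, Salary)
VALUES (N'Ada Lovelace', N'ada@example.com',  '123-45-6789', 185000.00),
       (N'Alan Turing',  N'alan@example.com', '987-65-4321',  95000.00);

-- A reporting principal with SELECT only. WITHOUT LOGIN keeps this demo
-- self-contained; a real reporting user would map to a login or AD group.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO ReportReader;

-- As the reader: values come back masked.
EXECUTE AS USER = 'ReportReader';
SELECT FullName, Email, SSN, Salary FROM dbo.Employee;
-- Ada Lovelace   aXXX@XXXX.com   XXX-XX-6789   0.00
-- Alan Turing    aXXX@XXXX.com   XXX-XX-4321   0.00
REVERT;

-- The limit: masks apply to output only. Predicates run on the real values,
-- so the reader can test guesses and narrow a masked value down.
EXECUTE AS USER = 'ReportReader';
SELECT FullName FROM dbo.Employee WHERE Salary > 150000;      -- returns Ada Lovelace
SELECT FullName FROM dbo.Employee WHERE SSN = '123-45-6789';  -- returns Ada Lovelace
REVERT;

-- Hand out the real values only where they are needed.
GRANT UNMASK TO ReportReader;
-- SQL Server 2022 and later can scope UNMASK to a table or column instead of
-- the whole database; see GRANT UNMASK in the documentation for the syntax.

-- Inventory: which columns are masked, and how.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

      The two predicate queries are the part to show anyone who proposes DDM as the only control on a sensitive column: a reader with SELECT can run them as many times as they like, and each answer leaks a bit of the masked value. Pair DDM with least-privilege access and, for data that must not be recoverable, with encryption.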

      Conclusion

      Database security is an extremely important part of database design, operations, and maintenance. It includes physical security, operating system and application maintenance, disabling of superfluous features, port management, encryption, and data masking. Collectively, and if addressed properly, these measures help keep a SQL Server database resistant to attack, operationally sound, and its data intact.


