User workstations, tablets and phone may be configured to send DNS requests to servers other than the authorized DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration can expose an organization to unneessary security risks and exposures.
Below are some of the best practices to prevent it:
Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution.
Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).
Additionally, filtering inbound destination port 53 TCP and UDP traffic to only allow connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protections.