DNS Security Basics: Part II
Joern shows you two more ways you can keep your DNS safe.
All too often network administrators neglect domain name system (DNS) security,
but it's a relatively easy way to add a level of protection to your security
, we covered the security effectiveness of using a split DNS design
and techniques for safe zone data transfers. Here are two more DNS security
basics you really shouldn't overlook.
Don't Get Poisoned
DNS Cache Poisoning is an attack that takes advantage of a flaw in the design
or configuration of your DNS server to feed it faulty information. When your
DNS server receives a request to resolve a name in a DNS zone that it doesn't
hold, it starts a series of queries to other DNS servers to find one that's
authoritative for that zone.
Ideally, it should only accept information that it asked for. If your DNS server
isn't picky about the answers it receives, though, you face a huge security
risk. Someone could set up their DNS server to send you incorrect information
about a name that your server didn't even inquire about.
Say your DNS server tries to resolve the name somesite.com. The reply from
the authoritative server for somesite.com reveals that somesite.com is an alias
entry for yourbank.com (an unlikely, yet perfectly legitimate answer according
to the DNS standards). The remote server also supplies the IP address for yourbank.com.
The correct action for your DNS server would be to process the first part of
that answer, but to discard the second part. After all, the remote server is
not authoritative for the yourbank.com domain. The supplied IP address could
host a fake Web site designed to steal your online banking credentials.
DNS cache poisoning occurs when your DNS server doesn't discard that part of
the answer. When it caches the non-authoritative reply and uses it to resolve
future name resolution requests for yourbank.com, you are at risk.
There are a number of variations on DNS cache poisoning attacks, but the methods
for defending yourself are the same for most, and they are very easy. The first
thing you can do is to make sure that you apply all relevant patches to your
DNS server, as cache poisoning is most often the result of a software flaw.
The second thing you should do is ensure that your DNS Server is configured
to only accept authoritative answers. The steps for this depend on your DNS
server software, but if you're using a Windows DNS server, you can find instructions
in Microsoft KB article 241352
on the Microsoft Web site.
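The "only accept what the responder is authoritative for" rule described above, written out as a small added example (not code from the article): a bailiwick check applied to the somesite.com / yourbank.com reply. Record tuples and the sample reply are constructed for illustration; the zone name passed as `responder_zone` is assumed to be known from the delegation that led the resolver to this server.

```python
# Added example (not from the article): the "accept only what the responder is
# authoritative for" rule, known as a bailiwick check, applied to a DNS reply.
# Records are modelled as (owner name, record type, data) tuples rather than raw
# wire format so the logic stays visible. The sample reply is constructed.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it (case-insensitive, trailing dot ignored)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def filter_reply(records, responder_zone):
    """Split a reply into records to cache, records to discard, and names that
    still need their own lookup at *their* authoritative servers.

    A CNAME whose target is outside the responder's zone is kept (it is a valid
    answer about a name in that zone), but any record the responder supplies
    *about* that target is out of bailiwick and must not enter the cache."""
    kept, dropped, follow_up = [], [], []
    for owner, rtype, data in records:
        if not in_bailiwick(owner, responder_zone):
            dropped.append((owner, rtype, data))
            continue
        kept.append((owner, rtype, data))
        if rtype == "CNAME" and not in_bailiwick(data, responder_zone):
            follow_up.append(data)  # resolve this name from its own authority
    return kept, dropped, follow_up

# Constructed reply from the server authoritative for somesite.com, mirroring
# the article's scenario: a legitimate alias plus an unsolicited A record.
SAMPLE_REPLY = [
    ("somesite.com.", "CNAME", "yourbank.com."),
    ("yourbank.com.", "A", "192.0.2.10"),        # responder is not authoritative for this
    ("www.somesite.com.", "A", "198.51.100.5"),  # in bailiwick, fine to cache
]

if __name__ == "__main__":
    kept, dropped, follow_up = filter_reply(SAMPLE_REPLY, "somesite.com.")
    print("cache:", kept)
    print("discard:", dropped)
    print("re-query at authoritative servers:", follow_up)
```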
Each DNS zone file should have an entry with the e-mail address of the person
responsible for the DNS zone (with a period instead of the @ sign). The purpose
of this entry is to help anyone who detects a name resolution problem to contact
However, it's best to avoid using an e-mail address that reflects the responsible
person's real name. Someone looking for information to help mount a social engineering
attack could easily deduce from the e-mail address firstname.lastname@example.org
in your DNS data that someone called Joebob Doe works in your IT department
and is responsible for network infrastructure.
Fortunately, this is an easy problem to fix. Simply use a generic e-mail address,
like email@example.com, and then ensure that Joebob Doe has access
to the corresponding mailbox. Most DNS software makes this setup relatively easy
to configure.
Despite the increasing popularity of using DNS systems as a means for attack,
adequate attention to complete DNS security is still lacking in many networks.
Keeping these two fundamentals in mind, plus the two covered here last month,
can go a long way toward providing a relatively simple and easy to maintain
degree of security for your DNS system.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.