Security Advisor

DNS Security Basics: Part II

Joern shows you two more ways you can keep your DNS safe.

• By Joern Wettern
• 04/01/2007

Don't Get Poisoned
DNS Cache Poisoning is an attack that takes advantage of a flaw in the design or configuration of your DNS server to feed it faulty information. When your DNS server receives a request to resolve a name in a DNS zone that it doesn't hold, it starts a series of queries to other DNS servers to find one that's authoritative for that zone.

Ideally, it should only accept information that it asked for. If your DNS server isn't picky about the answers it receives, though, you face a huge security risk. Someone could set up their DNS server to send you incorrect information about a name that your server didn't even inquire about.

Say your DNS server tries to resolve the name somesite.com. The reply from the authoritative server for somesite.com reveals that somesite.com is an alias entry for yourbank.com (an unlikely, yet perfectly legitimate answer according to the DNS standards). The remote server also supplies the IP address for yourbank.com.

The correct action for your DNS server would be to process the first part of that answer, but to discard the second part. After all, the remote server is not authoritative for the yourbank.com domain. The supplied IP address could host a fake Web site designed to steal your online banking credentials.

DNS cache poisoning occurs when your DNS server doesn't discard that part of the answer. When it caches the non-authoritative reply and uses it to resolve future name resolution requests for yourbank.com, you are at risk.

There are a number of variations on DNS cache poisoning attacks, but the methods for defending yourself are the same for most, and they are very easy. The first thing you can do is to make sure that you apply all relevant patches to your DNS server, as cache poisoning is most often the result of a software flaw.

The second thing you should do is ensure that your DNS Server is configured to only accept authoritative answers. The steps for this depend on your DNS server software, but if you're using a Windows DNS server, you can find instructions in Microsoft KB article 241352 on the Microsoft Web site.

Remain Anonymous
Each DNS zone file should have an entry with the e-mail address of the person responsible for the DNS zone (with a period instead of the @ sign). The purpose of this entry is to help anyone who detects a name resolution problem to contact you.

However, it's best to avoid using an e-mail address that reflects the responsible person's real name. Someone looking for information to help mount a social engineering attack could easily deduce from the e-mail address [email protected] in your DNS data that someone called Joebob Doe works in your IT department and is responsible for network infrastructure.

Fortunately, this is an easy problem to fix. Simply use a generic e-mail address, like [email protected]. Then simply ensure that Joebob Doe has access to the corresponding mailbox. Most DNS software makes it relatively easy to configure setup name resolution.

Despite the increasing popularity of using DNS systems as a means for attack, adequate attention to complete DNS security is still lacking in many networks. Keeping these two fundamentals in mind, plus the two covered here last month, can go a long way toward providing a relatively simple and easy to maintain degree of security for your DNS system.