NIST Unveils Tool To Foil DNS Attacks

Network researchers at the National Institute of Standards and Technology have unveiled a method that federal systems administrators can use to protect their systems from increasingly complex attacks launched via the Domain Name System of the Internet and private IP networks.

DNS has long been a critical function of the Internet and private IP networks, but one that tended to operate somewhat incognito. That may be changing as more complex network attacks targeted at DNS emerge.

In a recently published paper, authors Scott Rose and Anastase Nakassis, writing under the auspices of NIST and the Homeland Security Department's Science and Technology Directorate, contend that DNS security extensions (DNSSEC) originally intended to protect DNS zone data contain an unintended side effect that facilitates an attack precursor called "zone enumeration."

Attackers use DNSSEC responses to determine the Resource Records (RR) in a DNS zone, and then launch attacks more quickly against specific hosts in the zone. The attack potentially gets worse when DNS host names give hints to the content, application or operating system, and consequently the vulnerabilities, that reside on the hosts. Rose and Nakassis added that the security or privacy concerns of intercepting information in newer DNS RRs go beyond an attacker simply identifying the host IP address and name.

The authors state that zone enumeration is possible without the help of DNSSEC. They cautioned that such traditional methods often become impractical because they rely on time-consuming or processor-intensive brute force techniques often thwarted by intrusion detection systems.

The authors also describe several techniques that allow networks to reap the intended authentication and integrity benefits of DNSSEC while "reducing DNS information leakage." These techniques are important because as DNS becomes more and more vital to network operation, the need to protect it with techniques offered by DNSSEC increases.

As federal agencies continue to deploy IPv6 technology, DNS will move from its current critical-but-inconspicuous status to the forefront, the NIST analysts said. The spread of IPv6 will generate a demand for network protection methods that are as secure as they are robust. The enormous IPv6 address size makes memorization impractical and address-to-hostname mapping vital, Internet specialists agree. Address subnet scanning becomes all but impossible in the IPv6 environment. As a result, DNS zone data becomes much more desirable to intercept and decipher as a prelude to launching an attack.

The techniques described by the NIST scientists likely hold forth the promise of improving DNSSEC authentication and integrity protection, so as to shield DNS zones and foil attempts to compromise data.


  • What Money in Excel Means for the Future of Microsoft 365 Apps

    Microsoft's new personal finance tool hints at what's in store for next-generation Office applications, from more third-party integrations to subscription requirements.

  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.