January 22, 2012

1.4.4 DNS


DNS (Domain Name Server) allows you to use a host name such as www.google.com instead of (or any one of several IP addresses used to reach the Google web site). DNS makes it more convenient to use the Internet.

The Microsoft Outlook mail server may respond when you refer to it as outlook.com, however at its core it wants to be addressed as or whatever its current IP address is. It would be very inconvenient to have to use IP addresses exclusively; DNS was invented to allow the use of the more user-friendly host names.

It provides a distributed and robust mechanism that resolves Internet host names into IP addresses and vice versa. Unfortunately many security weaknesses surround IP and the protocols carried by IP. DNS is not immune to these security weaknesses.

DNS provides a way to know the IP address of any host on the Internet.

DNS attacks can be aimed at the DNS protocol (DNS spoofing, DNS ID hacking, DNS cache poisoning) or the DNS server (software bugs, denial of service).

DNS can be hacked in one of two ways:
  • Protocol-based: attacks based on how DNS actually works
  • Server-based – attacks based on exploiting flaws in the software on the servers running the DNS services.
Here are some specific DNS compromises:
  1. Malicious Cache Poisoning or DNS Spoofing – When a DNS server does not have the answer to a query within its cache, the DNS server can pass the query onto another DNS server on behalf of the client. If the server passes the query onto another DNS server that has intentionally tainted information, then the result is malicious cache poising or DNS spoofing. Cache poisoning relates to an attack consisting of making a DNS server cache false information.
  2. Rogue DNS servers– Unauthorized servers that can intercept DNS queries and provide tainted responses. Rogue DNS servers pose a threat to the Internet community because the information these servers contain may not be trustworthy.
  3. Redirection – When an attacker is able to redirect queries for DNS names to servers under the control of the attacker.
  4. Footprinting – The process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources.
  5. Denial-of-service attack – When an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries.
Countermeasures to DNS attacks include keeping up-to-date with system and application patches, implement DNSSEC whenever possible, secure open DNS servers, etc.

DNS visualization and analyzer tools such as: dnsviz.net and dnssec-debugger.verisignlabs.com will attempt to test whether a particular site has deployed DNSSEC.


No comments:

Post a Comment