Saturday, March 08, 2008

DNS Security Issues (Misconfigurations)

DNS security issues fall into the following areas:

Service/traffic redirection:

DNS requests (traffic) to any site could be redirected to the IP address of a malicious attacker's site using a man-in-the-middle attack or any other type of attack.
As a user, you should verify authenticity through cryptographic signature hashes, even with trusted sites.
Similarly, name servers with MX records can be modified to redirect e-mail from one domain to another.



Denial of service:

Instead of redirecting records to another site, they can be pointed at 10.1.1.12 or any other address range that does not exist, which may prevent the legitimate target from being reached.


Zone transfers:

Domain record exchanges, such as updating information across name servers, can reconfigure packet routing across a network.

Past versions of name servers had no security, and anyone with access to programs like nslookup and dig was capable of issuing zone transfers.

DNS zone transfers should only be allowed between DNS servers and clients that actually need them.
The DNS master should transmit zone information to (and only to) the IP addresses of the slave DNS servers (slave-1, slave-2, etc.); in most configurations a slave should not transmit to anyone.

Zone transfers can also be protected by implementing DNS keys and even encrypted DNS payloads.

Beyond that, instead of limiting transfers purely based on IP address, sites can maintain cryptographic signatures or rely on public key cryptography, as in the DNS Security Extensions (DNSSEC).


Predictable query IDs:

A query ID is included within a packet to uniquely identify sessions. A predictable query ID within a request is a security issue that allows an attacker to poison name server caches with forged address resolution information. To reduce the breadth of this attack, random query IDs are used.
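The check below is an added example, not part of the original post: it reads the 16-bit query ID from the DNS header of a series of queries and flags a resolver whose IDs advance by a fixed step. The function names, the 0.5 threshold and the sample packets are assumptions constructed for illustration.

```python
import secrets
import struct
from collections import Counter

def build_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS query (type A, class IN) carrying the given 16-bit ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def query_id(packet: bytes) -> int:
    """Return the query ID, which is the first two bytes of the DNS header."""
    if len(packet) < 12:
        raise ValueError("packet is shorter than a DNS header")
    return struct.unpack("!H", packet[:2])[0]

def predictable_fraction(packets) -> float:
    """Share of consecutive ID steps (mod 2**16) that equal the most common step."""
    ids = [query_id(p) for p in packets]
    if len(ids) < 3:
        raise ValueError("need at least three queries to compare steps")
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return Counter(steps).most_common(1)[0][1] / len(steps)

def is_predictable(packets, threshold: float = 0.5) -> bool:
    """Flag a query stream whose IDs mostly advance by one fixed step."""
    return predictable_fraction(packets) >= threshold

# Constructed samples: a counter-based ID generator (wrapping past 65535)
# and IDs drawn from the operating system's CSPRNG.
SEQUENTIAL = [build_query((65530 + i) % 65536, "example.com") for i in range(20)]
RANDOMIZED = [build_query(secrets.randbelow(65536), "example.com") for _ in range(20)]

if __name__ == "__main__":
    print("sequential:", predictable_fraction(SEQUENTIAL), is_predictable(SEQUENTIAL))
    print("randomized:", predictable_fraction(RANDOMIZED), is_predictable(RANDOMIZED))
```

In practice the packets would come from a capture of the resolver's own outbound queries rather than from `build_query`.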

Secure How-To (not only):

- Use complete physical separation of internal recursive queries and external public name service to prevent DNS cache poisoning.
- Secure DNS through redundancy and load balancing, which in turn requires that networks house more than one DNS server.
