Hardening DNS Servers: Domain Name Service (DNS) servers resolve hostnames to IP addresses. This service allows a website name such as www.sybex.com to be resolved to an IP address such as 192.168.1.110.
NOTE: A registrar manages your domain name, and most require an annual renewal fee. If these fees are not paid, another company will be able to hijack your domain name. Such hijacking has embarrassed many organizations.
DNS servers can be used internally for private functions and externally for public lookups. Though DNS-related attacks aren’t common, they are generally of three types:
Domain Name Service Denial-of-Service Attacks: Domain Name Service Denial-of-Service (DNS DoS) attacks are primarily aimed at DNS servers.
The intention is to disrupt the operations of the server, thereby making the system unusable. To address these attacks, make sure that your DNS server software and the operating system software are kept up-to-date and that you are using two-factor authentication with your registrar. Doing so will tend to minimize the impact of DNS DoS attacks.
Network Footprinting: Footprinting is the act of gathering data about a network in order to find ways that someone might intrude. When footprinting, you are looking for vulnerabilities and any means of entry.
A great deal of information about your network is stored in DNS servers. By using one of the common DNS lookup programs, such as NSLOOKUP, an attacker can learn about your network configuration.
DNS entries typically include information pertaining to domain names and mail, web, commerce, and other key servers in your network.
Keep the amount of information stored about your network in external DNS servers to a bare minimum.
TIP: A good recommendation is to use two DNS servers: one on the internal network and one on the external network.
Compromising Record Integrity: DNS lookup systems usually involve either a single primary DNS server or a primary and a secondary DNS server.
If you make a change to a primary or secondary server, the change propagates to other trusted DNS servers.
If a bogus record is inserted into a DNS server, the record will point to the location the attacker intends to compromise rather than to a legitimate site.
Imagine the embarrassment to a corporation when its website visitors are redirected to a competitor or, even worse, to a porn site. Make sure that all DNS servers require authentication before updates are made or propagated. Doing so will help ensure that unauthorized records aren’t inserted into your servers.
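As an added illustration of the two-server recommendation above (one DNS view for the internal network, one for the public) and of requiring authentication before updates, here is a BIND 9 named.conf fragment written for this page, not taken from the book or from ISC; example.com, the address ranges, the secondary's address and the key are assumed placeholder values.

```conf
// Added example (not the book's or ISC's configuration). Names, networks
// and the key material are assumed placeholders.
// TSIG key used to authenticate dynamic updates and zone transfers.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";     // placeholder; generate with tsig-keygen
};

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// Internal view: full set of records, recursion for internal clients,
// updates and transfers only when signed with the key.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "example.com" {
        type primary;                          // "master" on BIND releases before 9.16
        file "zones/internal/example.com.zone";
        // Weak setting this replaces: allow-update { any; };
        allow-update { key "ddns-key"; };
        allow-transfer { key "ddns-key"; };
    };
};

// External view: a separate zone file holding only the bare minimum of
// public records, no recursion, no dynamic updates, transfers restricted
// to the listed secondary, and the public zone signed with DNSSEC.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type primary;
        file "zones/external/example.com.zone";
        allow-update { none; };
        // Weak setting this replaces: allow-transfer { any; };
        allow-transfer { 203.0.113.2; };       // assumed address of the public secondary
        dnssec-policy default;                 // BIND 9.16+: automatic signing
    };
};
```

Check the result with `named-checkconf` before reloading; unauthenticated update attempts against either zone will then be refused and logged.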
As DNS was originally designed, it did not include security because it was never thought to be a possible weakness in the network.
Once it was realized that DNS could be exploited, however, the Domain Name System Security Extensions (DNSSEC) were created by the IETF (Internet Engineering Task Force) to add security and maintain backward compatibility.
DNSSEC checks digital signatures and can protect information by digitally signing records. Specifically, DNSSEC was designed to protect against forged DNS data. More information on DNSSEC can be found at www.dnssec.net.
NOTE: DNS poisoning is a problem that existed in early implementations of DNS. It hasn’t been a serious problem for a while, but you should be aware of it for the exam.
With DNS poisoning (also known as cache poisoning), a daemon caches DNS reply packets, which sometimes contain other information (data used to fill the packets).
The extra data can be scanned for information useful in a break-in or man-in-the-middle attack.
A similar attack, Address Resolution Protocol (ARP) poisoning, tries to convince the network that the attacker’s MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker’s machine.