The Fragility of DNS

A recent study conducted by Mazerov Research and Consulting suggests that despite a multitude of costly and elaborate efforts to keep the Domain Name System (DNS) protected, companies are still suffering from a barrage of denial-of-service, pharming and cache-poisoning attacks.

In the past year, Symantec's DeepSight system reports 25 vulnerabilities in various DNS servers and resolvers: 8 of them are server or client denial-of-service flaws, 8 are buffer overflows, and the remainder are a mix of DNS spoofing and access attacks. DNS is highly reliable, but it is not trustworthy, and the difference goes unnoticed until there is an attack.

Server vulnerabilities that exploit application flaws can only be fixed by patching, but DNS denial-of-service attacks and cache poisoning are much more difficult to combat. DNS queries are UDP-based and, as such, are easily spoofed.

Launching a denial-of-service attack that spoofs the originating IP address against a company's DNS server is pretty easy, and there isn't much you can do about it except over-provision your DNS server and work closely with your service provider to mitigate the attack.

Cache poisoning is much more damaging, whether your DNS server's cache is poisoned, your host's cache is poisoned, or someone is redirecting your zone to their DNS server. When a host needs to resolve a name to an IP address, it asks its DNS server to do the work.

The DNS server, if it doesn't know the answer, starts to walk down the DNS tree from the root to the authoritative name server. It will accept the first properly formatted response as authoritative and therein lies the problem. Your DNS server, or host, takes what it is told on faith.
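The two paragraphs above describe a resolver that believes the first well-formed reply. The following Python is an added illustration, not code from the article or from any DNS software: it models the outstanding query and the reply as plain dicts (no wire format) and contrasts the "take it on faith" behaviour with the checks a cautious resolver applies before caching anything, namely matching the transaction ID and source port, matching the question section, and discarding records whose owner name lies outside the zone that was actually asked. All domain names, addresses and function names are constructed for the example.

```python
"""Added example: why a resolver must not cache the first well-formed reply.
DNS messages are modelled as dicts; names and addresses are constructed."""
import secrets


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is zone itself or lies beneath it.
    Names are compared case-insensitively with trailing dots ignored."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)


def new_query(qname, qtype, asked_zone, txid=None, sport=None):
    """An outstanding query. The random 16-bit ID and random source port are
    the fields a forged reply must match; fixed values are only for tests."""
    return {
        "id": secrets.randbelow(1 << 16) if txid is None else txid,
        "sport": 1024 + secrets.randbelow(64511) if sport is None else sport,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
        "asked_zone": asked_zone,  # zone whose name server received the query
    }


def naive_accept(response):
    """The article's failure mode: any properly formatted reply is believed
    and every record in it is cached."""
    if response.get("qr") != 1:
        return []
    return response["answers"] + response["additional"]


def vet_response(query, response):
    """Return (verdict, records_to_cache). Nothing is cached unless the reply
    matches the outstanding query, and even then only records whose owner
    name is inside the bailiwick of the zone we asked are kept."""
    if response.get("qr") != 1:
        return "reject: not a response", []
    if response["id"] != query["id"]:
        return "reject: transaction id mismatch", []
    if response["dport"] != query["sport"]:
        return "reject: destination port does not match our source port", []
    if (response["qname"].lower().rstrip("."), response["qtype"]) != (query["qname"], query["qtype"]):
        return "reject: question section differs from what we asked", []
    candidates = response["answers"] + response["additional"]
    kept = [rr for rr in candidates if in_bailiwick(rr[0], query["asked_zone"])]
    dropped = len(candidates) - len(kept)
    return f"accept: {len(kept)} cached, {dropped} out-of-bailiwick dropped", kept


# Constructed scenario: we asked example.com's name server for www.example.com A.
TEST_QUERY = new_query("www.example.com", "A", "example.com", txid=0x1234, sport=40000)

GENUINE = {  # what the real authoritative server would send back
    "qr": 1, "id": 0x1234, "dport": 40000, "qname": "www.example.com", "qtype": "A",
    "answers": [("www.example.com", "A", "192.0.2.10")],
    "additional": [("ns1.example.com", "A", "192.0.2.53")],
}
WRONG_ID = {  # well-formed, but the transaction ID was guessed wrong
    "qr": 1, "id": 0x0001, "dport": 40000, "qname": "www.example.com", "qtype": "A",
    "answers": [("www.example.com", "A", "198.51.100.7")],
    "additional": [],
}
OUT_OF_BAILIWICK = {  # IDs match, but it also carries a record for another zone
    "qr": 1, "id": 0x1234, "dport": 40000, "qname": "www.example.com", "qtype": "A",
    "answers": [("www.example.com", "A", "192.0.2.10")],
    "additional": [("www.bank.example", "A", "198.51.100.7")],
}

if __name__ == "__main__":
    for label, resp in (("genuine", GENUINE), ("wrong id", WRONG_ID),
                        ("out of bailiwick", OUT_OF_BAILIWICK)):
        print(f"{label:17} naive caches {len(naive_accept(resp))} record(s); "
              f"vetted: {vet_response(TEST_QUERY, resp)[0]}")
```

The naive path caches two records from the third reply, including the address for www.bank.example, which is exactly the redirection the article calls pharming; the vetted path caches only the www.example.com answer. The ID and port checks are what make off-path forgery a guessing game rather than a certainty, and the bailiwick rule limits the damage when a guess succeeds.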

Unfortunately, there aren't many good solutions to cache poisoning either. The most promising solution, the IETF's DNSSEC, a standard for signing requests using public key cryptography, isn't widely deployed on DNS servers or on client computers.

While survey respondents may use, on average, 3.5 different solutions to harden their DNS, it's really plug and pray.
