DNS record updates
Problem statement:
Domain Name Service (DNS) records are registered with an authority in a network so that hosts can be reached by name. The records map names to IP addresses that can be resolved in the network, and a hierarchy of domain name servers translates external traffic to network hosts. This lets users reach web sites from the internet and organizational resources from the intranet. When such records are created they are a new instance and do not affect existing records; left untouched, they resolve to specific, reachable hosts and do not interfere with the security or usage of existing hosts. An unintended or hostile update to a record, however, can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server, or to streamline and harden the process surrounding the use of DNS servers and the associated network.
Solution:
The original DNS protocol for external name servers has the following limitations:
1. Complex management: Name servers are complex to manage, and misconfigurations are occasionally introduced by hand. A syntax error in a zone data file might go unnoticed and will render the name server unable to load that zone, so it returns either old data or no data. If the syntax error is in the name server's configuration file, it will prevent the name server from starting.
2. Attack vulnerabilities: If administrators do not take the simple precaution of configuring their forwarders to process recursive queries only from internal IP addresses, the server is exposed to a cache-poisoning attack, in which a hacker induces the name server to cache fabricated data.
This can have a significant impact on eCommerce, because a hacker could redirect traffic intended for, say, a bank's web site to a web server hosting a replica of the site's content and steal account numbers and passwords.
3. Difficult upgrades: Upgrading to a new version of the name server is not a simple software update. It might involve downloading new source code, compiling, testing and installing, in many cases without an upgrade advisor or migration path. If this task becomes an onus, administrators will tend to put it off, and the impact on the business shows up later as a delayed effect.
For example, a patch for the Lion worm was released, but months afterwards the worm continued to infect name servers around the internet.
4. Ever-growing attack options: One of the biggest challenges for IT organizations is the ever-increasing number of DNS attacks and attack types. The well-known attacks include:
1) TCP SYN flood attacks, where a DNS server is flooded with TCP connection requests that are left orphaned until the target machine fails;
2) UDP flood attacks, where a large number of UDP packets sent to random ports on a target server cause it to fail;
3) LAND attacks, where a spoofed TCP or UDP packet carrying the target host's address and an open port as both source and destination causes the machine to reply to itself continuously;
4) cache poisoning attacks, where legitimate requests are redirected to a malicious website; and
5) proxy attacks, where a machine that has penetrated the network routes legitimate requests to malicious websites.
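The first limitation above (a zone-file syntax error that silently prevents a zone from loading) and the problem statement's concern about unintended or hostile record updates both call for a check that runs before a changed zone is loaded. The following Python script is an added example, not code from the original article: it parses a simplified one-record-per-line zone format (no TTLs, no $ORIGIN), rejects the update on any syntax error, and refuses changes to or removal of records for names an operator lists as critical, while brand-new records are accepted. The sample zones are constructed.

```python
import ipaddress
import re

# Constructed sample zone data (not from the article): a simplified
# one-record-per-line format with no TTL or $ORIGIN handling.
ZONE_BEFORE = """\
www   IN A 192.0.2.10   ; public web site
mail  IN A 192.0.2.20
bank  IN A 192.0.2.30
"""
# Same zone after an update: bank now points elsewhere, ftp is new.
ZONE_AFTER = """\
www   IN A 192.0.2.10
mail  IN A 192.0.2.20
bank  IN A 198.51.100.7
ftp   IN A 192.0.2.40
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(A|AAAA|CNAME|MX|NS|TXT)\s+(.+?)\s*$")

def parse_zone(text):
    """Return ({(name, type): rdata}, [(lineno, error)]) for the zone text."""
    records, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0].strip()        # strip comments and blanks
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            errors.append((lineno, "unparseable record"))
            continue
        name, rtype, rdata = m.groups()
        if rtype in ("A", "AAAA"):               # address records must parse
            try:
                ipaddress.ip_address(rdata)
            except ValueError:
                errors.append((lineno, f"bad {rtype} address {rdata!r}"))
                continue
        records[(name, rtype)] = rdata
    return records, errors

def audit_update(before, after, critical):
    """Reject syntax errors, and changes to or removal of critical names."""
    old, _ = parse_zone(before)
    new, errors = parse_zone(after)
    if errors:
        return {"accepted": False, "errors": errors, "changed": []}
    changed = {n for (n, t), rdata in new.items()
               if n in critical and old.get((n, t)) not in (None, rdata)}
    changed |= {n for (n, t) in old if n in critical and (n, t) not in new}
    return {"accepted": not changed, "errors": [], "changed": sorted(changed)}
```

Calling `audit_update(ZONE_BEFORE, ZONE_AFTER, {"www", "mail", "bank"})` rejects the sample update because the critical name `bank` changed address, while the new `ftp` record alone would have been accepted.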