DNS Security Issues and Solutions
Domain Name System security increasingly attracts the attention of businesses and governments as advanced cyber attacks threaten to exploit its weaknesses. Technologies that have traditionally lacked authentication and integrity checks underlie the global system used to translate IP addresses into host names and makes it a prime target for hackers and terrorists hoping to disrupt the internet-dependent world. DNS security now ranks as a major concern for website owners in practically every industry and market. Current efforts to improve the system focus on the following threats.
DNS servers that fail to properly resolve requests forward unsuccessful queries to other servers for processing. Attackers can place a misconfigured DNS server online to intercept requests and respond to them with spoofed information. As a result, internet users can unexpectedly arrive at malicious websites that can steal information or spread malware. After successfully routing a DNS request, a rogue server’s information can become part of the DNS cache and send a steady stream of traffic to the wrong destination. Effective dns security should prevent the occurrence of such cache poisoning.
A flooding attack sends thousands of DNS responses to a client after making a valid request. The responses leverage weak authentication to appear to originate from a valid server and can trick client applications into loading an undesired website. DNS security efforts attempt to strengthen authentication protocols to minimize or reduce the threat posed by DNS flooding.
Weak access control inherent to DNS Dynamic Update protocols makes the update system vulnerable to spoofing and denial of service (DoS) attacks. Hackers potentially can also use dynamic DNS updates to alter IP address information to maliciously redirect client requests. Attacks can also delete records from DNS servers, making some websites inaccessible.
Transfers between DNS zones can expose sensitive information about the internal networks that originate DNS requests. Project names, for example, as well as operating system information can leak during zone transfers, giving hackers information that can direct their attacks against particular networks and machines. DNS security countermeasures often depend on properly configuring DNS servers to minimize leakage.
DNS security addresses threats by authenticating transactions and requests while verifying the origin of data. Encrypted responses harden the DNS from malicious threats and improve its integrity. The development of a public key distribution service gives IT personnel the ability to authenticate DNS names to eliminate spoofing and other threats. Additionally, the emergence of security-aware DNS servers and clients promises to deliver a high level of security that prevents some of the most common attacks.