
Defining Trusted Replies

DNS servers normally provide no notion of trust. A DNS client cannot determine whether a reply is valid. The DNS Security Extensions (DNSSEC, http://www.dnssec.net/) provide signatures for authenticating information: every response is digitally signed. However, DNSSEC requires authentication keys to be distributed prior to use. If the keys have not been shared before the lookup, the client has no means to validate the signature. In addition, DNSSEC does not prevent domain hijacking: a server that supports DNSSEC can sign results for a domain that it is impersonating. DNSSEC only authenticates the server, not the content.

More commonly than deploying DNSSEC, companies manage two DNS servers: one in the LAN and one in the WAN. The LAN server provides DNS support to all internal hosts, which prevents an external hijacker from compromising DNS queries that stay within the local network. The WAN DNS server provides information to external hosts and remains vulnerable.

Alternate Resolution Methods

There are other domain name resolution methods besides DNS. These include static files (e.g., /etc/hosts), LDAP, and NIS. Although alternate solutions work well within local networks, only DNS is widely supported between external networks.

For critical systems, DNS should not be used as a trusted information source. Instead, network addresses should be stored in local host files or resolved through trusted naming services. When authentication is required, other network protocols should perform security checks. For example, DNS may resolve a hostname to a network address, but IPv6, IPsec, SSH, SSL, or Kerberos should authenticate the resolved host.
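The trusted-first resolution just described, as an added example that is not from the book: pinned addresses are read from a hosts-style table maintained out of band, DNS is consulted only for names that are not pinned, and a DNS answer that contradicts a pin is reported rather than trusted. The hosts text, the `dns_lookup` callback and the `FAKE_DNS` answers are constructed stand-ins so the code runs offline.

```python
"""Trusted-first resolution: pinned addresses from a hosts-style table win,
DNS is consulted only for unpinned names, and a DNS answer that contradicts
a pin is reported instead of trusted. Added example, not from the book."""
import ipaddress
from typing import Callable, Dict, Optional
# Constructed sample in /etc/hosts syntax (address, canonical name, aliases).
PINNED_HOSTS = """
# critical infrastructure; maintained out of band, never learned from DNS
10.0.5.20     kdc.example.internal   kdc
10.0.5.21     ldap.example.internal
2001:db8::44  vpn.example.internal   vpn
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax into a name -> address map (names lower-cased)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        addr = str(ipaddress.ip_address(fields[0]))  # normalizes, rejects garbage
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)     # first entry wins, as libc does
    return table

class UntrustedAnswer(Exception):
    """DNS disagreed with the pinned, out-of-band address for a critical host."""

def resolve(name: str, pinned: Dict[str, str],
            dns_lookup: Callable[[str], Optional[str]]) -> str:
    """Pinned entries are authoritative; DNS is still queried for them so a
    contradiction can be raised as a hijack indicator. Unpinned names use DNS."""
    key = name.lower().rstrip(".")
    answer = dns_lookup(key)
    if key in pinned:
        if answer is not None and str(ipaddress.ip_address(answer)) != pinned[key]:
            raise UntrustedAnswer(f"{key}: DNS returned {answer}, pinned {pinned[key]}")
        return pinned[key]
    if answer is None:
        raise LookupError(f"{key}: not pinned and no DNS answer")
    return str(ipaddress.ip_address(answer))

# Constructed DNS answers standing in for a real resolver so the demo runs offline.
FAKE_DNS = {
    "kdc.example.internal": "10.0.5.20",     # agrees with the pin
    "ldap.example.internal": "203.0.113.9",  # contradicts the pin: hijack indicator
    "www.example.internal": "10.0.7.3",      # not pinned: DNS answer is used
}
```

A host with several legitimate addresses (round-robin records) needs a set of pinned addresses rather than a single one, otherwise the comparison produces false alarms.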

Note: Many secure protocols perform authentication through a third-party host. In this situation, the authentication authority should not be identified through DNS. If the authenticating authority is identified using DNS, then an attacker can change the DNS entry for the authenticator. This can make it possible for the attacker to authenticate his own server.
