Initially security was not considered a part of DNS because the main purpose of DNS was to help in communication. It was designed to be used by the public, and therefore, restricting users who can query the server was not considered during its design. But with the evolution of the Internet, many applications were developed that used IP addresses and host names as a basis for allowing or disallowing users to access their services. As a result, gradually ensuring correct information to users became very important, and therefore security became a part of DNS. By incorporating security, it has become risky for organizations that rely on the Internet for communicating with clients or other firms to provide false information.
Several problems are faced by the DNS, however. Some of these are discussed in the following sections.
Cache poisoning is one of the main problems faced by the DNS, especially the older versions of BIND. Whenever a DNS server gets a query that cannot be resolved through its cache, it can pass it on to another DNS server. If the DNS server passes its query to another server which contains incorrect information, the original server caches the response from the second server, leading to cache poisoning. The malicious form of cache poisoning is also called DNS spoofing.
In spoofing, the users in control of a DNS server try to force the target DNS server to query their server. Once the target server queries, its cache can be easily poisoned. Early versions of BIND were very susceptible to such attacks.
Cache poisoning can lead to two major problems, as discussed in the following list:
- A request made to a poisoned server for a particular domain name can lead to a failure. This is called denial of service.
- The person controlling the rogue server can easily poison any server querying it and can act as a trusted source. This can be very harmful, especially for people who give out their credit card numbers and expiration dates on the Internet. This is known as masquerading.
In this tutorial:
- Linux Other Network Servers
- Setting the FTP User Account
- Configurations File for FTP Server
- Anonymous FTP
- Using Proper Password and Group Files
- Anonymous FTP Warnings
- Sendmail Security
- Domain Name Service
- Domain Name Space
- Services Offered By a DNS Server
- DNS Transactions
- BIND Configuration
- Resource Records (RR)
- Start of Authority (SOA)
- BIND Security
- Host Name Spoofing
- Running BIND with Least Privileges
- DNS Security Extensions (DNSEC)
- SMB Protocol
- Mounting the SMB File System
- SAMBA Security
- Server-Level Security