
BIND Security

Initially, security was not considered part of DNS, because its main purpose was to help hosts communicate. It was designed to be used by the public, so restricting who could query a server was not considered in its design. As the Internet evolved, however, many applications began using IP addresses and host names as the basis for allowing or denying users access to their services. Ensuring that users receive correct information therefore gradually became very important, and security became a part of DNS. Incorporating security matters because organizations that rely on the Internet to communicate with clients or other firms are exposed to the risk of being given false information.

The DNS nonetheless faces several problems. Some of these are discussed in the following sections.

Cache Poisoning

Cache poisoning is one of the main problems faced by the DNS, especially by older versions of BIND. Whenever a DNS server receives a query that it cannot resolve from its cache, it can pass the query on to another DNS server. If that second server holds incorrect information, the original server caches the second server's response, and its cache is poisoned. The deliberate, malicious form of cache poisoning is also called DNS spoofing.

In spoofing, whoever controls a rogue DNS server tries to force the target DNS server to query it. Once the target server does so, its cache can easily be poisoned. Early versions of BIND were very susceptible to such attacks.

Cache poisoning can lead to two major problems:

  • A request made to a poisoned server for a particular domain name can fail. This is called denial of service.
  • The person controlling the rogue server can easily poison any server that queries it and can then act as a trusted source. This is very harmful, especially for people who enter credit card numbers and expiration dates on the Internet. This is known as masquerading.
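The following toy model, added here as an illustration and not taken from BIND or from the original page, shows the mechanism described above: a resolver is induced to query a rogue server, caches everything that server returns, and from then on hands out the rogue address for an unrelated name (the masquerading case). It also shows the defensive rule later resolvers adopted, the bailiwick check, under which a server's answer is only cached for names inside the zone that server was asked about. All server names, zone names and addresses are constructed for the example, and the delegation logic is a deliberate simplification of real DNS referral chasing.

```python
"""Toy caching resolver showing how a rogue upstream server poisons a cache
and how a bailiwick check (cache only records inside the zone the server was
asked about) blocks it.  Added illustration for this page, not BIND code;
every name and address below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.bank.example"
    rtype: str   # only "A" records appear in this toy
    value: str   # address as text


@dataclass
class Response:
    answers: list        # records answering the question asked
    additional: list     # extra records the server volunteers unasked


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone apex or a name below it."""
    return record_name == zone or record_name.endswith("." + zone)


def pick_zone(name: str, upstreams: dict) -> str:
    """Toy delegation: the longest configured zone that name falls under."""
    matches = [z for z in upstreams if in_bailiwick(name, z)]
    if not matches:
        raise LookupError(f"no upstream for {name}")
    return max(matches, key=len)


class Resolver:
    def __init__(self, check_bailiwick: bool):
        self.cache = {}                      # (name, rtype) -> value
        self.check_bailiwick = check_bailiwick
        self.rejected = []                   # names dropped by the check

    def resolve(self, name: str, upstreams: dict):
        key = (name, "A")
        if key in self.cache:                # cache hit: no upstream query at all
            return self.cache[key]
        zone = pick_zone(name, upstreams)
        response = upstreams[zone](name)
        for rec in response.answers + response.additional:
            if self.check_bailiwick and not in_bailiwick(rec.name, zone):
                self.rejected.append(rec.name)
                continue                     # never cache what this zone cannot vouch for
            self.cache[(rec.name, rec.rtype)] = rec.value
        return self.cache.get(key)           # None means the lookup failed


# Honest server for bank.example (constructed address).
def bank_server(name):
    if name == "www.bank.example":
        return Response([Record(name, "A", "192.0.2.10")], [])
    return Response([], [])


# Rogue server for rogue.example: answers its own name but also volunteers
# a record for www.bank.example that points at the rogue host.
def rogue_server(name):
    return Response(
        [Record("www.rogue.example", "A", "198.51.100.7")],
        [Record("www.bank.example", "A", "198.51.100.7")],
    )


UPSTREAMS = {"bank.example": bank_server, "rogue.example": rogue_server}


def run_scenario(check_bailiwick: bool):
    """The target resolver is first made to look up a rogue name, then a
    user asks it for the bank.  Returns (address handed out, rejected names)."""
    resolver = Resolver(check_bailiwick)
    resolver.resolve("www.rogue.example", UPSTREAMS)
    return resolver.resolve("www.bank.example", UPSTREAMS), resolver.rejected


if __name__ == "__main__":
    print("no check:", run_scenario(False))   # rogue address served from cache
    print("check:   ", run_scenario(True))    # bank's real address
```

Without the check the second lookup never reaches bank.example at all, because the poisoned entry is already a cache hit; with the check the volunteered record is discarded and the resolver asks the authoritative server. The denial-of-service case in the list above is the same code path with the rogue record pointing at an unreachable address instead of the rogue host. In production BIND, `dnssec-validation` (so that forged answers fail signature checks) and restricting recursion to your own clients with `allow-recursion` close the rest of the gap this toy leaves open.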