Defining Trusted Replies
DNS servers normally provide no notion of trust. A DNS client cannot determine whether a reply is valid. The DNS Security Extensions (DNSSEC, http://www.dnssec.net/) provide signatures for authenticating information and digitally sign every response. However, DNSSEC requires authentication keys to be distributed prior to use. If the keys are not shared before the lookup, the client has no means to validate the signature. In addition, DNSSEC does not prevent domain hijacking: a server that supports DNSSEC can sign results for a domain that it is impersonating. DNSSEC only authenticates the server, not the content.
More common than DNSSEC, companies usually manage two DNS servers: one for the LAN and one for the WAN. The LAN server provides DNS support to all internal hosts. This prevents an external hijacker from compromising DNS queries that stay within the local network. The WAN DNS server provides information to external hosts and remains vulnerable.
Alternate Resolution Methods
There are other domain name resolution methods besides DNS. These include static files (e.g., /etc/hosts), LDAP, and NIS. Although alternate solutions work well within local networks, only DNS is widely supported between external networks.
For critical systems, DNS should not be used as a trusted information source. Instead, network addresses should be stored in local host files or resolved through trusted naming services. When authentication is required, other network protocols should perform security checks. For example, DNS may resolve a hostname to a network address, but IPv6, IPsec, SSH, SSL, or Kerberos should authenticate the resolved host.
Note: Many secure protocols perform authentication through a third-party host. In this situation, the authentication authority should not be identified through DNS. If the authenticating authority is identified using DNS, then an attacker can change the DNS entry for the authenticator. This can make it possible for the attacker to authenticate his own server.
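The two points above (a pinned local host table as the trusted source, and never locating an authentication authority through DNS) can be combined in one small resolver. This is an added example, not code from the tutorial; the hosts entries, the example.test names and the CRITICAL policy set are constructed for illustration.

```python
"""Resolve names from a pinned local table first; treat DNS as an untrusted fallback."""
import ipaddress
import socket
from typing import Dict, List, Tuple

# Constructed sample in /etc/hosts format: pinned addresses for critical
# hosts (the authentication authority and an internal application server).
PINNED_HOSTS = """
# address        canonical name    aliases
10.0.0.5         kdc.example.test  kdc
10.0.0.20        app.example.test  app
2001:db8::20     app.example.test
"""

# Hypothetical policy: names that must never be resolved through DNS.
# vault.example.test is deliberately absent from the pinned table.
CRITICAL = {"kdc.example.test", "vault.example.test"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse /etc/hosts-style text into a name -> [addresses] table."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)             # raises on a malformed address
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(name: str, table: Dict[str, List[str]],
            use_dns: bool = True) -> Tuple[List[str], str]:
    """Return (addresses, source). Pinned entries win; DNS is a last resort
    and is never consulted for names listed in CRITICAL."""
    key = name.lower().rstrip(".")
    if key in table:
        return table[key], "pinned"
    if key in CRITICAL or not use_dns:
        raise LookupError(f"{name}: no pinned address and DNS is not trusted")
    infos = socket.getaddrinfo(key, None)      # untrusted: caller must still
    return sorted({info[4][0] for info in infos}), "dns"  # authenticate the host


if __name__ == "__main__":
    hosts = parse_hosts(PINNED_HOSTS)
    print(resolve("kdc.example.test", hosts))  # (['10.0.0.5'], 'pinned')
```

The "dns" source tag is the signal for the caller to apply the protocol-level check the text recommends (SSH host key, TLS certificate, Kerberos) before trusting the address.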
In this tutorial:
- Domain Name System (DNS)
- DNS Common Uses
- Hostname-to-Address Mapping
- Common Lookup Tools
- Naming Confusion Attack Vectors
- Dotted Names
- Name Formatting
- Exploited Anonymity
- Mail Servers
- Sender Policy Framework Overloading
- Domain Keys Overloading
- DNS Protocol
- Packet Information
- Simple DNS Server
- Distributed Architecture
- Top Level Domain Servers
- Generic Top Level Domain (gTLD)
- Secondary Level Domain (SLD)
- Primary and Secondary Servers
- Caching Servers
- DNS Management
- DNS Direct Risks
- DNS Performance versus Security
- DNS Cache Poisoning
- Corrupt DNS Packets
- DNS Domain Hijacking
- DNS Server Hijacking
- Dynamic DNS
- Similar Hostnames
- Domain Renewals
- Hostnames
- Zone Transfers
- Host Listing
- DNS Fields
- Mitigation Option
- Technical Threat Mitigation
- Social Threat Mitigation
- Defining Trusted Replies