Networking / Beginners

DNS Direct Risks

DNS has the reputation of being the most insecure protocol on the Internet. The fundamental security flaw in DNS revolves around the assumed trust between DNS servers: DNS systems assume that servers do not intentionally provide misinformation. Moreover, the DNS protocol provides no means for authenticating clients with servers, and vice versa. The lack of authentication permits attackers to target the trust relationship.

DNS is vulnerable to a variety of trust-based attacks. These attacks include unauthenticated responses, cache poisoning, and blind ID attacks. In addition, some DNS implementations are vulnerable to corrupt DNS packets.

Unauthenticated Responses

DNS uses a session identifier to match requests with replies, but the session identifier provides no authentication. An attacker that observes a DNS request can forge a DNS reply. The false reply includes the observed session identifier. The result is an unauthenticated response that appears authentic. The attacker may even set the authoritative flag in the packet, removing any doubt as to the data's accuracy. The requester receives the reply and accepts the unauthenticated response. The result is an attacker that can control the hostname lookups and consequently redirect victim connections.

[Previous] [Contents] [Next]

In this tutorial:

  1. Domain Name System (DNS)
  2. DNS Common Uses
  3. Hostname-to-Address Mapping
  4. Common Lookup Tools
  5. Naming Confusion Attack Vectors
  6. Dotted Names
  7. Name Formatting
  8. Exploited Anonymity
  9. Mail Servers
  10. Sender Policy Framework Overloading
  11. Domain Keys Overloading
  12. DNS Protocol
  13. Packet Information
  14. Simple DNS Server
  15. Distributed Architecture
  16. Top Level Domain Servers
  17. Generic Top Level Domain (gTLD)
  18. Secondary Level Domain (SLD)
  19. Primary and Secondary Servers
  20. Caching Servers
  21. DNS Management
  22. DNS Direct Risks
  23. DNS Performance versus Security
  24. DNS Cache Poisoning
  25. Corrupt DNS Packets
  26. DNS Domain Hijacking
  27. DNS Server Hijacking
  28. Dynamic DNS
  29. Similar Hostnames
  30. Domain Renewals
  31. Hostnames
  32. Zone Transfers
  33. Host Listing
  34. DNS Fields
  35. Mitgation Option
  36. Technical Threat Mitigation
  37. Social Threat Mitigation
  38. Defining Trusted Replies