DNS Server Hijacking
DNS servers can be hijacked. A hijacked server can be configured to return different host information or to include new hostnames. DNS hijacking generally takes one of two forms: system compromise and IP hijacking.
DNS System Compromise
A DNS server runs as an application on a computer system. If an attacker can gain access to the computer system, then the attacker can gain access to the DNS server. This means that the server is vulnerable to any potential compromise of the hosting system. For example, if the host is also running an old print server that is vulnerable to a remote exploit, then the DNS server is vulnerable through that same remote exploit.
To mitigate the risk of a system compromise, critical DNS servers should run on hardened systems. A hardened system has all unnecessary network services disabled. In the case of DNS, the DNS server should be the only accessible network service. In reality, most large companies provide SSH for remote administration, but all other services are disabled.
DNS IP Hijacking
DNS is an OSI layer 5 protocol. This means that it is vulnerable to all lower-layer risks. Because most DNS servers operate using UDP or TCP over IP, they are vulnerable to IP (and ARP) hijacking. If an attacker can intercept the IP (or ARP) packets, then the attacker can impersonate the DNS server. Although very rare, this style of DNS hijacking can be very damaging.
Update Durations
Caching DNS servers associate a timeout with each cached DNS item. The timeouts keep cached data from going stale as host configurations change. Unfortunately, if the timeout value is too high, then changes cannot take effect immediately. For example, if the Web server www.local.lan resides at 10.1.2.3, then it cannot be immediately moved to 10.1.2.4. If the administrators relocate the host immediately, then caching servers will keep pointing to the old address until their cached entries expire. Instead, both IP addresses should remain functional during the transition period.