Host Name Spoofing
Apart from cache poisoning, a malicious user can give hundreds of DNS responses for a query and the querying server will accept them without authentication. This is termed cache flooding.
Other DNS server attacks include leakage of information through zone transfers. Host names can reveal certain things about the host, such as its operating system. This information can be useful to its rival hosts. DNS tools can be used to query a server continuously with different IP addresses of a particular domain. The unused IP addresses can be used to spoof the server and act as a host of that network. If another system is configured to trust the entire IP network, it is vulnerable to attack by an attacker using the unused IP address of the trusted IP network. The way to deal with it is to never configure your machine to trust an entire network; instead, mention explicitly the hosts of the network that can be trusted.
Restricting Queries
As discussed earlier, DNS was designed for public use, and therefore, the earlier versions of BIND did not include any option for restricting querying sources. Later, when the importance of security was realized, sub-statements like allowquery were added from Version 8. The allow-query directive can be used both as global option or in particular master/slave section. You learned about allow-query in the section, "BIND Configuration," earlier in this tutorial.
An example of allow-query is shown in the following code:
options { allow-query { 192.49.49/30; 192.59.59/30; }; };
The following code shows a sample of restricting queries in the zone you want to protect:
zone " example.com" IN { type slave; masters { 172.17.100.1 } file "db. example "; allow-query { "XYZ-NET"; }; };
Restricting Zone Transfers
Restricting zone transfers is considered more important than restricting queries. If you take another look at the "BIND Configuration" section, you will find an allow-transfer statement. The allow-transfer statement can limit zone transfers by specifying the hosts allowed to copy the database.
By using the allow-transfer statement in the master zone, the number of slaves who can transfer the master can be controlled. An example of the allow-transfer statement is shown here:
zone "example.com" IN { type master; file "db.example.com"; allow-transfer { 172.32.32.2; 172.42.42.4; }; };
The mentioned directives also can be used in slave and global configuration. By using them in slave, you can restrict hackers who can transfer zone in that particular slave.
In this tutorial:
- Linux Other Network Servers
- Setting the FTP User Account
- Configurations File for FTP Server
- ftpusers
- Anonymous FTP
- Using Proper Password and Group Files
- Anonymous FTP Warnings
- Sendmail
- Sendmail Security
- Domain Name Service
- Domain Name Space
- Services Offered By a DNS Server
- DNS Transactions
- BIND
- BIND Configuration
- Resource Records (RR)
- Start of Authority (SOA)
- nslookup
- BIND Security
- Host Name Spoofing
- Running BIND with Least Privileges
- DNS Security Extensions (DNSEC)
- SAMBA
- SMB Protocol
- Mounting the SMB File System
- SAMBA Security
- Server-Level Security