SANS Top-20 Internet Security Attack Targets: DNS Servers Attacks (1/2)  
Author: Max : 2006/11/22
DNS Servers Attacks 
C6.1 Description

The Domain Name System (DNS) is a critical Internet mechanism that primarily facilitates the conversion of globally unique host names into corresponding globally unique Internet Protocol addresses using a distributed database scheme. The DNS relies on a confidence model developed in an era of mutual trust that is vastly different from today's generally hostile Internet. Because of the changed nature of the Internet, the DNS is prone to many types of transaction attacks that take advantage of that trust, including cache poisoning, domain hijacking, and man-in-the-middle redirection.

During the past year, the following types of attacks have been carried out by botnets against DNS servers.

1. Recursion Denial of Service Attacks: A botmaster publishes a large DNS record in a compromised DNS server or in a DNS server set up for this purpose. The botmaster then directs the botnet to send small UDP/53 queries to public recursive name servers with a forged return address pointed at the targeted victim. As a result, the recursive DNS servers, rather than the bots, directly attack the victim. This effect can be amplified further by making the DNS records larger than a typical UDP/53 response packet, thus forcing a TCP/53 transaction.

2. Spoofing Authoritative Zone Answers: The botmaster establishes a fake web site (phishing site) on a compromised web server. The botmaster then directs the botnet to listen for requests and spoof DNS replies for a particular zone with an answer pointing to the compromised web server. A twist on this attack is to act locally on the bot-infected computer and modify the local hosts file with entries pointing to the fake web site.
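The recursion abuse described in attack 1 leaves a recognisable trace on the recursive server: bursts of recursive queries for one large record, all arriving from the forged victim address, which is usually outside the networks the server is meant to serve. The following detector is an added example (not part of the SANS text) that runs over constructed BIND-style query-log lines; the log format, the sample addresses and the allowed network list are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the classic BIND 9 query-log format (not real traffic):
# a burst of TXT lookups whose source is the forged "victim" address described
# above, followed by two ordinary lookups from inside our own network.
SAMPLE_LOG = """\
client 203.0.113.9#53: query: big.example.net IN TXT + (192.0.2.53)
client 203.0.113.9#53: query: big.example.net IN TXT + (192.0.2.53)
client 203.0.113.9#53: query: big.example.net IN TXT + (192.0.2.53)
client 203.0.113.9#53: query: big.example.net IN TXT + (192.0.2.53)
client 192.0.2.40#41233: query: www.example.org IN A + (192.0.2.53)
client 192.0.2.41#2048: query: mail.example.org IN MX + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Record types with large answers, the ones worth watching for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

def parse_line(line):
    """Return the fields of one query-log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def analyse(log_text, allowed_nets, burst_threshold=3):
    """Flag recursive queries from outside allowed_nets and bursts of amplifying lookups.

    Returns a sorted list of (reason, client_ip, qname, qtype, count) tuples.
    """
    nets = [ip_network(n) for n in allowed_nets]
    outside = Counter()   # recursion requested by a client we do not serve
    bursts = Counter()    # repeated large-answer lookups for one name from one source
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = (f["ip"], f["qname"], f["qtype"])
        wants_recursion = f["flags"].startswith("+")   # '+' = RD bit set in the query
        if wants_recursion and not any(ip_address(f["ip"]) in n for n in nets):
            outside[key] += 1
        if f["qtype"] in AMPLIFYING_QTYPES:
            bursts[key] += 1
    findings = [("outside_client",) + k + (n,) for k, n in outside.items()]
    findings += [("amplification",) + k + (n,) for k, n in bursts.items() if n >= burst_threshold]
    return sorted(findings)
```

Running `analyse(SAMPLE_LOG, ["192.0.2.0/24"])` reports the 203.0.113.9 burst twice, once as an outside client asking for recursion and once as an amplification pattern, while the two internal lookups produce no finding.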

C6.2 How to Determine If You Are at Risk

All Internet users are at risk of having incorrect data returned by DNS queries. If scanning the DNS servers under your control shows that the current version or patch(es) released by the appropriate DNS software vendor have not been installed, your DNS server(s) are at risk.

A proactive approach to maintaining the security of any DNS server is to subscribe to one of the customized alerting and vulnerability reports, such as those available from SANS, Secunia, and others, or to keep up with advisories posted at the Open Source Vulnerability Database (http://www.osvdb.org). In addition to security alerts, an updated vulnerability scanner can be highly effective in diagnosing any potential vulnerabilities in DNS servers. In addition, the DNS server configuration should be reviewed and tested to ensure that inappropriate recursion or updates are not allowed.
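One concrete form of the "reviewed and tested" step above is to send a single recursive query to each of your own authoritative servers from an address outside your network and confirm that the server either refuses it or answers with the RA (recursion available) bit clear. The checker below is an added example, not SANS or BIND code; it uses only the 12-byte DNS header from RFC 1035, and the server address, query name and result labels are assumptions.

```python
import socket
import struct
import secrets

def build_query(name, txid):
    """Build a minimal DNS query for the A record of `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid):
    """Return (ra_set, rcode, answer_count) from the header, rejecting a wrong txid."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return bool(flags & 0x0080), flags & 0x000F, an   # 0x0080 = RA bit

def classify(ra_set, rcode, answer_count):
    """Interpret the reply from a server that should not recurse for this client."""
    if rcode == 5:                      # REFUSED: recursion correctly denied
        return "closed"
    if ra_set and answer_count > 0:     # answered a name it is not authoritative for
        return "open-recursive"
    if not ra_set:                      # e.g. a referral or SERVFAIL without RA
        return "no-recursion-offered"
    return "inconclusive"

def check_resolver(server, name="www.example.com", timeout=3.0):
    """Send one recursive query over UDP to `server` and classify the reply.

    Needs network access; run it from outside the networks the server is meant
    to serve, against servers you administer. `name` must not be in its zones.
    """
    txid = secrets.randbelow(65536)   # random id so a stale reply is not mistaken for ours
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(*parse_response(data, txid))
```

An authoritative-only server configured as the bullets in the next section recommend should come back as "closed" or "no-recursion-offered"; "open-recursive" means the server will relay anyone's queries and is usable as the amplifier described in C6.1.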

C6.3 How to Protect against DNS Vulnerabilities

As with any software package, updates and patches to DNS server software must be applied as soon as they are available and have been tested for any impact to local network operations.

To protect against DNS vulnerabilities:

  • Apply all vendor patches or upgrade DNS servers to the latest version. For more information about hardening a DNS installation, see the articles about securing name services referenced in the Center for Internet Security DNS BIND benchmark and the appropriate CIS benchmark for the OS platform.

  • Apply appropriate firewall rules for any DNS servers inside a network that are not required to be accessible from the Internet.

  • To secure zone transfers between a primary and a secondary DNS server cryptographically, configure the servers to use DNS Transaction Signatures (TSIG).

  • On Unix, to prevent a compromised DNS service from exposing the entire system, restrict the service so that it runs as a non-privileged user in a chroot()ed directory (jail).

  • Do not allow your recursive DNS servers to be used by anything other than your own network blocks unless required. Firewalls or DNS configuration files can prevent this in most cases. Disabling recursion and glue fetching helps defend against DNS cache poisoning.

  • Consider signing your entire zone using DNS Security Extensions (DNSSEC).

  • On most systems running BIND, the command "named -v" will show the installed version enumerated as X.Y.Z, where X is the major version, Y is the minor version, and Z is a patch level. Currently the two major versions of BIND are 8 and 9. The Internet Systems Consortium recommends that all BIND users migrate to version 9 as soon as possible.

  • DNS servers are integrated into many common products such as firewalls, enterprise network servers, and security appliances. All Internet-facing servers, appliances, and systems must be checked to ensure that any embedded DNS software is updated and maintained per the vendor's recommendations.

  • Servers that are not specifically designed to support DNS transactions (for example, mail, web, or file servers) should not be running a DNS server application or daemon unless absolutely necessary.
