DNS threats and mitigations
Threats to DNS data can be caused by:
- lame delegation;
- zone updates that are too slow;
- zone updates that are too fast;
- HINFO/TXT records that provide too much information.
Forged or bogus query responses can be provided by way of a compromised authoritative server or a poisoned resolver cache.
Removal of resource records or incorrect wildcard expansions can also happen.
It is possible to cause a denial of service by forcing transfer requests to overload the master server.
Zone information can be tampered with as well.
Unauthorized updates are possible, as well as replay attacks (resubmitting updates at a later time to cause invalid updates) and spurious notifications.
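As an added example (not part of the original notes), the following Python script shows how a defender can spot the two transfer-related problems described above from a server's own transfer log: zone transfers requested by hosts that are not configured secondaries, and a burst of transfer requests from one source that could overload the master. The log lines are constructed in the style of BIND's transfer log and are not a real capture; the allowed network, thresholds and zone name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of BIND's transfer log (not a real capture).
# 192.0.2.10 asks for the zone six times in ten seconds, 198.51.100.7 is not a
# configured secondary, and the last line is a denied transfer (not matched below).
SAMPLE_LOG = """\
01-Mar-2024 10:00:01.000 client @0x7f4 192.0.2.10#53001 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:03.000 client @0x7f4 192.0.2.10#53002 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:05.000 client @0x7f4 192.0.2.10#53003 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:07.000 client @0x7f4 192.0.2.10#53004 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:09.000 client @0x7f4 192.0.2.10#53005 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:11.000 client @0x7f4 192.0.2.10#53006 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:00:12.000 client @0x7f4 198.51.100.7#40001 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:05:00.000 client @0x7f4 192.0.2.11#53100 (example.com): transfer of 'example.com/IN': AXFR started
01-Mar-2024 10:05:01.000 client @0x7f4 192.0.2.10#53007 (example.com): zone transfer 'example.com/IN' denied
"""

# Matches only lines recording a started full zone transfer (AXFR).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client \S+ "
    r"(?P<ip>[0-9.]+)#\d+ \((?P<zone>[^)]+)\): transfer of '[^']+': AXFR started$"
)


def parse_axfr_log(text):
    """Return a list of (timestamp, source_ip, zone) for every AXFR that was started."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # denied transfers, notifies and other lines are not counted
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        events.append((ts, m["ip"], m["zone"]))
    return events


def audit_transfers(events, allowed_nets, max_per_window=5, window=timedelta(seconds=60)):
    """Flag transfers from hosts outside allowed_nets (the configured secondaries)
    and sources that exceed max_per_window transfers within a sliding window."""
    nets = [ip_network(n) for n in allowed_nets]
    unauthorized = []          # (source_ip, zone) pairs outside the allowed networks
    flooding = {}              # source_ip -> highest count seen inside one window
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    for ts, ip, zone in sorted(events):
        if not any(ip_address(ip) in n for n in nets):
            unauthorized.append((ip, zone))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()        # drop timestamps that have aged out of the window
        if len(q) > max_per_window:
            flooding[ip] = max(flooding.get(ip, 0), len(q))
    return {"unauthorized": unauthorized, "flooding": flooding}


if __name__ == "__main__":
    report = audit_transfers(parse_axfr_log(SAMPLE_LOG), ["192.0.2.0/24"])
    print(report)
```

On the constructed sample this reports 198.51.100.7 as an unauthorized requester and 192.0.2.10 as exceeding five transfers per minute. The same two conditions are what an `allow-transfer` restriction and a per-client rate limit on the server itself would prevent; running the check over the log is the complementary detection step.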
DNS transaction threats can be mitigated by:
- applying IP-based restrictions;
- enabling TSIG;
- enabling DNSSEC.
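To show concretely what TSIG adds against the transaction threats listed earlier (forged updates, tampering, and replay of an old update), here is an added Python example that is not part of the original notes. It computes an HMAC over a DNS message together with the signing time and a "fudge" tolerance, in the spirit of TSIG (RFC 8945), and returns the TSIG-style error names a verifier would produce. It is deliberately simplified: real TSIG also covers the key name, algorithm name, class, TTL and other fields, and the key, message and timestamps below are constructed values.

```python
import hashlib
import hmac

# Constructed shared secret and key name; a real TSIG key is generated with a tool
# such as tsig-keygen and distributed out of band to both parties.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
KEY_NAME = b"xfer-key.example.com."


def _covered(message, time_signed, fudge):
    """Bytes the MAC covers: the message, a 48-bit signing time and a 16-bit fudge,
    mirroring the sizes of the TSIG Time Signed and Fudge fields (simplified)."""
    return message + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")


def tsig_sign(message, secret, time_signed, fudge=300):
    """Sign a message at time_signed (seconds since the epoch); fudge is the
    number of seconds of clock skew the verifier will tolerate."""
    mac = hmac.new(secret, _covered(message, time_signed, fudge), hashlib.sha256).digest()
    return {"key": KEY_NAME, "mac": mac, "time_signed": time_signed, "fudge": fudge}


def tsig_verify(message, sig, secret, now):
    """Return 'NOERROR', 'BADSIG' or 'BADTIME' (the TSIG error names from RFC 8945).
    The MAC is checked first, then the signing time against the receiver's clock."""
    expected = hmac.new(secret, _covered(message, sig["time_signed"], sig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return "BADSIG"   # message tampered with, or signed with a different secret
    if abs(now - sig["time_signed"]) > sig["fudge"]:
        return "BADTIME"  # outside the window: a replayed old update ends up here
    return "NOERROR"


def demo():
    """Exercise the four cases: fresh update, tampered update, replay, wrong key."""
    # Constructed stand-in for a dynamic update message (real messages are wire format).
    update = b"UPDATE example.com. ADD www.example.com. 300 IN A 192.0.2.50"
    signed_at = 1_700_000_000
    sig = tsig_sign(update, SHARED_SECRET, signed_at)
    fresh = tsig_verify(update, sig, SHARED_SECRET, signed_at + 10)
    tampered = tsig_verify(update.replace(b"192.0.2.50", b"192.0.2.99"), sig, SHARED_SECRET, signed_at + 10)
    replayed = tsig_verify(update, sig, SHARED_SECRET, signed_at + 3600)  # resubmitted an hour later
    wrong_key = tsig_verify(update, sig, b"not-the-shared-secret", signed_at + 10)
    return fresh, tampered, replayed, wrong_key


if __name__ == "__main__":
    print(demo())
```

Two points the example makes visible: a forged or modified update fails on the MAC regardless of timing, while a replay of a genuinely signed update is caught only by the time check. Within the fudge window the MAC alone cannot tell a replay from the original, which is why the window is kept small (300 seconds is the value RFC 8945 recommends) and why accurate time on both servers matters.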
DNS software threats include:
- specific vulnerabilities;
- inadequate configuration and data protection.
The following actions can help to reduce risks related to DNS software threats:
- use the latest stable version and keep it up to date;
- turn off responses to version queries;
- restrict privileges;
- isolate the processes responsible for managing DNS services;
- create separate instances for authoritative servers and resolvers (if needed).
The platform hosting the DNS server can be prone to:
- OS/Application vulnerabilities;
- TCP/IP stack attacks;
- ARP spoofing;
- inadequate file access protection;
- host configuration corruption;
- DNS data/configuration corruption.
It is of utmost importance to apply patches in a timely fashion and to follow configuration recommendations.