DNS threats and mitigations
DNS data
Threats to DNS data can be caused by:
- lame delegation;
- zone drift: zone updates are too slow;
- zone thrash: zone updates are too fast;
- excessive information: HINFO/TXT records provide too much information.
DNS transactions
Query/Response
Forged or bogus query responses can be provided by way of a compromised authoritative server or a poisoned resolver cache.
Removal of resource records or incorrect wildcard expansions can also happen.
Zone transfers
It is possible to cause a denial of service by forcing transfer requests to overload the master server.
Zone information can be tampered with as well.
Dynamic updates
Unauthorized updates are possible, as well as replay attacks (resubmitting captured updates at a later time to cause invalid updates) and spurious notifications.
Possible mitigations
DNS transaction threats can be mitigated by:
- applying IP based restrictions;
- enabling TSIG;
- enabling DNSSEC.
DNS software
DNS software threats include:
- specific vulnerabilities;
- inadequate configuration and data protection.
The following actions can help to reduce risks related to DNS software threats:
- use the latest stable version and keep it up to date;
- turn off version query;
- restrict privileges;
- isolate the processes responsible for managing DNS services;
- create separate instances for authoritative servers and resolvers (if needed).
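A BIND 9 named.conf fragment that applies the transaction mitigations listed earlier (IP-based restrictions, TSIG, DNSSEC) together with the software hardening items above (version query off, authoritative instance kept separate from the resolver). This is an added example, not part of the original notes; the zone name, addresses, key name and secret are placeholders.

```conf
// Added example: authoritative-only BIND 9 instance (not from the original notes).
// Placeholders: example.com, 192.0.2.x addresses, "xfer-key" and its secret.

// TSIG key shared with the secondaries and with the host that sends dynamic
// updates. TSIG signs each transaction with an HMAC and a timestamp (default
// fudge 300 s), so tampered or replayed messages are rejected.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with: tsig-keygen xfer-key>";  // placeholder
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // IP-based restriction

options {
    directory "/var/named";
    version "none";               // turn off version query (version.bind CH TXT)
    recursion no;                 // authoritative only; run the resolver as a
                                  // separate instance with dnssec-validation on
    allow-query { any; };         // authoritative data is public
    allow-transfer { none; };     // deny by default; zones grant explicitly
    allow-update { none; };       // deny by default; zones grant explicitly
    minimal-responses yes;
};

zone "example.com" {
    type primary;
    file "example.com.zone";

    // Zone transfers: only from the listed secondaries AND only when signed
    // with the TSIG key (nested-ACL idiom: reject anything not in "secondaries",
    // then require the key for what remains).
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };

    // Dynamic updates: TSIG-signed, limited to the record types actually needed
    // anywhere under the zone apex (zonesub), instead of a blanket allow-update.
    update-policy { grant "xfer-key" zonesub A AAAA PTR; };

    // DNSSEC: sign the zone automatically with the built-in default policy so
    // resolvers can detect forged or tampered responses.
    dnssec-policy "default";
    inline-signing yes;

    // Send NOTIFY only to known secondaries, which also authenticate via TSIG.
    also-notify { 192.0.2.10; 192.0.2.11; };
    notify explicit;
};
```

Validate the file with named-checkconf before reloading; the resolver-side counterpart is a separate instance with recursion enabled, dnssec-validation auto, and allow-recursion restricted to internal clients.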
Host platform
The platform hosting the DNS server can be prone to:
- OS/Application vulnerabilities;
- TCP/IP stack attacks;
- ARP spoofing;
- inadequate file access protection;
- host configuration corruption;
- DNS data/configuration corruption.
It is of utmost importance to apply patches in a timely fashion and to follow configuration recommendations.