DNS threats and mitigations

DNS data

Threats to DNS data can be caused by:

  • lame delegation;
  • zone drift

    zone updates are too slow;

  • zone thrash

    zone updates are too fast;

  • eccessive information

    HINFO/TXT records provides too much information.

DNS transactions


Forged or bogus query responses can be provided by the way of a compromides authoritative server or a poisoned resolver cache.

Removal of resource records or incorrect wildcars expansions can also happen.

Zone transfers

It is possibile to cause a denial of service by forcing transfer requestes to overload the master server.

Zone information can be tampered as well.

Dynamic updates

Unauthorized updates are possibile, as well as replay attacks (resubmit updates at a later time to cause invalid updates) and spurious notifications.

Possibile mitigations

DNS transaction threats can be mitigated by:

  • applying IP based restrictions;
  • enabling TSIG;
  • enabling DNSSEC.

DNS software

  • specific vulnerabilities
  • inadequate configuration and data protection

The following actions can help to reduce risks related to DNS software threats:

  • use the latest stable version and keep it up to date;
  • turn off version query;
  • restrict priviledges;
  • isolate the processes responsible for managing DNS services;
  • create separate instances for authoritative servers and resolvers (if needed).

Host platform

The platform hosting the DNS server can be prone to:

  • OS/Application vulnerabilities;
  • TCP/IP stack attacks;
  • ARP spoofing;
  • inadequate file access protection;
  • host configuration corruption;
  • DNS data/configuration corruption.

It is of utmost importance to apply patches in a timely fashion and to follow configuration reccomendations.

© Alessandro Dotti Contra :: VAT # IT03617481209 :: This site uses no cookies, read our privacy policy for more information.