The Fragility of DNS

Despite costly and complex efforts to protect their Domain Name Systems, companies are still experiencing denial-of-service, pharming, and cache poisoning attacks.

July 17, 2007


A recent study conducted by Mazerov Research and Consulting suggests that despite a multitude of costly and elaborate efforts to keep Domain Name Systems protected, companies are still suffering from a barrage of denial-of-service, pharming, and cache poisoning attacks.

In the past year, Symantec's DeepSight system reported 25 vulnerabilities in various DNS servers and resolvers: eight of them allow server- or client-side denial of service, eight are buffer overflows, and the remaining nine are a mix of DNS spoofing and access-control flaws. DNS is highly reliable, but it is not trustworthy, and the difference goes unnoticed until there's an attack.

Application flaws in DNS server software can be fixed by patching, but denial-of-service attacks and cache poisoning are much harder to combat. DNS queries are UDP-based and so are easily spoofed: an attacker can flood a company's DNS server with queries carrying forged source addresses, and there isn't much the operator can do about it except over-provision the server and work closely with the service provider to mitigate the attack.

Cache poisoning is much more damaging, whether your DNS server's cache is poisoned, your host's cache is poisoned, or someone is redirecting your zone to their DNS server. When a host needs to resolve a name to an IP address, it asks its DNS server to do the work. If the server doesn't know the answer, it walks down the DNS tree from the root to the authoritative name server. It accepts the first properly formatted response as authoritative, and therein lies the problem: your DNS server, or host, takes what it's told on faith.

Unfortunately, there aren't many good solutions to cache poisoning either. The most promising, the IETF's DNSSEC, which signs zone data with public key cryptography so that a resolver can verify that a response is genuine rather than forged, isn't widely deployed on DNS servers or on client computers.
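The following Python is an added example, not code from the article or from any vendor it mentions. It models the failure mode just described in real DNS wire format (RFC 1035, standard library only): a resolver that caches the first well-formed response that arrives, beside one that accepts a response only when its source address, destination port, transaction ID, question section and answer owner names all match the outstanding query. Everything is constructed for the example: the datagram class stands in for a UDP packet, the IP addresses come from the RFC 5737 documentation ranges, the name `www.example.com` and its server are assumed, and the "bailiwick" rule is simplified to "the answer's owner name must be the name we asked for".

```python
"""Added example: toy DNS resolver showing first-response caching vs. checked caching.
Names, addresses and ports are constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges, not real hosts."""
import random
import struct
from dataclasses import dataclass

QTYPE_A, QCLASS_IN = 1, 1


@dataclass
class Datagram:          # stand-in for a UDP packet, so addressing can be checked
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:                       # compression pointers are not produced here
            raise ValueError("unsupported label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_response(txid, qname, owner, ip, ttl=300):
    """Standard response: header (QR=1, RD=1, RA=1), one question, one A record."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return hdr + question + rr


def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "response": bool(flags & 0x8000), "q": questions, "an": answers}


def parse_or_none(payload):
    try:
        return parse_message(payload)
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return None


def naive_resolve(inbound):
    """The behaviour the article describes: cache whatever the first well-formed
    response says, regardless of who sent it or what was asked."""
    for d in inbound:
        m = parse_or_none(d.payload)
        if m and m["response"] and m["an"]:
            return {name: rdata for name, _, _, rdata in m["an"]}
    return {}


def hardened_resolve(qname, server_ip, txid, sport, inbound):
    """Cache only a response that matches the outstanding query on every axis."""
    for d in inbound:
        m = parse_or_none(d.payload)
        if not m or not m["response"]:
            continue
        if d.src_ip != server_ip or d.dst_port != sport:   # addressing must match
            continue
        if m["txid"] != txid:                               # 16-bit ID must match
            continue
        if m["q"] != [(qname, QTYPE_A, QCLASS_IN)]:         # question must be ours
            continue
        if any(name != qname for name, *_ in m["an"]):      # toy bailiwick rule
            continue
        return {name: rdata for name, _, _, rdata in m["an"]}
    return {}


def demo(txid=None, sport=None):
    qname, server = "www.example.com.", "192.0.2.53"        # constructed
    txid = random.getrandbits(16) if txid is None else txid
    sport = random.randint(1024, 65535) if sport is None else sport
    wrong_id = txid ^ 0x5555                                # guaranteed mismatch
    inbound = [  # UDP is spoofable, so both forgeries claim to come from the real server
        Datagram(server, 53, sport, build_response(wrong_id, qname, qname, "203.0.113.66")),
        Datagram(server, 53, sport, build_response(txid, qname, "login.example.com.", "203.0.113.66")),
        Datagram(server, 53, sport, build_response(txid, qname, qname, "192.0.2.10")),
    ]
    return {"naive": naive_resolve(inbound),
            "hardened": hardened_resolve(qname, server, txid, sport, inbound)}
```

In `demo`, the two forged datagrams arrive before the genuine one, as they would during a flood: the naive resolver caches the attacker's address for `www.example.com`, while the hardened resolver discards the first forgery on its transaction ID, the second on its out-of-bailiwick owner name, and caches the real answer. Note that the 16-bit ID and the source port together are still only a guessing game for an attacker who can send enough packets, which is why the article's point stands: without DNSSEC signatures there is nothing in the protocol that proves a response came from the zone's owner.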

While survey respondents use, on average, 3.5 different solutions to harden their DNS, it's really plug and pray.
