The Fragility of DNS

Despite costly and complex efforts to protect their Domain Name Systems, companies are still experiencing denial-of-service, pharming, and cache poisoning attacks.

July 17, 2007

2 Min Read
Network Computing logo

A recent study conducted by Mazerov Research and Consulting suggests that despite a multitude of costly and elaborate efforts to keep Domain Name Systems protected, companies are still suffering from a barrage of denial-of-service, pharming, and cache poisoning attacks.

In the past year, Symantec's DeepSight system reported 25 vulnerabilities on various DNS servers and resolvers; eight of them are server or client denial-of-service attacks, eight are buffer overflows, and the remaining are a mix of DNS spoofing and access attacks. DNS is highly reliable, but it's not trustworthy and the difference goes unnoticed until there's an attack.

Server vulnerabilities that exploit application flaws can be fixed by patching, but DNS denial-of-service attacks and cache poisoning are much more difficult to combat. DNS queries are UDP-based and as such are easily spoofed. Launching a denial-of-service attack that spoofs the originating IP address against a company's DNS server is pretty easy, and there isn't much you can do about it except over-provision your DNS server and work closely with your service provider to mitigate the attack.

Cache poisoning is much more damaging, whether your DNS server cache is poisoned, your hosts cache is poisoned, or someone is redirecting your zone to their DNS server. When a host needs to resolve a name to an IP, it asks its DNS server to do the work. The DNS server, if it doesn't know the answer, starts to walk down the DNS tree from the root to the authoritative name server. It will accept the first properly formatted response as authoritative, and therein lies the problem. Your DNS server, or host, takes what it's told on faith.Unfortunately, there aren't many good solutions to cache poisoning either. The most promising solution, the IETF's DNS Sec, which is a standard for signing requests using public key cryptography, isn't widely deployed on DNS servers or on client computers.

While survey respondents may use, on average, 3.5 different solutions to harden their DNS, it's really plug and pray.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
Sign-Up

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

Nextgen network management
Network Management
Nextgen Network Management: What’s Next and Are We Ready?Nextgen Network Management: What’s Next and Are We Ready?
byMary E. Shacklett, President, Transworld Data
May 27, 2024
4 Min Read
SASE Explained: Definition, Benefits, and Best Practice
SASE Networking
SASE Explained: Definition, Benefits, and Best PracticeSASE Explained: Definition, Benefits, and Best Practice
bySalvatore Salamone, Managing Editor, Network Computing
May 1, 2023
22 Min Read
NaaS 2024: A Look at the Future of Network Services
Network Infrastructure
NaaS 2024: A Look at the Future of Network ServicesNaaS 2024: A Look at the Future of Network Services
byPascal Menezes, MEF
Mar 22, 2024
5 Min Read
Webinars
More Webinars
White Papers
More White Papers
Reports
More Reports
Live Events
More Live Events
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat