
The Fragility of DNS

A recent study conducted by Mazerov Research and Consulting suggests that despite a multitude of costly and elaborate efforts to keep the Domain Name System (DNS) protected, companies are still suffering from a barrage of denial-of-service, pharming, and cache poisoning attacks.

In the past year, Symantec's DeepSight system reported 25 vulnerabilities in various DNS servers and resolvers: eight of them are server or client denial-of-service attacks, eight are buffer overflows, and the remainder are a mix of DNS spoofing and access attacks. DNS is highly reliable, but it is not trustworthy, and the difference goes unnoticed until there is an attack.

Server vulnerabilities that stem from application flaws can be fixed by patching, but DNS denial-of-service attacks and cache poisoning are much more difficult to combat. DNS queries are UDP-based and, as such, are easily spoofed: there is no handshake, so the source address of a packet is taken at face value. Launching a denial-of-service attack that spoofs the originating IP address against a company's DNS server is pretty easy, and there isn't much you can do about it except over-provision your DNS server and work closely with your service provider to mitigate the attack.

Cache poisoning is much more damaging, whether your DNS server's cache is poisoned, your host's cache is poisoned, or someone is redirecting your zone to their DNS server. When a host needs to resolve a name to an IP address, it asks its DNS server to do the work. The DNS server, if it doesn't know the answer, walks down the DNS tree from the root to the authoritative name server. It will accept the first properly formatted response as authoritative, and therein lies the problem. Your DNS server, or host, takes what it's told on faith.
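To make "properly formatted" concrete, the following added example (not code from the article) implements the acceptance check a classic UDP resolver applies to an incoming reply: same source address and port it queried, QR bit set, matching 16-bit transaction ID, and a question section that echoes the outstanding query. Everything that passes those tests is cached; the server address, transaction ID and sample packets below are constructed for illustration, and the narrowness of the check (one 16-bit ID with no cryptographic binding) is exactly why source-port randomization and DNSSEC were later added as mitigations.

```python
import struct

def encode_qname(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_qname(data, offset):
    """Decode an uncompressed name (question sections normally carry no pointers)."""
    labels = []
    while data[offset] != 0:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels), offset + 1

def build_message(txid, flags, qname, qtype=1):
    """12-byte header with QDCOUNT=1 plus one question; answers are irrelevant here."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)

def validate_response(pending, src, data):
    """Return (accepted, reason) for a reply to the query described by `pending`."""
    if src != pending["server"]:
        return False, "source address/port is not the server we queried"
    if len(data) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if txid != pending["txid"]:
        return False, "transaction ID does not match our query"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, off = decode_qname(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    if (qname.lower(), qtype, qclass) != (pending["qname"].lower(), pending["qtype"], 1):
        return False, "question section does not echo our query"
    return True, "accepted"  # nothing else is verified before the answer is cached

# Constructed sample: the query we are waiting on, sent to a hypothetical server.
PENDING = {"txid": 0x1A2B, "qname": "example.com", "qtype": 1, "server": ("192.0.2.53", 53)}
GOOD = build_message(0x1A2B, 0x8180, "example.com")      # matches on every field
BAD_TXID = build_message(0x0001, 0x8180, "example.com")  # wrong 16-bit ID, otherwise valid

if __name__ == "__main__":
    print(validate_response(PENDING, ("192.0.2.53", 53), GOOD))
    print(validate_response(PENDING, ("192.0.2.53", 53), BAD_TXID))
    print(validate_response(PENDING, ("198.51.100.9", 53), GOOD))
```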
