DNS Security Overview

Without DNS the Internet would not work, yet most people do not know what DNS is. DNS stands for Domain Name System; it maps host names to IP addresses and provides a number of other mappings as well. DNS automatically converts the names we type in the address bar of a web browser into the corresponding IP addresses. Finding a web server requires an IP address, but humans prefer host names, which are much easier to remember.

DNS has no central database. Instead it is made up of thousands of DNS servers, each authoritative for the names in one or more zones. This is a very flexible solution which works very well for a huge network like the Internet, but it also brings a number of potential security issues.

In the good old days, security was seldom a concern on the Internet. Most services and protocols were designed without paying any attention to security, and DNS was no exception: it had virtually no security in the early days. BIND, the Berkeley Internet Name Domain, was the most widely used implementation of the DNS protocol. BIND is still widely used today and, fortunately, it has become reasonably secure.

The first versions of BIND had essentially no security at all; it was not until the mid 1990s that DNS security became an urgent issue. In the early days it was easy to get the complete zone from a DNS server (an unrestricted zone transfer, AXFR), giving an attacker the names and IP addresses of every computer in a network. The name server also trusted everyone, which made DNS cache poisoning very easy: the server would accept and cache any DNS information it received, regardless of where it came from and whether or not it had asked for it.

DNS cache poisoning was first used as a prank by some technically gifted students, but it can also serve criminal purposes. It is easiest to explain with an example. Let's say you need to pay a bill and your bank is mybank.com. You open a web browser and go to mybank.com. To find the site, your computer needs the IP address for mybank.com, so it asks its DNS server. In this setting a DNS cache poisoning attack requires two things: a fake record in the DNS server's cache giving a false IP address for mybank.com, and a site at that address that looks like the real mybank.com site.

Your computer gets the false IP address from the DNS server and your browser goes to the false mybank.com site. The site looks real, so you log in and your credentials are recorded by the attacker. Having got what he wanted, the attacker may then redirect you to the real mybank.com site and log you in automatically, minimizing the chance that you become suspicious. DNS cache poisoning can also be used to install malware on your computer. You may think you are downloading patches or updates from Microsoft, but you are in fact downloading from a bogus site which installs additional software onto your computer.

Nowadays DNS servers are not that gullible, but DNS cache poisoning is still a threat. One reason is that many DNS servers still run old DNS software that lacks the checks of the latest versions. It is also possible to poison the cache on an individual computer. This is less efficient than attacking a DNS server, since only one computer is misdirected, but it can still create a lot of trouble for that computer and its user.
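To make the difference between the early trusting resolver and a modern one concrete, here is an added illustration (written for this page, not code from the article or from BIND) of a toy resolver cache. One version caches whatever arrives, asked for or not, as described above for early servers; the other only caches a record if it answers a query the resolver actually sent, came from the server it was sent to with the matching transaction ID and port, and lies within that server's own zone (the "bailiwick" check). All names and addresses are constructed: attacker.example, mybank.example (a stand-in for the article's mybank.com) and addresses from the documentation ranges.

```python
"""Toy resolver cache: the early, trusting behaviour beside the checks
modern resolvers make. Constructed example with illustrative names/IPs."""
from dataclasses import dataclass, field
import secrets

@dataclass
class RR:
    name: str
    rdata: str           # IPv4 address as a string in this toy

@dataclass
class Response:
    txid: int            # 16-bit ID that should echo the query's ID
    src: tuple           # (ip, port) the datagram claims to come from
    dst_port: int        # UDP port the datagram was addressed to
    qname: str           # question section: the name being asked about
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(rr_name: str, zone: str) -> bool:
    """True when rr_name is the zone apex or a name beneath it."""
    rr_name, zone = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr_name == zone or rr_name.endswith("." + zone)

class NaiveCache:
    """Early-BIND style: cache every record that arrives, asked for or not."""
    def __init__(self):
        self.cache = {}

    def accept(self, resp: Response) -> bool:
        for rr in resp.answers + resp.additional:
            self.cache[rr.name] = rr.rdata
        return True

class CheckingCache:
    """Only caches records that answer a query we actually sent, from the
    server we sent it to, with matching ID and port, and within that
    server's zone of authority (the bailiwick check)."""
    def __init__(self):
        self.cache = {}
        self.pending = {}    # (txid, src port) -> (qname, server, zone)

    def send_query(self, qname, server, zone):
        txid = secrets.randbelow(1 << 16)          # random 16-bit ID
        port = 1024 + secrets.randbelow(60000)     # random source port
        self.pending[(txid, port)] = (qname, server, zone)
        return txid, port

    def accept(self, resp: Response) -> bool:
        key = (resp.txid, resp.dst_port)
        if key not in self.pending:
            return False      # unsolicited, or wrong ID/port: drop it
        qname, server, zone = self.pending.pop(key)
        if resp.src != server or resp.qname.lower() != qname.lower():
            return False      # not from whom we asked, or wrong question
        stored = False
        for rr in resp.answers + resp.additional:
            if in_bailiwick(rr.name, zone):    # ignore out-of-zone extras
                self.cache[rr.name] = rr.rdata
                stored = True
        return stored

def run_scenarios():
    """Replays two constructed poisoning attempts against both caches and
    returns what each ended up caching."""
    attacker_ns = ("203.0.113.5", 53)       # attacker's authoritative server
    victim = "mybank.example"               # stand-in for the article's mybank.com
    bogus_ip = "198.51.100.7"               # where the fake bank site lives
    naive, checking = NaiveCache(), CheckingCache()

    # 1. The resolver legitimately looks up a name the attacker controls.
    #    The attacker answers truthfully but adds an unrequested record
    #    for the bank in the additional section.
    txid, port = checking.send_query("www.attacker.example", attacker_ns,
                                     "attacker.example")
    crafted = Response(txid=txid, src=attacker_ns, dst_port=port,
                       qname="www.attacker.example",
                       answers=[RR("www.attacker.example", "203.0.113.80")],
                       additional=[RR(victim, bogus_ip)])   # the poison
    naive.accept(crafted)
    checking.accept(crafted)

    # 2. A blind spoof: a reply nobody asked for, with a guessed ID and port.
    spoof = Response(txid=4242, src=("203.0.113.9", 53), dst_port=53,
                     qname=victim, answers=[RR(victim, bogus_ip)])
    return {
        "naive": dict(naive.cache),
        "checking": dict(checking.cache),
        "naive_took_spoof": naive.accept(spoof),
        "checking_took_spoof": checking.accept(spoof),
    }

if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, result)
```

Running it shows the naive cache holding a bogus address for mybank.example after both attempts, while the checking cache keeps only the in-zone answer it asked for and drops the spoof outright. Real resolvers add more (TTL handling, DNSSEC validation), but these three checks are the core of why the attacks described above no longer work against up-to-date software.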
