DNSSEC: Security for Essential Network Services - Page 2

 By Beth Cohen
Page 2 of 4   |  Back to Page 1
Print Article

DNS Security Vulnerabilities

Ever since Paul Mockapetris published the original DNS architecture document in 1984, DNS has been the bedrock network service that supports the Internet. DNS has worked flawlessly for many years, but it was designed long before anyone was aware of the Internet security issues that have since developed. As the Internet has become an accepted part of the general community and no longer the province of a small club of highly technical engineers, integrity threats and the need for security awareness have increased.

Because DNS is a UDP-based (User Datagram Protocol) network service, it has a number of major inherent security vulnerabilities. Most are instances of more general problems, but a few are inherent to peculiarities of the DNS protocol itself. Unlike TCP (Transmission Control Protocol), UDP does not have a mechanism for verifying a packet source, which makes it very vulnerable to source packet spoofing and inception attacks. There are four major points of attack: cache spoofing, traffic diversion, denial of service attacks on the top-level domain servers themselves, and buffer overruns. Cricket Liu, Executive VP, InfoBlox, Inc., and author of O'Reilly's "DNS & BIND," notes that there have been recent attacks on the DNS infrastructure using each of the known DNS vulnerabilities.

Cache Spoofing

How does a slave (secondary) know it is talking to the proper master (primary)? Because it is using UDP for communications, the data source is not verifiable, and the DNS data can be spoofed or corrupted on its way between the upstream primary server and the secondary slave. This is a major hole in the protocol. As the IETF threat analysis paper puts it, "The DNS protocol does not allow you to check the validity of DNS data. While packet interception attacks are far from unique to DNS, DNS's usual behavior of sending an entire query or response in a single unsigned, unencrypted UDP packet makes these attacks particularly easy for any bad guy with the ability to intercept packets on a shared or transit network."

When Kashpureff spoofed the servers, he inserted some additional code into his machine's standard DNS queries that forced victims' machines to respond to his servers. When they did, an extra "A record," was sent to the victim's name server that included information on how to connect to Kashpureff's domains. Kashpureff did it partially as a publicity stunt for his alternative domain namespace company, but the distributed and hierarchical nature of the data meant that corrupted DNS data might end up in downstream caches where it could persist. Caching servers have a variable TTL (Time to Live). If the TTL value is set very high -- a week for example -- the corrupted data can cause harm for quite some time.

Traffic Diversion

Another common attack is where "falsified" DNS responses divert traffic away from the intended site. The socially engineered "hijacking" of aljazeera.net -- the Al Jazeera website -- apparently by US-based pro-war extremists is a good example. In this case, information about the ownership of the domain was modified so that it no longer pointed to the correct set of servers. If a user attempted to access the site, they saw the "hacked" web pages even though the Al Jazeera site itself wasn't touched.

Buffer Overruns

BIND, the software that handles the DNS requests, has several built-in vulnerabilities to buffer overrun attacks. These are well-known holes where large numbers of service requests cause the software to overrun into memory buffers not allocated to the program. These can be exploited in a number of nefarious ways to cripple the application or bring down the server. A recent and very disturbing example was the Li0n worm exploitation of a hole in a series of March-April 2001 attacks on the TSIG (Transaction Signature) code (part of the new DNSSEC BIND implementation).

Distributed Denial of Service Attacks
DDoS (Distributed Denial of Service) attacks are simple to mount and incredibly difficult to prevent. Because ICMP requests are the basic mechanism used to monitor the health of the Internet, it is nearly impossible to secure this against attack. The hierarchical nature of DNS, combined with the tiny number of top-level domain servers, makes them particularly tempting hacker targets as was confirmed by the October attack mentioned earlier.

Page 3: How DNSSEC Works

This article was originally published on May 12, 2003
Get the Latest Scoop with Networking Update Newsletter