The DNS (Domain Name System) is an essential tool on the Internet that provides a mechanism for resolving host names into IP addresses. The insecurity of its underlying protocols and integrity checking, coupled with the lack of authentication of the information within DNS, threatens its functionality. The Internet Security Task Force is working intensively on DNS security, under the name DNSSEC, to make it safer.
We take DNS for granted. In our daily hustle over the internet, we use software that automatically connects to the web, without using the host name. We never think about what goes on in the background when we open a browser and key in a URL. It is always a huge convenience to use names instead of IP addresses. Humans remember names more readily than numbers. When placing a phone call, we remember the name of the individual rather than their phone number. Imagine having to remember the IPv4 address of the website you want to visit instead of the website name. It is virtually impossible to remember the 128-bit IPv4 address. This makes a reliable DNS an absolute necessity.
Here is the problem. DNS was designed in the early days of the internet, when security was not an issue. Only educational institutions and government agencies used the internet. Given how important DNS is to a network, it is clear that DNS security is vital. Here are the most common targeted threats against DNS servers.
Zone Information Leakage: This can occur when an intruder gains access to critical information about the roles of servers. For instance, the attacker may gain access to a server by the name PAYROLL to find valuable information.
Zone File Compromise: This attack is not necessarily extreme. It can be carried out by anyone with a little knowledge of DNS. This can be an insider or someone logged on over Telnet. Ensure that the DNS server is kept under lock to minimize unauthorized entry.
Cache Poisoning: DNS servers communicate with other servers using cache queries. An intruder can take advantage of that and send a malicious query to manipulate the servers into issuing unauthorized information.
DNS Client Flooding: DNS queries are not authenticated. This means it is easy to launch several DDoS attacks on DNS and render it disabled.
Compromised Dynamic Updates: Attackers will take advantage of unsecured updates because this allows any host to have its address registered without authentication. This wreaks havoc.
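A defender can check for the unauthenticated dynamic updates described above by auditing the server configuration. The following is an added example, not part of the original article: it assumes a BIND-style `named.conf` (the article names no particular server), and the zone names, key name and address in the sample are constructed.

```python
import re

# Constructed BIND-style named.conf fragment (sample input, not from the page).
SAMPLE_CONF = '''
zone "open.example" {
    type master;
    allow-update { any; };             // any host may register records
};
zone "byaddr.example" {
    type master;
    allow-update { 192.0.2.10; };      // source address only, no signature
};
zone "signed.example" {
    type master;
    allow-update { key "ddns-key"; };  # TSIG-signed updates only
};
zone "static.example" {
    type master;
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments (assumes none appear inside quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zone_blocks(conf):
    """Yield (zone name, body) pairs, matching braces so nested blocks stay intact."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit_dynamic_updates(conf):
    """Classify each zone's allow-update setting by how updates are authorised."""
    verdicts = {}
    for name, body in zone_blocks(strip_comments(conf)):
        m = re.search(r'allow-update\s*\{([^}]*)\}', body)
        entries = [e.strip() for e in m.group(1).split(';') if e.strip()] if m else []
        if not entries or entries == ['none']:
            verdicts[name] = 'disabled'        # BIND refuses updates by default
        elif 'any' in entries:
            verdicts[name] = 'open'            # the unauthenticated case from the text
        elif all(e.startswith('key ') for e in entries):
            verdicts[name] = 'authenticated'   # every update must carry a TSIG signature
        else:
            verdicts[name] = 'address-only'    # source IPs can be spoofed
    return verdicts

if __name__ == '__main__':
    for zone, verdict in audit_dynamic_updates(SAMPLE_CONF).items():
        print(f'{zone:18} {verdict}')
```

Zones reported as `open` or `address-only` accept updates that carry no cryptographic proof of origin. Zones that use `update-policy` instead of `allow-update` are not examined by this sketch.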