The Domain Name System (DNS) is defined by RFCs 1034 and 1035. It is a hierarchical, distributed database that provides name resolution for various Internet applications. A zone, as commonly understood, is a collection of nodes forming a contiguous tree structure, with the start of authority, or SOA. The purpose of the SOA is to delegate naming authority downward to delegation points, terminating with leaf nodes. The elements of the SOA are made available from the authoritative DNS servers to recursive DNS servers.
Whenever DNS is queried, a resolver traverses the DNS hierarchy, locates the appropriate authoritative DNS server and gets an answer. The resolver executes recursive queries through the hierarchical tree and eventually reaches the nameserver that is authoritative for the specified query. Once that server is identified, the resolver retrieves the answer from it, completing the query. The deployed DNS infrastructure supports several query types, of which Address (A) and Pointer (PTR) are the most commonly deployed.
DNS security as a generic term is used to address the following three functions:
- Zone Transfer Security
- Dynamic DNS (DDNS) Security
- Zone Integrity
Of late there appears to be the start of a different form of attack: the subversion of a host's correct resolution path. In this attack, the client is directed to use a rogue DNS server, which provides incorrect answers to queries or selectively manipulates answers for the purposes of commercial gain, phishing or other abuse. In most cases, users have no indication that the DNS answers are not what the correct authoritative DNS servers would provide. A classic example is Ghost Click, described in this blog.
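Because a subverted resolution path gives the user no visible sign, one defensive check is to audit which resolvers a host is actually configured to use. The following is an added example, not code from the original post: it parses resolv.conf-style text and reports any nameserver outside an approved set. The approved ranges, the sample configuration and the function name `audit_resolvers` are constructed assumptions.

```python
import ipaddress

# Assumption: resolvers this organization has approved. These are constructed
# values from documentation ranges (RFC 5737 / RFC 3849), not real servers.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("2001:db8:53::/64"),
]

# Constructed sample of a host's resolver configuration.
SAMPLE = """\
# constructed sample, not taken from a real host
nameserver 192.0.2.10
nameserver 203.0.113.77   ; not on the approved list
nameserver 2001:db8:53::1
nameserver not-an-ip
search corp.example
"""

def audit_resolvers(resolv_conf_text, approved=APPROVED_RESOLVERS):
    """Return (line_number, value, reason) for each suspicious nameserver."""
    findings = []
    for lineno, raw in enumerate(resolv_conf_text.splitlines(), 1):
        # Drop comments introduced by '#' or ';' before tokenizing.
        line = raw.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        value = fields[1]
        try:
            # An IPv6 link-local entry may carry a zone id (fe80::1%eth0).
            addr = ipaddress.ip_address(value.split("%", 1)[0])
        except ValueError:
            findings.append((lineno, value, "unparseable"))
            continue
        allowed = any(
            addr.version == net.version and addr in net for net in approved
        )
        if not allowed:
            findings.append((lineno, value, "unapproved"))
    return findings

if __name__ == "__main__":
    for lineno, value, reason in audit_resolvers(SAMPLE):
        print(f"line {lineno}: {value} ({reason})")
```

The same comparison applies to resolver addresses handed out by DHCP or set on a home router, since a client inherits whatever those sources advertise.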