Back from an ISSA Belgian Chapter event about DNS & Security. As Kris Buytaert says on his blog: “Everything is a Freaking DNS problem!”
Today’s speaker was Marc Lampo, who has extensive DNS experience (years ago he spent several years as hostmaster for a Belgian ISP). After reviewing the basics of the Domain Name System, Marc returned to Dan Kaminsky’s research on DNS cache poisoning. Without DNS the Internet cannot be used, yet DNS security is, alas, not often considered as critical as it should be. DNS servers can be the target of attacks (like DDoS), but they can also be used to conduct attacks!
After the introduction, Marc focused on the cache poisoning problem. He explained the different types of attack step by step, and also gave some ways to mitigate the risks by reducing the attack surface:
- Do not let clients access the Internet directly (use proxies)
- Do not allow recursive DNS from the wild Internet
- Use different layers of servers (do not let your caching DNS server access the Internet directly)
- Deploy firewalls between the DNS servers (to prevent spoofing)
- If you use NAT, use a dedicated IP address for resolving domain names
- Use your own root server!
About the last option (running your own root server), Marc mentioned an interesting way to deploy a DLP solution at low cost; I’ll come back to this in a future article.
After a break, the second part of Marc’s presentation was about DNSSEC. I already wrote about DNSSEC in my review of the second day of the RSA Europe Conference. He explained from scratch the purpose of DNSSEC (the new record types) and gave an overview of the “market” (how the different caching DNS servers available today handle DNSSEC records). It’s clear that more and more TLDs will be protected soon (by the way, nothing announced in Belgium). Worth keeping in mind: DNSSEC drastically increases the size of UDP packets (some can even exceed 2KB). This explains why more and more DNS traffic is seen over TCP. Also, to be fully secure, the whole chain must be signed: the root zone (“.”), the TLD and the zone itself. And even then, take care with zone redirections such as CNAMEs!
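As an added illustration (my own example, not part of Marc’s talk), here is a small Python model of that chain-of-trust rule: a name only validates if the root, the TLD and the zone are all signed and linked by DS records, and a CNAME pointing into an unsigned zone leaves the final answer insecure. The zone tree and the CNAME are constructed data, not real DNS.

```python
# Constructed example data, not taken from the talk: a tiny DNS tree. "signed" means
# the zone publishes DNSKEY/RRSIG records; "ds_for" lists the child zones for which
# this zone publishes a DS record, i.e. the delegations it vouches for.
ZONES = {
    ".":              {"signed": True,  "ds_for": {"example"}},
    "example":        {"signed": True,  "ds_for": {"secure.example", "stale.example"}},
    "secure.example": {"signed": True,  "ds_for": set()},
    "broken.example": {"signed": True,  "ds_for": set()},  # signed, but no DS in parent
    "stale.example":  {"signed": False, "ds_for": set()},  # DS in parent, zone unsigned
    "test":           {"signed": False, "ds_for": set()},  # unsigned TLD
    "legacy.test":    {"signed": False, "ds_for": set()},
}
CNAMES = {"www.secure.example": "cdn.legacy.test"}  # constructed CNAME: owner -> target
RANK = {"bogus": 0, "insecure": 1, "secure": 2}  # RFC 4035 validation states, weakest first

def zone_chain(name):
    """Zones enclosing `name`, from the root down to the closest enclosing zone."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            chain.append(candidate)
    return chain

def chain_status(name):
    """Walk the chain of trust as a validating resolver does; return (status, zone)."""
    chain = zone_chain(name)
    if not ZONES["."]["signed"]:
        return ("insecure", ".")  # no trust anchor to start from
    for parent, child in zip(chain, chain[1:]):
        # Every link needs a signed parent publishing a DS for a signed child.
        if child not in ZONES[parent]["ds_for"]:
            return ("insecure", child)  # parent does not vouch for this delegation
        if not ZONES[child]["signed"]:
            return ("bogus", child)  # DS promises a key the child does not publish
    return ("secure", chain[-1])

def answer_status(name, max_hops=8):
    """Status of the final answer, following CNAMEs: only as secure as the weakest zone."""
    worst, where = chain_status(name)
    hops = 0
    while name in CNAMES and hops < max_hops:  # bounded so a CNAME loop cannot hang us
        name, hops = CNAMES[name], hops + 1
        status, zone = chain_status(name)
        if RANK[status] < RANK[worst]:
            worst, where = status, zone
    return (worst, where)
```

Calling `answer_status("www.secure.example")` reports the answer as insecure at the unsigned `test` TLD even though `secure.example` itself is fully signed, which is exactly the CNAME caveat above.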
From my point of view, I did not learn any “breaking news” about DNS, but it was pleasant to listen to Marc. A great speaker! And, as usual, security awareness is always good! 😉