Cache poisoning attacks and how to prevent them

Cricket Liu

Infoblox recently sponsored a study by The Measurement Factory to determine how vulnerable name servers on the Internet are to various types of attack. The results were alarming: of 1.3 million name servers surveyed, more than 75 percent allowed recursive queries from arbitrary IP addresses. Such name servers are more vulnerable to cache poisoning attacks than name servers that deny recursive queries or that only allow recursive queries to a set of authorized queriers. About 40 percent of the name servers sampled allowed zone transfers from arbitrary IP addresses. This could be exploited to mount a denial of service attack against the name server. And, in roughly a third of the cases, all of the name servers serving a particular zone were on the same /24 network, making both accidental and deliberate denials of service more likely.

More on this topic Browse admin tips DNS security How DNS works Expert Cricket Liu: Integration of Internet protocols; A critical year for the IETF Browse network security tips

In the interest of keeping this a safe Halloween, here's a checklist of measures you can take to secure your DNS infrastructure:

1. Restrict recursion to only authorized queriers, or disable it entirely. You set your name servers up for a particular purpose: to answer queries about your zones, to serve your internal resolvers' and name servers' queries about Internet domain names, or both. If your name servers are dedicated to answering queries from other name servers on the Internet and nothing else, disable recursion. If your name servers' exclusive function is to resolve Internet domain names for internal clients, restrict queries to those coming from your internal address space. If your name servers serve both functions, consider splitting the two functions between two sets of name servers and securing each set as already described. If you can't split the functions, at least restrict access to recursion to your internal address space.
2. Restrict zone transfers to authorized secondary name servers. Most folks on the Internet don't need to be able to transfer entire zones from your name server. (There are some exceptions: For example, some DNS Registries require the ability to transfer zones from their registrants' name servers.) Restrict zone transfers to your name servers' authorized secondary name servers, using TSIG, if possible. On secondary name servers that shouldn't serve zone transfers, disable them entirely.
3. Use forwarders to limit exposure. You could provide Internet name resolution by letting all of your internal name servers communicate directly with name servers on the Internet. But if your name servers turned out to have a vulnerability that allowed a hacker to crash them with a mal-formatted response, you'd have a lot of work on your hands to upgrade all of the exposed name servers. Instead, funnel Internet name resolution through a smaller set of name servers designated as forwarders. These can be sandwiched between your internal and external firewall, so that any compromise would be compartmentalized and wouldn't expose your internal network.
4. Run the latest name server software. Our study also showed the only half of the name servers in the sample ran the latest name server code. Older name servers suffer from bugs and vulnerabilities, so it's wise to upgrade to a modern version of the software. For BIND name servers, that's something that begins with 9.2, or even 9.3.
5. Secure the platform. The name server software itself isn't always the vector a hacker uses to attack a name server. In addition to securing the name server, you need to secure the underlying operating system platform. You'll have to disable unnecessary network services and remove unnecessary accounts, for example. (Of course, if you buy an appliance, this is done for you.)
6. Check your work. BIND name servers, in particular, are hypersensitive to syntax. One seemingly innocuous mistake in a zone data file or named.conf file can have shockingly far-reaching effects, causing SERVFAIL responses to queries or even preventing your name server from restarting. The newest versions of BIND ship with two invaluable utilities, named-checkconf and named-checkzone, which you can use to check the syntax of your named.conf and zone data files before reloading. Or use a GUI to insulate you from the complexity of the underlying syntax.
7. Limit administrative access. On hosts running name servers, make sure that only authorized users have administrative access, and log their activity. This can be tricky on Unix- and Linux-based hosts, where a user with root access can do anything. But your OS may support more compartmented administrative access, or you may be able to rig something up using sudo, for example. Some commercial products also provide these capabilities.

Cricket is Infoblox's vice president of architecture and serves as a liaison between Infoblox and the DNS user community. He worked for Hewlett-Packard for nearly ten years, where he ran hp.com, one of the largest corporate domains in the world, and helped found HP's Internet consulting business. Cricket later co-founded his own Internet consulting and training company, Acme Byte & Wire. After Network Solutions acquired Acme Byte & Wire and later merged with VeriSign, Cricket became director of DNS Product Management.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Engineering Testing LAN switch power consumption: A best practices guide Desktop virtualization network requirements Preventing hacker attacks with network behavior analysis IPS Internal cloud computing on the cheap: Free automated provisioning? Improved storage performance without adding more disk Troubleshooting -- 'Network Know-How' Chapter 17 Windows Server 2008 IP routing configuration: Static and dynamic RIPv2 Understand Windows tracert output to troubleshoot network connectivity Using tracert and TTL to troubleshoot network connectivity problems 10 Gigabit Ethernet interconnect solutions: Investigate carefully before choosing Network Security Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation Preventing hacker attacks with network behavior analysis IPS Rogue access points: Preventing, detecting and handling best practices The TPM chip: An unexploited resource for network security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in USB storage devices: Two ways to stop the threat to network security Network Security Monitoring and Analysis Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation How can I calculate perimeter firewall throughput? How do I find the application on my network that's dropping packets? Integrating NAC with network security tools Where can I find a sample security audit report? How can I run my own? The firewall remains the network traffic cop, but its role is changing Troubleshooting VLANs: How to monitor 802.1q tagged traffic Poor data-loss prevention practices almost cost Intel a billion How can I block my competitor's IP address range from my website? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary deep packet inspection (DPI)  (SearchNetworking.com) FCAPS  (SearchNetworking.com) Nessus  (SearchNetworking.com) netstat  (SearchNetworking.com) port mirroring  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.