Identifying DNS Security Threats
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A DNS infrastructure is vulnerable to a number of types of security threats.
Footprinting The process of building a diagram, or footprint, of a DNS infrastructure by capturing DNS zone data such as domain names, computer names, and IP addresses for sensitive network resources. DNS domain and computer names often indicate the function or location of domains and computers.
Denial-of-service attack An attack in which the attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. When a DNS server is flooded with queries, its CPU usage eventually reaches its maximum and the DNS Server service becomes unavailable. Without a fully operating DNS server on the network, network services that use DNS are unavailable to network users.
Data modification The use of valid IP addresses in IP packets that an attacker has created to destroy data or conduct other attacks. Data modification is typically attempted on a DNS infrastructure that has already been foot printed. If the attack is successful, the packets appear to be coming from a valid IP address on the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), an attacker can gain access to the network.
Redirection An attack in which an attacker is able to redirect queries for DNS names to servers that are under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that might direct future queries to servers that are under the control of an attacker. For example, if a query is made to example.contoso.com and a referral answer provides a record for a name that is outside of the contoso.com domain, the DNS server uses the cached data to resolve a query for the external name. Redirection can be accomplished when an attacker has writable access to DNS data, such as with non-secure dynamic updates.
For more information about common types of attacks, developing a security policy, and evaluating your level of risk, see "Designing an Authentication Strategy" and "Designing a Resource Authorization Strategy" in Designing and Deploying Directory and Security Services of this kit.