Threats to DNS Servers

Because of Windows 2000's dependence on the DNS name service, DNS servers are targets for attacks. Attackers can pose the following threats to the DNS service:

  • Overwriting existing DNS resource records and hijacking sessions

  • Acquisition of DNS zone data by performing unauthorized zone transfers

  • Exposure of the internal IP addressing scheme to the public network

  • Denial-of-service attacks that disable all DNS services

Modification of DNS Records

By supporting dynamic DNS updates, a Windows 2000 DNS server is susceptible to modification of DNS resource records if the security of the DNS server is not configured correctly. If attackers can modify a DNS resource record at a DNS server, they can redirect clients to a server impersonating the original server. Once the resource record is modified at the DNS server, all DNS clients receive the fraudulent information from the DNS service.

Alternatively, attackers might attempt to pollute the cache of the DNS server with false DNS information. When a DNS server responds to a DNS query, it first verifies that the requested DNS name exists in the DNS server's DNS cache. If the requested DNS resource record exists in the cache, the response is based upon the cached information. If attackers can modify or inject information into the DNS server's cache, the DNS server will send the modified response to the DNS clients, rather than contacting the authoritative DNS server for the zone.
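The usual defence against the cache pollution described above is a bailiwick check: a resolver only caches records whose owner name falls inside the zone it asked about, and discards out-of-zone "additional" records a forged response carries along (this is the rule behind the "Secure cache against pollution" option on Windows DNS servers). The following Python is an added example, not code from the book or from Microsoft; the wire-format builder, the constructed response and the names www.example.com and login.example.net are assumptions made for illustration.

```python
import struct

def encode_name(name):  # dotted name -> uncompressed DNS wire labels
    return b''.join(bytes([len(lbl)]) + lbl.encode('ascii') for lbl in name.split('.')) + b'\x00'

def rr(name, rtype, rdata, ttl=300):  # one resource record, class IN
    return encode_name(name) + struct.pack('!HHIH', rtype, 1, ttl, len(rdata)) + rdata

def read_name(msg, off):  # decode a possibly compressed name -> (lower-case name, next offset)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2                   # the name ends after the first pointer
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii').lower())
        off += length
    return '.'.join(labels), end or off

def parse_response(msg):  # -> [(section, name, rtype, rdata), ...] for every RR in the response
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off, records = 12, []
    for _ in range(qd):                            # skip the question section
        off = read_name(msg, off)[1] + 4           # name + QTYPE + QCLASS
    for section, count in (('answer', an), ('authority', ns), ('additional', ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
            records.append((section, name, rtype, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    return records

def filter_bailiwick(msg, zone):  # keep RRs whose owner is inside `zone`, discard the rest
    zone, kept, dropped = zone.lower(), [], []
    for rec in parse_response(msg):
        (kept if rec[1] == zone or rec[1].endswith('.' + zone) else dropped).append(rec)
    return kept, dropped

# Constructed response (not captured traffic): a genuine answer for www.example.com plus an
# out-of-zone "additional" record that a poisoning attempt hopes the cache will accept.
POISONED_RESPONSE = (
    struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 1)          # id, flags, qd, an, ns, ar
    + encode_name('www.example.com') + struct.pack('!HH', 1, 1)  # question: A, IN
    + rr('www.example.com', 1, bytes([192, 0, 2, 10]))           # A record inside the zone
    + rr('login.example.net', 1, bytes([198, 51, 100, 7]))       # A record outside the zone
)
```

Calling `filter_bailiwick(POISONED_RESPONSE, 'example.com')` keeps only the www.example.com answer and drops the login.example.net record, so the forged entry never reaches the cache.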

Zone Transfer of DNS Data by an Unauthorized Server

The DNS zone contains SRV resource records and IP address information that can provide an attacker with the layout of the network and location of key Active Directory services. If attackers can obtain the DNS zone data, they can easily generate a diagram of the network.

The simplest way for attackers to gain the DNS zone data is to request a zone transfer of the zone data from an existing DNS server. The zone transfer moves all DNS zone data to the target server.

Exposure of Internal IP Addressing Schemes

When DNS is poorly designed, Active Directory information is published to DNS zones accessible from the Internet. The Active Directory information is required only on the private network, where network clients must authenticate with and connect to Active Directory resources.

If an external client must connect to Active Directory resources, Microsoft recommends that you provide external clients access to the private network by deploying the Routing and Remote Access Service (RRAS) on a computer hosting virtual private network (VPN) connections. By connecting to the private network via a VPN, the client has an IP address on the private network and can securely access an internal DNS server.

Denial-of-Service Attacks Against DNS Services

An attacker can prevent access to DNS services on the network by launching a denial-of-service attack against the DNS server. A denial-of-service attack will prevent the DNS server from responding to normal queries. Because of Active Directory's dependence on DNS for name resolution, the removal of the DNS service from the network via a denial-of-service attack will prevent network authentication and the resolution of host names on the network.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189