Years ago I wrote a class that included a long section on configuring DNS – the Domain Name System the Internet uses to “resolve” human-readable names into machine-processable IP addresses. I focused on explaining how to make it work. In a later security course I explained issues with DNS and how BIND 9 would fix many of those issues. Now more attacks have been using DNS and it’s time to do more.
First, we need to think a bit about DNS and BIND in general. DNS is a protocol (or a collection of protocols and other specifications) and BIND (the Berkeley Internet Name Domain) is a piece of software (generally called named) implementing that protocol. Each can have flaws for multiple reasons. The biggest one here and in other protocol/implementation issues is that bad guys figured out how to use the normal function of the software in malicious ways.
Next, let’s consider the importance of updating Internet-facing software. Even if an issue with a protocol or service vulnerability doesn’t impact us, it may allow our systems to become attack vectors to be used to attack others. This is the issue with open mail relays. Fortunately most of those that were accidentally left open have been fixed.
Finally, we need to patch our DNS servers. An article that describes the issue and the fix is Arthur Grimes’ “How to stop your DNS server from being hijacked”. He discusses the issues of manipulating DNS results (as we discuss in Learning Tree’s System and Network Security Introduction) and the use of DNS in distributed denial-of-service (DDoS) attacks. He also discusses the fixes, which include disabling open relays, the same fix we had for preventing those email attacks.
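To make the “disable open relays” fix concrete for BIND, here is an added example (not from the article above or the BIND project): a `named.conf` options block as it is commonly left open, followed by a hardened version for a server that is authoritative for the outside world and only recurses for its own network. The network range `192.0.2.0/24` and the zone name `example.com` are placeholders I chose for the illustration.

```conf
// --- BEFORE: an open resolver -------------------------------------
// Anyone on the Internet can ask this server to recurse, so it can be
// used to amplify traffic toward a spoofed victim and to cache
// attacker-supplied answers.
options {
    directory "/var/named";
    recursion yes;                  // recursion for everybody...
    allow-query     { any; };
    allow-recursion { any; };       // ...from any source address
};

// --- AFTER: authoritative to the world, recursive only for us -----
options {
    directory "/var/named";

    // Recursion stays enabled, but only our own networks may use it.
    // (On a purely authoritative server, use "recursion no;" instead.)
    recursion yes;
    allow-recursion   { localhost; localnets; 192.0.2.0/24; };  // placeholder net
    allow-query-cache { localhost; localnets; 192.0.2.0/24; };

    // Authoritative answers may still be queried by anyone.
    allow-query { any; };

    // Response Rate Limiting (BIND 9.9.4+ / 9.10) blunts reflection
    // attacks that use our authoritative data as the amplifier.
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // Zone transfers are for our secondaries only; no reason to leak
    // the whole zone to the Internet.
    allow-transfer { none; };
};

// Authoritative zone (placeholder name) served to all queriers.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };   // placeholder secondary address
};
```

After reloading (`rndc reload`), verify the change from an address outside the allowed networks: `dig @your.server.example www.google.com +recurse` should return `status: REFUSED` (or an answer with no `ra` flag and no data for names you are not authoritative for), while a query for a name in your own zone still answers normally.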
BIND isn’t the only choice for DNS. One popular alternative is NSD, the Name Server Daemon. NSD is gaining in popularity and is used by some root servers and by some top-level domains (TLDs). It is free and open source. I’ve not used NSD, but colleagues say the change is quite straightforward and NSD might replace BIND in the not-too-distant future.
DNS and mail are only two vulnerable services on the Internet. More will be discovered, and more vulnerabilities in DNS and mail are likely to be discovered. It is important to upgrade these and other vulnerable services when bugs are discovered in order to protect not only our own systems, but those of others, too.
To your safe computing,