Windows DNS Security Overview
Save the world with DNSSEC. Perhaps a little dramatic.
But consider this. InfoWorld and Computerworld blamed a recent major Distributed Denial of Service (DDoS) attack, which affected thousands of servers, computers and users, on poorly configured DNSSEC servers.
And in this article, a leader in the DNS community warns us of the perils of not updating our servers and not using DNS Security.
What is DNSSEC? Domain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated.
Why do we need to worry about deploying DNSSEC (Domain Name System Security Extensions)? Because DNS does not offer any form of security, it is vulnerable to spoofing, man-in-the-middle, and cache poisoning attacks. Attacks of this kind can compromise all future communications to the host. For this reason, it has become critical to develop a means of securing DNS.
DNSSEC fixes cache poisoning, a long-standing and potentially crippling vulnerability in the Domain Name System. Cache poisoning is inducing a name server to cache bogus resource records. Those records might map the domain name of a popular website, say www.amazon.com, to the IP address of a web server under the control of thieving hackers. That web server may serve content that is indistinguishable from Amazon's real content; in fact, it may simply proxy content from the real www.amazon.com. Unsuspecting users may enter valuable information at the impostor's website, where it is recorded and used to break into those users' accounts, run up charges, and so on.
Here is a very simple illustration of cache poisoning.
The victim sends a query to the local DNS server for the popular website www.amazon.com. The bad guy either observes or predicts the victim's query. The attacker then beats the legitimate name server to the response, sending corrupt DNS data into the server's cache, and the victim is sent to a malicious website.
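DNSSEC, described next, is the fix the lesson is building up to. On the Windows DNS server itself there are also cache settings that make the race in the illustration above much harder to win, and a way to look at what the cache currently holds. The following is an added example, not code from the lesson; it assumes an elevated PowerShell session on a Windows Server DNS server with the DnsServer module (Windows Server 2012 or later), and the amazon.com name is only the lesson's placeholder.

```powershell
# Added example (not from the lesson). Assumes an elevated PowerShell session on a
# Windows Server DNS server with the DnsServer module available.

# Show the current cache settings (LockingPercent, PollutionProtection, MaxTtl, ...)
Get-DnsServerCache

# Cache locking: a cached record cannot be overwritten for this percentage of its TTL,
# so a forged answer that arrives after the genuine one cannot replace it in the cache.
# 100 means the entry is locked for its full TTL.
Set-DnsServerCache -LockingPercent 100

# Pollution protection: discard records in a response that are outside the answering
# server's authority, the classic way a bogus www.amazon.com record is slipped in.
Set-DnsServerCache -PollutionProtection $true

# Socket pool: send queries from a pool of randomised source ports, so a forged reply
# must match the port as well as the transaction ID. This is a dnscmd setting, not a
# cmdlet; 2500 is the default on current Windows Server versions.
dnscmd /Config /SocketPoolSize 2500

# Inspect what the server currently holds for amazon.com; a poisoned entry would show up here.
Show-DnsServerCache | Where-Object { $_.HostName -like '*amazon.com*' }

# If a bogus entry is found, flush the cache so the next query goes back to the real servers.
Clear-DnsServerCache -Force
```

These settings only shrink the window in which a forged answer can land; they do not let the server prove an answer is genuine. That proof is what the signatures in the next section provide.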
How does Microsoft DNSSEC address cache poisoning?
Basically, DNSSEC addresses cache poisoning by allowing the administrators of DNS zones to digitally sign their zone data. In this way DNS servers and resolvers build a chain of trust, which lets them trust DNS responses by using the digital signatures for validation.
This illustration should clarify how Windows DNSSEC addresses cache poisoning.
A user types Usoft.com into their computer's browser. The request goes to the local DNS server, which does not have the domain name or IP address for Usoft in its local cache, so it passes the request on to the next DNS server. The ISP's DNS server can't help either, so it passes the request on to the root server, which is a DNSSEC-enabled server. The root hints server (also known as a trust anchor), the starting point of the chain, holds a key that is used to create digital signatures for the DNS data passed between servers and to the client.
The root server doesn't have the IP address or host name for usoft.com, but because the request is for a .com name, the root DNS server sends the request to the .com server, which is also DNSSEC enabled. The .com server looks in its cache and, in this case, is able to find www.Usoft.com and sends the request on to the DNSSEC-enabled Usoft.com DNS server, which sends the IP address for www.Usoft.com back to the local user.
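To see the chain of trust described above on Windows, the zone owner signs the zone and the validating resolver is given the zone's key as a trust anchor. The following is an added example, not code from the lesson or from Microsoft's documentation. It assumes two Windows Server DNS servers with the DnsServer module: DNS01 hosts a primary zone called usoft.com (the lesson's hypothetical name), and DNS02 is the resolver that will validate answers; in production the DS record for the zone would be published in the parent .com zone instead of adding the trust anchor by hand, so that the chain runs root, .com, usoft.com as the illustration shows. The SecureEntryPoint property used to pick out the Key Signing Key is an assumption about the DNSKEY record data object.

```powershell
# Added example (not from the lesson). Assumes DNS01 hosts the primary zone usoft.com
# and DNS02 is the validating resolver; run from an elevated session with the DnsServer module.
$Zone     = 'usoft.com'
$Resolver = 'DNS02'

# 1. On DNS01: create a Key Signing Key (signs the DNSKEY set; its digest becomes the DS
#    record the parent .com zone publishes) and a Zone Signing Key (signs the zone data).
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# 2. Sign the zone with those keys. Every record set now carries an RRSIG record.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force

# 3. Confirm that www.usoft.com is signed (an RRSIG should exist for the A record).
Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType Rrsig

# 4. Export the DS set for the parent zone operator (.com in the lesson). Whoever runs
#    the parent publishes this DS record, which is what links usoft.com into the chain.
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path 'C:\DnssecKeys' -DigestType Sha256 -Force

# 5. Lab shortcut: install the zone's KSK directly as a trust anchor on the resolver.
#    Assumption: the DNSKEY record data exposes SecureEntryPoint (true for the KSK).
$ksk = Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey |
       Where-Object { $_.RecordData.SecureEntryPoint }
Add-DnsServerTrustAnchor -Name $Zone -KeyProtocol Dnssec -CryptoAlgorithm RsaSha256 `
    -Base64Data $ksk.RecordData.Base64Data -ComputerName $Resolver
Get-DnsServerTrustAnchor -Name $Zone -ComputerName $Resolver

# 6. Ask the resolver with the DNSSEC OK bit set: the answer comes back with its RRSIG,
#    and DNS02 only returns it as authentic if the signature chains to the trust anchor.
Resolve-DnsName -Name "www.$Zone" -Type A -Server $Resolver -DnssecOk

# 7. On the client: require validation for this namespace so an unvalidated (possibly
#    forged) answer for usoft.com is rejected rather than used.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired
```

The point of step 5 is the trust anchor: a forged www.usoft.com answer injected into DNS02's cache carries no valid RRSIG under the anchored key, so the resolver refuses it, which is the property the lesson's illustration relies on. Step 7 closes the last gap by making the Windows client insist on validated answers for that domain instead of quietly accepting whatever the resolver returns.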