In the hierarchical structure of the Internet, DNS servers can be called nerve centres on which the operation of the whole Internet directly depends. What can threaten their "health"? What can put them out of action? And can DNS servers be protected at all? Before answering these questions, let's look at what DNS servers actually do. In a few words, their main job is translating domain names into IP addresses and back. This means a server must accept requests, process them and send responses. A DNS server keeps data about the names it is responsible for, and when it cannot answer on its own it passes the request on to a server higher up in the hierarchy. That is enough to see what dangers DNS servers potentially face.
The first threat is attacks on the server itself, whether by malware or by sheer volume of traffic. An infection may lead to disastrous consequences: data leakage, destruction of all the information, destruction of the server software, or simply a server so swamped that it cannot process all the incoming requests. The best-known example of the latter case is the distributed denial-of-service attack on the root DNS servers in October 2002, which was a packet flood rather than a virus. The attack left 7 of the 13 root servers unresponsive, and the operation of the whole Internet was under threat of stopping. It was performed by flooding the 13 servers that hold the delegations for the top-level domains (.com, .org, etc.) with ICMP packets. When the attack was over, experts said that if it had continued for more than 10 hours, Internet users would have seen a significant slowdown and then even a suspension of service.
Why can an attack on the root servers have such serious consequences? The reason is the hierarchical structure of DNS. A request goes first to the local (recursive) server. If that server has no cached answer, it has to walk down the hierarchy, starting with the root servers whenever it does not yet know which servers are responsible for the top-level domain in question. Furthermore, every record a server caches has a limited time to live (TTL), and when a record expires the server must fetch it again from the authoritative servers higher up. The records the root servers hand out (which servers are responsible for .com, .org and so on) carry TTLs of about two days, so a resolver needs the root only occasionally. This explains why, if the root servers are disabled, the Internet keeps working for a while on cached data but then stops as those cached delegations expire one by one.
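A small simulation of the reasoning above, as an added example that is not part of the original article. The Go program models a recursive resolver whose delegation cache honours TTLs; the zone and server names are constructed, and the TTLs (2 days for the .com delegation, 1 hour for example.com.) are chosen to resemble real ones. It shows that with every root server unreachable, names still resolve until the cached .com delegation expires, after which resolution fails.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Delegation data for a toy hierarchy: the servers for each zone and the TTL
// (seconds) of that NS record set. Server names are placeholders constructed
// for the example; the root entry serves as the built-in root hints.
var zones = map[string]struct {
	servers []string
	ttl     int
}{
	".":            {[]string{"a.root-servers.net"}, 518400},
	"com.":         {[]string{"a.gtld-servers.net"}, 172800},
	"example.com.": {[]string{"ns1.example.com"}, 3600},
}

type cacheEntry struct {
	servers []string
	expires int // simulated clock value at which the entry becomes stale
}

// Resolver is a toy recursive resolver with a TTL-bounded delegation cache.
type Resolver struct {
	now         int
	RootUp      bool // set to false to simulate an outage of all root servers
	RootQueries int  // how often the root was actually contacted
	cache       map[string]cacheEntry
}

func NewResolver() *Resolver {
	return &Resolver{RootUp: true, cache: map[string]cacheEntry{}}
}

// Advance moves the simulated clock forward by d seconds.
func (r *Resolver) Advance(d int) { r.now += d }

// parent returns the enclosing zone: "example.com." -> "com.", "com." -> ".".
func parent(zone string) string {
	i := strings.Index(zone, ".")
	if i < 0 || i == len(zone)-1 {
		return "."
	}
	return zone[i+1:]
}

// ask simulates sending a query to zone's servers; only the root can be down.
func (r *Resolver) ask(zone string) error {
	if zone == "." {
		r.RootQueries++
		if !r.RootUp {
			return errors.New("root servers unreachable")
		}
	}
	return nil
}

// delegation returns the NS set for zone: from the cache while its TTL has not
// run out, otherwise re-learned from the parent zone's servers.
func (r *Resolver) delegation(zone string) ([]string, error) {
	if zone == "." {
		return zones["."].servers, nil // root hints are built into the resolver
	}
	if e, ok := r.cache[zone]; ok && r.now < e.expires {
		return e.servers, nil
	}
	p := parent(zone)
	if _, err := r.delegation(p); err != nil { // find the parent's servers ...
		return nil, err
	}
	if err := r.ask(p); err != nil { // ... and ask them for this zone's NS records
		return nil, err
	}
	z, ok := zones[zone]
	if !ok {
		return nil, fmt.Errorf("no delegation for %s", zone)
	}
	r.cache[zone] = cacheEntry{z.servers, r.now + z.ttl}
	return z.servers, nil
}

// Resolve walks the delegation chain for a host name and returns the
// authoritative server that would finally be asked for its address record.
func (r *Resolver) Resolve(name string) (string, error) {
	ns, err := r.delegation(parent(name))
	if err != nil {
		return "", err
	}
	return ns[0], nil
}

func main() {
	r := NewResolver()
	fmt.Println(r.Resolve("www.example.com.")) // ns1.example.com, root contacted once
	r.RootUp = false                            // every root server goes dark
	r.Advance(3601)                             // example.com. NS expired, com. still cached
	fmt.Println(r.Resolve("www.example.com.")) // still works: only the .com servers are needed
	r.Advance(172800)                           // now the com. delegation has expired too
	fmt.Println(r.Resolve("www.example.com.")) // error: root servers unreachable
}
```

The interesting line is the second Resolve: the root is already down, yet the lookup succeeds because the resolver only has to re-learn the example.com. delegation from the .com servers it still has cached. Only when that cached .com delegation ages out does the resolver need the root again, and then everything under .com becomes unreachable.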
The second threat is false DNS data: forged responses and rogue DNS servers set up by attackers. The attackers may pursue different objectives, but the gist is always the same: to make a real server give wrong answers or to block it. The victims of such attacks are DNS servers as well as end users. If an attacker succeeds in feeding a host counterfeit DNS information, the host will send its data to a counterfeit IP address. At best the end user is unable to browse the Web or use Internet services; at worst, confidential data from the host is sent to the attacker's server. A resolver's first line of defence is to accept a reply only if it matches the query it actually sent; proof that the data itself is genuine requires DNSSEC, discussed below.
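The matching checks a resolver performs before it trusts a reply, as an added example that is not part of the original article. It is written in Go against hand-built DNS messages: the packet builder, the server address 192.0.2.53 and the transaction ID 0x1a2b are constructed for the example, and a real resolver would pick the ID and the UDP source port at random. The checks are the ones RFC 5452 describes: the reply must come from the server that was queried, carry the same transaction ID, be flagged as a response, and repeat the same question.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Pending records what the resolver sent and where, so an incoming reply can
// be matched against it. Values here are fixed for the example; a real
// resolver randomises the ID and the source port so they are hard to guess.
type Pending struct {
	ID     uint16
	Name   string // question name, e.g. "www.example.com."
	QType  uint16 // 1 = A
	Server string // "ip:port" the query was sent to
}

// encodeName converts "www.example.com." into DNS label wire form.
func encodeName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b = append(b, byte(len(l)))
		b = append(b, l...)
	}
	return append(b, 0)
}

// BuildMessage builds a minimal DNS message with one question and no answers;
// response selects the QR bit. Used to construct the query and both the
// genuine and the forged replies (constructed test data, no network involved).
func BuildMessage(id uint16, name string, qtype uint16, response bool) []byte {
	var buf bytes.Buffer
	flags := uint16(0x0100) // RD
	if response {
		flags |= 0x8000 // QR
	}
	for _, v := range []uint16{id, flags, 1, 0, 0, 0} { // ID, flags, QD/AN/NS/AR counts
		binary.Write(&buf, binary.BigEndian, v)
	}
	buf.Write(encodeName(name))
	binary.Write(&buf, binary.BigEndian, qtype)
	binary.Write(&buf, binary.BigEndian, uint16(1)) // class IN
	return buf.Bytes()
}

// decodeName parses an uncompressed label sequence starting at off and
// returns the name and the offset just past its terminating zero byte.
func decodeName(msg []byte, off int) (string, int, error) {
	var labels []string
	for off < len(msg) && msg[off] != 0 {
		n := int(msg[off])
		if n&0xC0 != 0 || off+1+n > len(msg) {
			return "", 0, errors.New("bad or truncated label")
		}
		labels = append(labels, string(msg[off+1:off+1+n]))
		off += 1 + n
	}
	if off >= len(msg) {
		return "", 0, errors.New("truncated name")
	}
	return strings.Join(labels, ".") + ".", off + 1, nil
}

// AcceptResponse returns nil only if the reply came from the server that was
// queried and its ID and question match the outstanding query. Anything else
// is dropped as a probable forgery instead of being cached.
func AcceptResponse(p Pending, from string, msg []byte) error {
	if from != p.Server {
		return fmt.Errorf("reply from %s, but the query went to %s", from, p.Server)
	}
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) != 1 {
		return errors.New("short header or not exactly one question")
	}
	id, flags := binary.BigEndian.Uint16(msg[0:2]), binary.BigEndian.Uint16(msg[2:4])
	if flags&0x8000 == 0 {
		return errors.New("QR bit clear: this is a query, not a response")
	}
	if id != p.ID {
		return fmt.Errorf("transaction ID %#04x does not match %#04x", id, p.ID)
	}
	name, off, err := decodeName(msg, 12)
	if err != nil || off+4 > len(msg) {
		return errors.New("malformed question section")
	}
	qtype := binary.BigEndian.Uint16(msg[off : off+2])
	if !strings.EqualFold(name, p.Name) || qtype != p.QType { // names compare case-insensitively
		return fmt.Errorf("question %s/%d does not match %s/%d", name, qtype, p.Name, p.QType)
	}
	return nil
}

func main() {
	p := Pending{ID: 0x1a2b, Name: "www.example.com.", QType: 1, Server: "192.0.2.53:53"}
	genuine := BuildMessage(0x1a2b, "www.example.com.", 1, true)
	fmt.Println(AcceptResponse(p, "192.0.2.53:53", genuine))                                       // <nil>
	fmt.Println(AcceptResponse(p, "192.0.2.53:53", BuildMessage(0x1a2c, "www.example.com.", 1, true))) // ID mismatch
	fmt.Println(AcceptResponse(p, "198.51.100.9:53", genuine))                                     // wrong source
}
```

These checks only raise the bar: an attacker who can guess both the transaction ID and the source port, or who sits on the path between resolver and server, can still slip a forged reply in. They tell the resolver nothing about whether the data is true, which is what the signature scheme in the next section adds.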
How can DNS servers be protected from remote attacks? Of course, absolute protection does not exist, but the possible effect can be diminished. One of the options is to provide authentication and integrity for the information kept in DNS. To solve this problem the DNS protocol has been extended; the extensions are called DNSSEC and were first described in RFC 2535, RFC 2536, RFC 2537, RFC 2541 and RFC 3008 (RFC 2535 has since been superseded by RFC 4033, RFC 4034 and RFC 4035). The main idea of DNSSEC is to apply a digital signature to the DNS data itself; the IETF created a DNSSEC Working Group to develop the concept. Verifying a DNSSEC signature requires only the zone's public key, which is published in DNS as a DNSKEY record, while the private key stays with the zone operator. This sidesteps the otherwise unsolvable problem of distributing a secret among all the DNS servers on the Internet. Note what DNSSEC does not do: it proves that data is authentic and unmodified, but it does not encrypt DNS traffic, so queries and answers remain visible on the wire. There is also a price for the security: a significant increase in the size of every signed zone and of its responses, and higher CPU requirements for signing on the authoritative side and for signature verification on the resolver side.
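How signing and verifying a record set works, as an added illustration that is not code from the article or from any DNSSEC implementation. It uses Go's standard crypto/ecdsa on the P-256 curve that DNSSEC algorithm 13 uses, but simplifies the encoding: a real RRSIG covers the wire-format RRset and carries an r||s signature, whereas this example signs a text-form canonical rendering and uses an ASN.1-encoded signature. The zone example.com., the addresses and the timestamps are constructed sample data. The point to watch is that VerifyRRset touches only the public key, and that a rewritten address or an expired signature is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record in presentation form (sample data is constructed).
type RR struct {
	Owner string // e.g. "www.example.com."
	TTL   uint32
	Type  string // "A", "AAAA", "MX", ...
	Data  string // rdata in text form
}

// RRSIGMeta is the part of an RRSIG record that is covered by the signature
// together with the RRset: covered type, signing zone and validity window.
type RRSIGMeta struct {
	TypeCovered string
	Signer      string // zone apex, e.g. "example.com."
	Inception   uint32 // Unix time
	Expiration  uint32
}

// canonical builds the bytes that get signed: the RRSIG metadata followed by
// the RRset in canonical form (owner names lowercased, records sorted), so
// signer and verifier agree however the records were ordered or cased in
// transit. RFC 4034 does this over wire format; text form is a simplification.
func canonical(meta RRSIGMeta, rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\tIN\t%s\t%s",
			strings.ToLower(rr.Owner), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	hdr := fmt.Sprintf("%s\t%s\t%d\t%d\n", meta.TypeCovered,
		strings.ToLower(meta.Signer), meta.Inception, meta.Expiration)
	return []byte(hdr + strings.Join(lines, "\n"))
}

// SignRRset is the zone operator's side: only the holder of the zone's private
// key can produce the signature that is published next to the RRset.
func SignRRset(priv *ecdsa.PrivateKey, meta RRSIGMeta, rrs []RR) ([]byte, error) {
	h := sha256.Sum256(canonical(meta, rrs))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyRRset is the validating resolver's side: rebuild the canonical form
// from the records received and check the signature with the public key (the
// zone's DNSKEY). No secret is involved, so nothing secret has to be shipped.
func VerifyRRset(pub *ecdsa.PublicKey, meta RRSIGMeta, rrs []RR, sig []byte, now uint32) bool {
	if now < meta.Inception || now > meta.Expiration {
		return false // outside the validity window: stale or replayed signature
	}
	h := sha256.Sum256(canonical(meta, rrs))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// DemoResult reports what a resolver would conclude in four situations.
type DemoResult struct {
	Genuine, Reordered, Tampered, Expired bool
}

// Demo signs a constructed A RRset with a fresh P-256 key and verifies it
// as-is, reordered, with one address rewritten, and after the signature expired.
func Demo() (DemoResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	meta := RRSIGMeta{TypeCovered: "A", Signer: "example.com.", Inception: 1700000000, Expiration: 1701000000}
	rrs := []RR{
		{"WWW.example.com.", 3600, "A", "192.0.2.10"},
		{"www.example.com.", 3600, "A", "192.0.2.11"},
	}
	sig, err := SignRRset(priv, meta, rrs)
	if err != nil {
		return DemoResult{}, err
	}
	pub, now := &priv.PublicKey, uint32(1700500000)
	forged := []RR{rrs[0], {"www.example.com.", 3600, "A", "203.0.113.66"}} // attacker rewrites one address
	return DemoResult{
		Genuine:   VerifyRRset(pub, meta, rrs, sig, now),
		Reordered: VerifyRRset(pub, meta, []RR{rrs[1], rrs[0]}, sig, now),
		Tampered:  VerifyRRset(pub, meta, forged, sig, now),
		Expired:   VerifyRRset(pub, meta, rrs, sig, 1702000000),
	}, nil
}

func main() {
	fmt.Println(Demo()) // {true true false false} <nil>
}
```

The validity window is not decoration: without it an attacker could keep replaying an old, correctly signed RRset long after the zone operator changed the records, which is why real RRSIGs carry inception and expiration times and why zones have to be re-signed periodically (one of the operational costs mentioned above).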
Another option is the use of dedicated hardware and software, including:
- Network traffic encryptors
- Hardware and software firewalls
- Secure network cryptographic protocols
- Intrusion detection systems (IDS)
- Security analysis (vulnerability scanning) software
- Hardened network operating systems
Whatever method or combination of methods a network administrator chooses, it is extremely important to monitor DNS servers for uptime and security holes. One of the easiest ways to keep track of a DNS server is a hosted DNS monitoring service, which a number of commercial companies offer.
___
1 Response
I could live at this site. You have so much information. Thanks.
Posted on February 19th, 2010 at 2:03 am