T 2.152 Lack of, or inadequate, planning of the use of DNS
If the use of DNS is not planned, or is planned inadequately, problems and security gaps can result during live operation. Numerous network services and applications require DNS in order to function properly. For example, a sending mail server needs DNS to find out the IP address of the recipient's e-mail server (via the MX record of the recipient's domain). If the DNS servers are not accessible, these services cannot be used or can only be used to a limited extent. In the worst case, a security gap caused by poor planning can result in the DNS servers themselves becoming compromised.
DNS server infrastructure
The availability and performance of DNS servers depend, amongst other things, on how they are distributed in the network. Problems which might arise from planning the infrastructure inadequately include:
- Incorrect arrangement of DNS servers:
Generally, when a domain name is registered, at least two servers acting as advertising DNS servers (see S 2.450 Introduction to DNS basics) for this domain must be specified. If both advertising DNS servers are located in the same network segment, the failure of the gateway connecting this segment with the rest of the network can cause name resolution for the entire domain to fail. Ultimately, this means that services such as web servers, e-mail and even remote administration access can no longer be reached.
- Long response times:
If the capacity of the advertising and/or resolving DNS servers (see S 2.450 Introduction to DNS basics) or the bandwidth of the network has not been dimensioned sufficiently, long response times or timeouts often result. If network traffic is not prioritised, unimportant traffic that is not time-critical can consume an excessive share of the bandwidth.
- Distance:
The more network components lie between a DNS server and the requesting hosts, the more often the packets must be processed on the way. This increases the response time and places unnecessary load on the network.
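The first point, advertising DNS servers that all sit behind one gateway, can be checked mechanically. The following Python script is an added example written for this page and is not part of the BSI text: the server lists are constructed samples (in practice they would be taken from the domain's NS and A/AAAA records, for instance the output of `dig +short NS example.org`), and the /24 and /48 prefix lengths are an assumption standing in for "network segment".

```python
"""Check whether a domain's advertising (authoritative) DNS servers share one
network segment.  Added example for this page, not BSI text: the server lists
below are constructed, and in practice they would come from the domain's NS
and A/AAAA records (e.g. the output of `dig +short NS example.org`)."""
import ipaddress
from collections import defaultdict

# Constructed sample: both advertising servers behind the same gateway (/24),
# the situation described in the threat text.
SAME_SEGMENT = [
    ("ns1.example.org", "192.0.2.10"),
    ("ns2.example.org", "192.0.2.11"),
]

# Constructed sample: servers spread over distinct networks and address families.
DIVERSE = [
    ("ns1.example.org", "192.0.2.10"),
    ("ns2.example.net", "198.51.100.7"),
    ("ns3.example.org", "2001:db8:1::53"),
]


def segment_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to the network segment it belongs to.

    The prefix lengths are an assumption of this example; substitute the real
    subnet mask (or a site/AS identifier) where it is known."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def check_ns_diversity(servers, v4_prefix=24, v6_prefix=48):
    """Return a list of findings; an empty list means no problem was detected.

    servers: iterable of (hostname, ip) pairs for the advertising servers."""
    findings = []
    servers = list(servers)
    if len(servers) < 2:
        findings.append(f"only {len(servers)} advertising server(s) configured")

    # Group the servers by the segment their address falls into.
    by_segment = defaultdict(list)
    for name, ip in servers:
        by_segment[segment_of(ip, v4_prefix, v6_prefix)].append(name)

    # Two or more servers that all resolve to one segment share one gateway.
    if len(servers) >= 2 and len(by_segment) == 1:
        segment, names = next(iter(by_segment.items()))
        findings.append(
            f"all {len(names)} servers share network segment {segment}: "
            + ", ".join(names)
        )
    return findings


if __name__ == "__main__":
    for label, servers in (("same segment", SAME_SEGMENT), ("diverse", DIVERSE)):
        result = check_ns_diversity(servers)
        print(f"{label}: {result or 'OK'}")
```

Run against the real NS set of a domain, the check only flags the structural single point of failure discussed above; it says nothing about whether the servers are also in separate autonomous systems or data centres, which a thorough plan would consider as well.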
Unsuitable DNS server software
Outdated and/or insufficiently tested software often contains known vulnerabilities that can be exploited by attackers or by malicious software (malware). The risk of successful attacks thus increases significantly.
In addition, problems can occur if the same software is used for all DNS servers. If, in this case, one DNS server is compromised due to a software vulnerability, the same gap can be exploited on every other DNS server. If an information system instead uses different DNS server software products, there is a risk of them only being compatible with each other to a limited extent, and the time and effort required for administration increases.
DNS servers and security gateways
The planning of the DNS servers affects the configuration of security gateways and packet filters. If the rules allowing DNS traffic in the network are defined too generously (for example, permitting any internal host to query arbitrary DNS servers on the Internet directly), this may make an attack possible under certain circumstances. If, however, the rules are formulated too restrictively, legitimate clients may be unable to send requests to the DNS servers and are impaired when using services such as e-mail, FTP or the like.
Division of the name space
The domain information in the name space of an information system reveals the structure of the internal network (host names, addresses and often the roles of systems). Frequently, it is not desired to make all of this information accessible to the general public. For this purpose, the name space can be divided into an internal area (served by the resolving DNS servers) and a publicly accessible area (served by the advertising DNS servers), an arrangement also known as split DNS. If such a division is not taken into account when planning the use of DNS, problems as described in T 5.154 DNS information leakage may arise.
Cryptography
DNS can be protected using cryptographic mechanisms, for example TSIG (Transaction SIGnature, which authenticates transactions between servers such as zone transfers and dynamic updates using a shared secret) and DNSSEC (DNS Security Extensions, which signs zone data). As with any cryptographic application, the keys are secret material: the shared secret in the case of TSIG, the private zone signing keys in the case of DNSSEC. If these keys are disclosed, the mechanisms no longer provide any protection. If the planning does not include clear rules as to the extent to which cryptography is to be used, this lack of clarity can, amongst other things, cause the following problems:
- The field of application of the individual mechanisms such as TSIG and DNSSEC was not specified. Thus, it is not clear whether, and if so between which partners, unprotected DNS communication (for example zone transfers or dynamic updates without TSIG) is permitted.
- The access rights to the files containing the cryptographic keys are defined too generously, so that every user logged in on the computer can read and even modify the files.
- The exchange of the keys was not planned; as a result, the keys are transmitted over unprotected network connections.
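The second problem in this list can be caught by a simple audit of the key files. The following Python script is an added example for this page, not BSI text and not part of any DNS product: it parses a BIND-style TSIG `key` statement and reports file permissions that let other local users read the shared secret, a secret shorter than the algorithm's output, and algorithms that this example's policy (an assumption) treats as weak. The key file is constructed in a temporary location so the script runs offline; in practice `audit_key_file` would be pointed at the real key files.

```python
"""Audit a BIND-style TSIG key file for over-generous access rights and a weak
or inconsistent key.  Added example for this page, not BSI text; the key
statement is constructed and the policy thresholds are assumptions."""
import base64
import os
import re
import stat
import tempfile

# Output size in bytes of the HMAC algorithms defined for TSIG (RFC 8945).
# Assumption of this example: the secret should be at least that long.
ALG_DIGEST_BYTES = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha224": 28,
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}
# Algorithms this example's policy rejects for new deployments (assumption).
WEAK_ALGS = {"hmac-md5", "hmac-sha1"}

# Matches:  key "name" { algorithm hmac-sha256; secret "base64..."; };
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r"algorithm\s+(?P<alg>[\w-]+)\s*;\s*"
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE | re.DOTALL,
)


def parse_key_statement(text):
    """Return (name, algorithm, base64 secret) from a key statement."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    return m.group("name"), m.group("alg").lower(), m.group("secret")


def audit_key_file(path):
    """Return a list of findings for one key file; empty means no problem found."""
    findings = []

    # Access rights: anything beyond the owner's bits exposes the secret.
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"mode {stat.S_IMODE(st.st_mode):04o}: readable or writable by group/others"
        )

    with open(path) as f:
        name, alg, secret = parse_key_statement(f.read())

    if alg not in ALG_DIGEST_BYTES:
        findings.append(f"{name}: unknown algorithm {alg}")
        return findings
    if alg in WEAK_ALGS:
        findings.append(f"{name}: weak algorithm {alg}")
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:
        findings.append(f"{name}: secret is not valid base64")
        return findings
    if len(raw) < ALG_DIGEST_BYTES[alg]:
        findings.append(
            f"{name}: secret is {len(raw)} bytes, shorter than the "
            f"{alg} output of {ALG_DIGEST_BYTES[alg]} bytes"
        )
    return findings


def write_sample(mode, alg="hmac-sha256", secret_bytes=32):
    """Demo helper: write a constructed key file with the given permission bits."""
    secret = base64.b64encode(os.urandom(secret_bytes)).decode()
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as f:
        f.write(f'key "xfer.example.org" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};\n')
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed cases: the generous world-readable file the text warns about,
    # and a correctly protected one.
    for label, path in (("bad", write_sample(0o644, alg="hmac-md5", secret_bytes=16)),
                        ("good", write_sample(0o600))):
        print(label, audit_key_file(path) or "OK")
```

The permission check looks only at the mode bits; on a system where the key file's owner is not the account the DNS server runs as, or where ACLs are in use, the audit would need to be extended accordingly.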
Examples:
- In 2001, the domain of a large software company was practically brought to a standstill for several hours. The cause was a distributed denial-of-service attack on the router that connected all of the domain's DNS servers with the Internet. All DNS-based communication with the domain stopped. Only computers whose resolvers had cached the required domain information could still establish a connection.