T 3.104 Incorrect configuration of a DNS server

Security-critical default settings that are left unchanged, security-critical settings that the administrator has set incorrectly, and other configuration errors may cause a DNS server to stop functioning properly, so that its availability is restricted. Incorrect configurations also make attacks on the availability and integrity of the DNS server easier. The following aspects are particularly important for a security-critical configuration:

DNS servers with superuser rights

Operating a DNS server process with superuser (root) rights makes attacks on the IT system far more effective. If an attacker succeeds in compromising the DNS server process, for example through a vulnerability in the server software, he/she obtains the rights of that process. With root rights he/she can access all other processes on this computer and use it as a base for compromising other computers in the network. If the process runs under an unprivileged account instead, a successful attack is initially confined to the rights of that account.

Recursive requests

There are two types of requests to a DNS server: iterative and recursive. For an iterative request, a DNS server answers only with the information it holds itself, that is, the data of the zones for which it is responsible; otherwise it refers the requester to another DNS server. This behaviour corresponds to an advertising (authoritative) DNS server. For a recursive request, a DNS server answers every request completely; this corresponds to a resolving DNS server. If the resolving DNS server does not hold the information itself, it sends requests of its own to other DNS servers until it has obtained the desired information. If a resolving DNS server is configured in such a manner that it accepts recursive requests without any restrictions, the resulting increase in load can significantly impair the availability of the server. "Without any restrictions" in this case means that the resolving DNS server accepts recursive requests both from the internal LAN and from the Internet.

In addition, unrestricted recursion makes cache poisoning attacks easier, as described in T 5.78 DNS spoofing for example. In principle, cache poisoning works as follows: an attacker sends a recursive request to the resolving DNS server for domain information that this server does not have in its cache. While the server waits for the genuine answer from the responsible DNS server, the attacker tries to deliver a forged response that the resolving server accepts as valid, for which he/she has to guess the transaction ID and the source port of the outstanding query. Once accepted, the forged data stays in the cache for the lifetime of its TTL and is handed to every client of the resolver. If a resolving DNS server accepts recursive requests only from its internal network, it will not resolve the attacker's request but merely refer him/her to the next responsible DNS server; the server is then not at risk from the attack described above. If the DNS server accepts recursive requests without any restrictions, and/or if the attacker is within the company network, the server is potentially at risk.
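The following Python script is an added example; it is not part of the BSI catalogue and not the code of any DNS server. It builds a query in DNS wire format, classifies a server's reply to a recursive request sent from outside its network (open resolver or recursion refused), and shows the checks a resolver has to perform before it accepts an answer into its cache, which are exactly the checks a forged response must pass for cache poisoning to succeed. The names, addresses and packets are constructed for the example.

```python
import os
import struct

# Added, offline illustration of the recursion probe and of the checks a
# resolver makes against forged answers. Not BSI text and not the code of
# any DNS server; all packets below are constructed for the example.

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """'www.example.org' -> length-prefixed labels, terminated by a zero byte."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, recursion_desired=True, txid=None):
    """Build a query. A fresh 16-bit ID per query is the first (weak) defence
    against forged answers; a resolver must also randomise its UDP source
    port, which is a socket-layer matter not modelled here."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100 if recursion_desired else 0  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, recursion_available, rcode, answers=()):
    """Constructed reply for the example: echoes the question section of the
    query and appends A records given as (name, ttl, dotted_ipv4) tuples."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0080 if recursion_available else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b""
    for name, ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += (encode_name(name)
                + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata))
                + rdata)
    return header + query[12:] + rrs


def parse_header(msg):
    """Decode the 12-byte header: ID, the QR/RD/RA flag bits, RCODE, counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def question_section(msg):
    """Raw question section (name, qtype, qclass); tolerates a compression pointer."""
    pos = 12
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # pointer: two bytes, ends the name
            pos += 1
            break
        pos += 1 + msg[pos]
    pos += 1 + 4
    return msg[12:pos]


def classify_recursion(response):
    """For an RD=1 query sent from outside for a name the server is not
    responsible for: does the reply show that the server resolves for anyone?"""
    h = parse_header(response)
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "recursion-refused"
    return "open-resolver" if h["ancount"] > 0 else "no-data"


def response_matches_query(query, response):
    """What a resolver must check before caching: the packet is a reply, its
    ID equals that of the outstanding query, and the question is the same.
    A forged packet failing any of these is dropped, so the attacker must
    guess the ID (and the source port) to poison the cache."""
    q, r = parse_header(query), parse_header(response)
    return (r["qr"] and not q["qr"] and r["id"] == q["id"]
            and question_section(query) == question_section(response))


if __name__ == "__main__":
    q = build_query("www.example.org", txid=0x1234)
    reply = build_response(q, True, RCODE_NOERROR, [("www.example.org", 300, "192.0.2.10")])
    print(classify_recursion(reply), response_matches_query(q, reply))
```

In a real probe the query would be sent with a UDP socket to the server under test from an address outside its network; a reply classified as "open-resolver" for a name the server is not responsible for means recursion is not restricted.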

Zone transfers

Since many network services depend on DNS, a part of the domain name space (a zone) is usually managed not by a single DNS server but by at least two. To keep these servers synchronised, so-called zone transfers are performed. If zone transfers are not restricted to the authorised DNS servers, every host that is able to send a request to the DNS server can read the complete domain information of these servers by means of a zone transfer (an AXFR request). An unauthorised zone transfer causes no direct damage to the information system, but the data obtained (host names, IP addresses and thus an overview of the network structure) facilitates later attacks.
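As an added example (not BSI text and not BIND's code), the following Python model reproduces the first-match semantics of the address match lists with which BIND restricts zone transfers (allow-transfer) and, in the same way, recursion (allow-recursion) and queries (allow-query): the list is evaluated in order, the first matching element decides, a negated element (prefixed with "!") denies, and an address matched by no element is denied. It also flags the classic mistake of a negation placed after the element that already covers it, which can never take effect. The "localhost" element is simplified here to the loopback addresses, and the addresses used are documentation ranges constructed for the example.

```python
import ipaddress

# Added model of BIND-style address match lists (allow-transfer and friends).
# Not BIND's code. Simplification: 'localhost' is the loopback range only
# (in BIND it means every address of the server's own interfaces).

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_acl(spec):
    """Parse '{ !192.0.2.13; 192.0.2.0/24; }' into an ordered list of
    (negated, [networks]) elements."""
    acl = []
    for raw in spec.strip().strip("{}").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        elem = raw.lstrip("!").strip()
        if elem == "any":
            nets = ANY
        elif elem == "none":
            nets = []
        elif elem == "localhost":
            nets = LOCALHOST
        else:
            nets = [ipaddress.ip_network(elem, strict=False)]
        acl.append((negated, nets))
    return acl


def acl_allows(acl, addr):
    """First matching element decides; a negated match denies; no match denies."""
    ip = ipaddress.ip_address(addr)
    for negated, nets in acl:
        if any(ip.version == n.version and ip in n for n in nets):
            return not negated
    return False


def unreachable_negations(acl):
    """Negated elements that can never match because an earlier positive
    element already covers them, e.g. '{ 192.0.2.0/24; !192.0.2.13; }'.
    Such a list silently allows the host it was meant to exclude."""
    shadowed = []
    for i, (negated, nets) in enumerate(acl):
        if not negated:
            continue
        for net in nets:
            for earlier_negated, earlier_nets in acl[:i]:
                if earlier_negated:
                    continue
                if any(net.version == e.version and net.subnet_of(e) for e in earlier_nets):
                    shadowed.append(str(net))
                    break
    return shadowed


if __name__ == "__main__":
    # Constructed example: the secondary servers sit in 192.0.2.0/24 except
    # one decommissioned host; only the first spelling excludes it.
    for spec in ("{ !192.0.2.13; 192.0.2.0/24; }", "{ 192.0.2.0/24; !192.0.2.13; }"):
        acl = parse_acl(spec)
        print(spec, acl_allows(acl, "192.0.2.13"), unreachable_negations(acl))
```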

Dynamic updates

Dynamic updates allow domain information to be changed in an automated manner. They play an important role in particular in connection with DHCP: if a host is assigned an IP address by the DHCP server, this assignment must also be recorded in the domain name space, and dynamic updates are one way of doing this. A misconfiguration of dynamic updates may cause the following problems:

Cryptography

Cryptography is often used to secure DNS, for example TSIG keys for authenticating zone transfers and dynamic updates, or DNSSEC for signing zone data. Errors in the configuration of the cryptographic keys, for example a key secret that differs between the two servers or a mistyped key name, result in connections being rejected or in valid data being refused as invalid.
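The following Python model is an added example for the two passages above on dynamic updates and on cryptographic keys; it is not BSI text, not the code of any DNS server, and it does not implement the TSIG wire format. It mirrors how TSIG (RFC 8945) authenticates a dynamic update, with an HMAC over the request together with key name, algorithm, signing time and fudge, and how a BIND-style update policy (grant <key> name|subdomain <name>) limits what a key may change. The key secret, the policy and the update request are constructed for the example. It shows the failure modes a misconfigured key produces: an unknown key name (BADKEY), a secret that differs between client and server (BADSIG), a clock offset beyond the fudge window (BADTIME), and a key used outside its granted scope (REFUSED).

```python
import hashlib
import hmac
import json
import time

# Added model of TSIG-authenticated dynamic updates with an update policy.
# Not BIND's or any server's code; the MAC input is a simplification of
# the TSIG digest components, not the real wire format.

ALGORITHM = b"hmac-sha256."

# Constructed server-side configuration: the key a DHCP server would use,
# and a policy in the spirit of BIND's  grant dhcp-key subdomain dyn.example.org.
KEYS = {"dhcp-key.": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")}
POLICY = [("dhcp-key.", "subdomain", "dyn.example.org.")]


def canonical(update):
    """Deterministic byte form of the update so both sides MAC the same data."""
    return json.dumps(update, sort_keys=True).encode()


def tsig_mac(secret, message, key_name, time_signed, fudge):
    """HMAC over the request plus key name, algorithm, time and fudge."""
    data = (message + key_name.lower().encode() + ALGORITHM
            + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big"))
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign_update(update, key_name, secret, now=None, fudge=300):
    """Client side: attach the TSIG-style authentication to an update."""
    t = int(time.time() if now is None else now)
    return {"update": update, "key_name": key_name, "time_signed": t,
            "fudge": fudge, "mac": tsig_mac(secret, canonical(update), key_name, t, fudge)}


def name_in_scope(name, rule, scope):
    """'name' grants exactly one name, 'subdomain' the name and everything below it."""
    name, scope = name.lower(), scope.lower()
    if rule == "name":
        return name == scope
    if rule == "subdomain":
        return name == scope or name.endswith("." + scope)
    return False


def verify_update(signed, keys, policy, now=None):
    """Server side. Returns the code the server would answer with:
    BADKEY / BADSIG / BADTIME for TSIG failures (the 'valid data refused as
    invalid' case when keys are misconfigured), REFUSED when the key is not
    allowed to touch the target name, NOERROR when the update may be applied."""
    key_name = signed["key_name"].lower()
    secret = keys.get(key_name)
    if secret is None:
        return "BADKEY"
    expected = tsig_mac(secret, canonical(signed["update"]), key_name,
                        signed["time_signed"], signed["fudge"])
    if not hmac.compare_digest(expected, signed["mac"]):
        return "BADSIG"
    t = int(time.time() if now is None else now)
    if abs(t - signed["time_signed"]) > signed["fudge"]:
        return "BADTIME"
    target = signed["update"]["name"]
    if not any(k == key_name and name_in_scope(target, rule, scope)
               for k, rule, scope in policy):
        return "REFUSED"
    return "NOERROR"


if __name__ == "__main__":
    # Constructed update: the DHCP server registers a freshly leased host.
    update = {"zone": "dyn.example.org.", "name": "host1.dyn.example.org.",
              "type": "A", "rdata": "192.0.2.10"}
    signed = sign_update(update, "dhcp-key.", KEYS["dhcp-key."])
    print(verify_update(signed, KEYS, POLICY))
    print(verify_update(sign_update(update, "dhcp-key.", b"wrong-secret"), KEYS, POLICY))
```

The order of the checks matters: the key is looked up and the MAC verified before the policy is consulted, so an unauthenticated or wrongly signed request never reaches the point where it could change the zone, and a correctly signed request from a key granted only a subdomain cannot alter names outside it.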