S 4.96 Deactivating DNS

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

An Internet server normally does not need DNS (Domain Name System) in order to provide information, unless e-mail is sent via the server, which is not advisable anyway (see also S 4.97 One service per server). On most web servers, DNS is used only to record the names of computers in the log files instead of their IP addresses. The conversion of IP addresses to computer names can also be performed later, when the log files are analysed. Handling the log files is slightly more difficult in this case, but the trustworthiness of the logged data increases, because the assignment between a given IP address and a computer name is neither unique nor static. Not using DNS also provides additional protection against DNS spoofing (see S 5.59 Protection against DNS spoofing in authentication mechanisms) and often improves the performance of the Internet server.
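The deferred conversion described above, as an added example that is not part of the original safeguard text: the server logs only the client IP, and the analyst resolves names afterwards, keeping the IP as the authoritative record and marking a name as confirmed only when its forward lookup maps back to the same address (forward-confirmed reverse DNS, which goes beyond what the text states). The log lines, the lookup tables and the function names are constructed for illustration.

```python
import re
import socket
from typing import Optional

# Constructed sample lines in Common Log Format: the server wrote the client IP only.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [10/Oct/2000:13:56:01 +0000] "GET /admin HTTP/1.0" 403 199',
    '203.0.113.9 - - [10/Oct/2000:13:57:12 +0000] "GET /robots.txt HTTP/1.0" 200 68',
]

# Constructed DNS answers so the example runs offline; a real analysis run would
# pass the socket-based resolvers below instead (on the analysis host, never on
# the live Internet server).
REVERSE_TABLE = {"192.0.2.10": "www.example.org", "198.51.100.7": "mail.example.net"}
FORWARD_TABLE = {"www.example.org": {"192.0.2.10"}, "mail.example.net": {"203.0.113.5"}}

def table_reverse(ip: str) -> Optional[str]:
    return REVERSE_TABLE.get(ip)

def table_forward(name: str) -> set:
    return FORWARD_TABLE.get(name, set())

def dns_reverse(ip: str) -> Optional[str]:
    """PTR lookup; None if no name is registered for the address."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(name: str) -> set:
    """A/AAAA lookup; empty set if the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def annotate(lines, reverse=table_reverse, forward=table_forward):
    """Return (ip, name, confirmed) per log line. The IP stays the record of
    truth; the name is an annotation, trusted only if forward(name) contains ip."""
    out = []
    for line in lines:
        m = LOG_IP.match(line)
        if not m:
            continue  # not a client line in the expected format, skip
        ip = m.group(1)
        name = reverse(ip)
        confirmed = name is not None and ip in forward(name)
        out.append((ip, name, confirmed))
    return out
```

A mismatch such as 198.51.100.7 above, whose PTR name does not resolve back to that address, is exactly the case where a name written into the log at connection time would have been misleading.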

The following scenarios point out the possible negative effects of DNS:

An attacker possesses his/her own domain containing a test PC. This test PC is simultaneously also the DNS server for this domain. Using the test PC, the attacker establishes a connection to an Internet server. At the start of the connection request, the Internet server only knows the IP address of the test PC and tries to obtain the computer name of the test PC via DNS. To this end, the operating system must establish a connection to a DNS server, which in turn must obtain the data from the test PC, since the test PC is also the DNS server for the attacker's domain. In this case, instead of replying to the DNS server of the Internet server, the attacker can send any reply directly to the Internet server itself (using IP spoofing, see T 5.78 DNS spoofing). This way, the attacker is able to send data not only to the actual DNS server, but also directly to the Internet server. Any existing errors in the Internet server's operating system could be exploited this way.

Note: If only a certain domain is allowed to access a web server, for example only the *.de domain, it is necessary to use DNS. However, such access protection is very weak and therefore not recommended.

Review questions: