S 5.59 Protection against DNS spoofing in authentication mechanisms
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
DNS spoofing becomes a threat to authentication wherever authentication is based on a computer name rather than on an address. Such an attack should be made more difficult by one (or a combination) of the following configuration settings:
1. IP addresses should be used, not host names.
2. If host names are used, they should all be resolved locally (entries in the file /etc/hosts).
3. If host names are used but cannot be resolved locally, all names should be resolved directly by a DNS server that acts as primary or secondary (i.e. authoritative) server for them, so that it holds the names permanently rather than in a temporary cache.
Option 1 provides the highest security, option 3 the least. The aim of the above configuration settings is to protect the assignment between IP addresses and computer names against manipulation. If name resolution cannot be performed directly, so that a cache is interposed, then under no circumstances should host-based access be allowed via a host name.
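The following audit script is an added example and not part of the IT-Grundschutz catalogue. It classifies each entry of a host-based authentication list according to which of the three options above it satisfies: an IP literal (option 1), a name that resolves from /etc/hosts (option 2), or a name that still requires a DNS lookup and therefore must either be served by an authoritative server (option 3) or be removed. The hosts-file contents, the trusted-host list and the host names in it are constructed sample data; the script performs no network lookups, so option 3 cannot be verified offline and such entries are only flagged for manual follow-up.

```python
import ipaddress

# Constructed sample /etc/hosts content (not read from any real system).
SAMPLE_HOSTS_FILE = """\
127.0.0.1   localhost
192.0.2.10  fileserver.example.internal fileserver   # comment is ignored
192.0.2.11  backup.example.internal
"""

# Constructed sample of trusted hosts as they might appear in a
# hosts.equiv-style host-based authentication configuration.
SAMPLE_TRUSTED_HOSTS = [
    "192.0.2.10",
    "fileserver",
    "backup.example.internal",
    "printserver.example.internal",
]


def parse_hosts_file(text):
    """Return a mapping of lower-cased name -> IP from /etc/hosts-style text.

    Comments (after '#') and blank lines are skipped; the first mapping for a
    name wins, mirroring the way resolvers read the file top to bottom.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def classify_entry(entry, local_table):
    """Classify one trusted-host entry by the S 5.59 option it satisfies."""
    try:
        ipaddress.ip_address(entry)          # accepts IPv4 and IPv6 literals
        return "option1-ip-literal"
    except ValueError:
        pass
    if entry.lower() in local_table:
        return "option2-local-hosts"
    # Not resolvable without DNS: acceptable only if an authoritative
    # (primary/secondary) server answers for it (option 3); otherwise remove it.
    return "needs-dns-check"


def audit(trusted_hosts, hosts_file_text):
    """Map every trusted-host entry to its classification."""
    local_table = parse_hosts_file(hosts_file_text)
    return {entry: classify_entry(entry, local_table) for entry in trusted_hosts}


if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_TRUSTED_HOSTS, SAMPLE_HOSTS_FILE).items():
        print(f"{entry:32} {verdict}")
```

On a real system the script would be fed the contents of /etc/hosts and the actual host-based authentication list; every entry reported as `needs-dns-check` answers the review question above in the negative until it is converted to an address, added to /etc/hosts, or confirmed to be resolved by an authoritative server.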
Review questions:
- Has it been ensured that no host names are used in host-based authentication mechanisms?