Keeping DNS Info from the Hands of Attackers


The Domain Name Service (DNS) has been an essential part of the World Wide Web since its inception, and it has increasingly become a repository for all kinds of data that support applications. Some DNS resource record (RR) types store host secure shell (SSH) key hashes; other RR types identify the mail servers for a domain.


And the more data a system holds, the more hackers want to get at it.


Recent additions to the DNS protocol that provide authentication with public keys and hashes, commonly known as the DNS security extensions (DNSSEC), have sweetened the pot for aspiring intruders.


The technical paper Minimizing Information Leakage in the DNS, from the National Institute of Standards and Technology, explores options for mitigating the threats implicit in the DNSSEC. The paper is available free to IT Business Edge members here in the IT Downloads library.


One option explored in the paper is the NSEC3 resource record, a variation of the original DNSSEC resource record scheme. It was developed to add some obfuscation to the domain names in the NSEC RR, making zone enumeration a more difficult task, as the figure below shows.



Its format is identical to the NSEC RR but with hashed domain names (using a one-way hash function). That way, a client can still determine that the query name does not exist (the hash of the query name falls in the span between the two hashed names provided) but does not learn any valid domain names that do exist in the zone.


The paper goes on to conclude that the most direct solution is to have the DNS server generate an NSEC RR for each negative response, shrinking the span so that only the non-existent query name is covered.
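To make the two ideas above concrete, here is an added example (not code from the NIST paper or from this post) that implements the NSEC3 owner-name hash as RFC 5155 specifies it (SHA-1 over the canonical wire-format name, with salt and iterations, base32hex output), builds a small NSEC3 chain for a constructed zone, and shows how a resolver checks that a query hash falls in a span. The `minimal_cover` function is my own illustration of the paper's "cover only the query name" conclusion, carried out in the hash space rather than in the name space the paper describes; the zone names and the NSEC3 parameters are constructed for the example.

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 extended-hex alphabet


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding (a 20-octet SHA-1 digest gives 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * ((-len(bits)) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt);
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt). Hash algorithm 1 is SHA-1."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_nsec3_chain(names, salt_hex: str, iterations: int):
    """Sort the owner hashes and link each to the next; the last record wraps
    to the first so the chain forms a closed circle over the hash space."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covering_record(chain, qhash: str):
    """Return the (owner, next) span that proves qhash does not exist, or None
    when qhash equals an owner hash, i.e. the queried name is in the zone."""
    for owner, nxt in chain:
        if owner == qhash:
            return None
        if owner < nxt:
            if owner < qhash < nxt:
                return (owner, nxt)
        elif qhash > owner or qhash < nxt:  # wrap-around record
            return (owner, nxt)
    return None


def b32hex_to_int(s: str) -> int:
    v = 0
    for ch in s:
        v = v * 32 + B32HEX.index(ch)
    return v


def int_to_b32hex(v: int, length: int = 32) -> str:
    out = []
    for _ in range(length):
        out.append(B32HEX[v % 32])
        v //= 32
    return "".join(reversed(out))


def minimal_cover(qhash: str):
    """Illustration (my construction, not the paper's NSEC method): a span
    whose bounds are the immediate neighbours of the query hash, so the
    negative answer covers only the queried name and exposes no real owner
    hash that an offline dictionary attack could later recover."""
    v = b32hex_to_int(qhash)
    return (int_to_b32hex((v - 1) % 2 ** 160), int_to_b32hex((v + 1) % 2 ** 160))


# Constructed zone and parameters for the example (not from the paper).
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example", "www.example"]
SALT, ITERATIONS = "aabbccdd", 12


def demo(query: str):
    """Return (exists, ordinary_span, minimal_span) for a query name."""
    chain = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    qhash = nsec3_hash(query, SALT, ITERATIONS)
    span = covering_record(chain, qhash)
    return (span is None, span, minimal_cover(qhash) if span else None)


if __name__ == "__main__":
    for q in ("a.example", "nope.example"):
        print(q, demo(q))
```

An ordinary NSEC3 negative answer hands the client two real owner hashes as the span bounds; that is exactly the information the paper is concerned about, since a patient client can walk the chain and test the hashes against a word list. The minimal span discloses only hashes that are one step either side of the query hash. To check the hash routine itself, compare its output with the test vectors in RFC 5155 Appendix A.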


Obviously, this is a highly technical paper. But its implications are serious. With the advent of IPv6, the data that can be found in DNS resource records are actually more important to hackers: it was a lot easier to scan IPv4 address blocks for hosts, so the distilled information in name service databases is worth going after under the new addressing scheme.

Sep 16, 2011 12:29 PM Nicolas MATA says:

Hi Ken

Just to let you know DNS is "Domain Name System" and not "Service" as mentioned in your article. Some people call DNS -> Domain name server.

I tweeted your article @domainrising



