NIST unveils tool to foil attacks via DNS
Recent exploits aimed at compromising specific hosts
- By Dan Campbell
- Mar 25, 2008
Network researchers at the National Institute of Standards and
Technology (NIST) have unveiled a method that federal systems
administrators can use to protect their systems from increasingly
complex attacks launched via the Domain Name System (DNS) of the
Internet and private IP networks.
DNS has long been a critical function of the Internet and
private IP networks, but one that tended to operate somewhat
incognito. That may be changing as more complex network attacks
targeted at DNS emerge.
In a recently published paper, authors Scott Rose and Anastase
Nakassis, writing under the auspices of NIST and the Homeland
Security Department's Science and Technology Directorate, contend
that DNS security extensions (DNSSEC) originally intended to
protect DNS zone data contain an unintended side effect that
facilitates an attack precursor called 'zone enumeration.'
Attackers use DNSSEC responses to determine the Resource Records
(RR) in a DNS zone, and then launch attacks more quickly against
specific hosts in the zone. The attack potential gets worse when
DNS host names give hints to the content, application or operating
system, and consequently the vulnerabilities, that reside on the
hosts. Rose and Nakassis added that the security or privacy
concerns of intercepting information in newer DNS RRs go beyond an
attacker simply identifying the host IP address and name.
The authors state that zone enumeration is possible without the
help of DNSSEC. They cautioned that such traditional methods often
become impractical because they rely on time-consuming or
processor-intensive brute force techniques often thwarted by
intrusion detection systems.
The authors also describe several techniques that allow networks
to reap the intended authentication and integrity benefits of
DNSSEC while 'reducing DNS information leakage.' These
techniques are important because, as DNS becomes more and more
vital to network operation, the need to protect it with techniques
offered by DNSSEC increases.
As federal agencies continue to deploy IPv6 technology, DNS will
move from its current critical-but-inconspicuous status to the
forefront, the NIST analysts said. The spread of IPv6 will generate
a demand for network protection methods that are as secure as they
are robust. The enormous IPv6 address size makes memorization
impractical and address-to-hostname mapping vital, Internet
specialists agree. Address subnet scanning becomes all but
impossible in the IPv6 environment. As a result, DNS zone data
becomes much more desirable to intercept and decipher as a prelude
to launching an attack.
The techniques described by the NIST scientists likely hold
forth the promise of improving DNSSEC authentication and integrity
protection, so as to shield DNS zones and foil attempts to