NIST unveils tool to foil attacks via DNS

Recent exploits aimed at compromising specific hosts

Network researchers at the National Institute of Standards and
Technology (NIST) have unveiled a method that federal systems
administrators can use to protect their systems from increasingly
complex attacks launched via the Domain Name System (DNS) of the
Internet and private IP networks.

DNS has long been a critical function of the Internet and
private IP networks, but one that tended to operate somewhat
incognito. That may be changing as more complex network attacks
targeted at DNS emerge.

In a recently published paper, authors Scott Rose and Anastase
Nakassis, writing under the auspices of NIST and the Homeland
Security Department's Science and Technology Directorate, contend
that the DNS security extensions (DNSSEC), originally intended to
protect DNS zone data, have an unintended side effect that
facilitates an attack precursor called 'zone enumeration.'

Attackers use DNSSEC responses to determine the Resource Records
(RR) in a DNS zone, and then launch attacks more quickly against
specific hosts in the zone. The attack potential gets worse when
DNS host names hint at the content, application or operating
system, and consequently the vulnerabilities, that reside on the
hosts. Rose and Nakassis added that the security or privacy
concerns of intercepting information in newer DNS RRs go beyond an
attacker simply identifying a host's IP address and name.

The authors state that zone enumeration is possible without the
help of DNSSEC. They cautioned that such traditional methods often
become impractical because they rely on time-consuming or
processor-intensive brute force techniques often thwarted by
intrusion detection systems.

The authors also describe several techniques that allow networks
to reap the intended authentication and integrity benefits of
DNSSEC while 'reducing DNS information leakage.' These
techniques are important because, as DNS becomes more and more
vital to network operation, the need to protect it with techniques
offered by DNSSEC increases.
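The two passages above describe the mechanism only in outline: a DNSSEC response that denies a name's existence names the real records on either side of it, and the paper's counter-measures 'reduce DNS information leakage' without this article saying how. The following Python model, added here as an illustration and not code from the Rose and Nakassis paper or from NIST, runs the whole exchange against a constructed in-memory zone: it builds the plain NSEC chain, shows what one negative answer exposes and what following the chain recovers, and then contrasts it with NSEC3 (RFC 5155), the hashed-owner-name record that is one widely deployed answer to the problem. The zone contents, salt and iteration count are constructed sample values; no DNS traffic is sent.

```python
"""DNSSEC denial-of-existence leakage: plain NSEC versus NSEC3 (RFC 5155).
Added illustration, not code from the NIST paper. Everything runs on a
constructed in-memory zone; no DNS queries are sent anywhere."""
import base64
import hashlib

# Constructed sample zone. The host names deliberately hint at their role,
# which is what makes leaking them valuable to an attacker.
SAMPLE_ZONE = [
    "example.com",
    "www.example.com",
    "mail.example.com",
    "db-oracle.example.com",
]

def canonical_key(name):
    """Sort key approximating RFC 4034 canonical order: labels compared
    right to left, case-insensitively (ASCII labels only)."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def build_nsec_chain(names):
    """NSEC chain as (owner, next owner) pairs in canonical order; the last
    record wraps around to the zone apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def covering_record(chain, key, qkey):
    """Record whose owner < query < next (under `key`), including the
    wrap-around record whose next endpoint is smaller than its owner."""
    for owner, nxt in chain:
        lo, hi = key(owner), key(nxt)
        if lo < qkey < hi or (hi <= lo and (qkey > lo or qkey < hi)):
            return owner, nxt
    return None

def nsec_denial(chain, qname):
    """The NSEC record a server hands back to deny `qname`. Both endpoints
    are real owner names from the zone."""
    return covering_record(chain, canonical_key, canonical_key(qname))

def walk_nsec_chain(chain, apex):
    """Every owner name an observer can reconstruct by following NSEC next
    pointers from the apex until the chain wraps: zone enumeration."""
    next_of, found, cur = dict(chain), [], apex
    while True:
        found.append(cur)
        cur = next_of[cur]
        if cur == apex:
            return found

def wire_name(name):
    """Canonical wire format: length-prefixed lowercase labels, root last."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` more
    rounds of SHA-1(previous || salt). Returns the raw 20-byte digest."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def to_base32hex(digest):
    """Base32hex (RFC 4648 section 7), the encoding of NSEC3 owner names."""
    std = base64.b32encode(digest).decode("ascii")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()

def build_nsec3_chain(names, salt, iterations):
    """NSEC3 chain ordered by hash value, so the next pointer no longer
    says which real name comes next."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)])
            for i in range(len(hashes))]

def nsec3_denial(chain, qname, salt, iterations):
    """The NSEC3 record covering `qname`, as a pair of base32hex owner names."""
    rec = covering_record(chain, lambda d: d, nsec3_hash(qname, salt, iterations))
    return to_base32hex(rec[0]), to_base32hex(rec[1])

def exposed_names(record, zone_names):
    """Real zone names that appear verbatim in a denial record."""
    return {n for n in zone_names if n in record}

if __name__ == "__main__":
    nsec = build_nsec_chain(SAMPLE_ZONE)
    rec = nsec_denial(nsec, "nonexistent.example.com")
    print("NSEC denial:", rec, "exposes", sorted(exposed_names(rec, SAMPLE_ZONE)))
    print("Chain walk recovers:", walk_nsec_chain(nsec, "example.com"))
    salt, iters = bytes.fromhex("aabbccdd"), 12   # constructed parameters
    nsec3 = build_nsec3_chain(SAMPLE_ZONE, salt, iters)
    rec3 = nsec3_denial(nsec3, "nonexistent.example.com", salt, iters)
    print("NSEC3 denial:", rec3, "exposes", sorted(exposed_names(rec3, SAMPLE_ZONE)))
```

A single NSEC answer for the made-up name `nonexistent.example.com` returns `mail.example.com` and `www.example.com`, and repeating the query along the chain recovers the whole zone, including the `db-oracle` host the article's warning is about. The NSEC3 answer for the same query returns two hashed owner names and none of the real ones; what it still gives away is the count of names and material for offline guessing, which is why the hashing is only a reduction of leakage rather than a cure.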

As federal agencies continue to deploy IPv6 technology, DNS will
move from its current critical-but-inconspicuous status to the
forefront, the NIST analysts said. The spread of IPv6 will generate
a demand for network protection methods that are as secure as they
are robust. The enormous IPv6 address size makes memorization
impractical and address-to-hostname mapping vital, Internet
specialists agree. Address subnet scanning becomes all but
impossible in the IPv6 environment. As a result, DNS zone data
becomes much more desirable to intercept and decipher as a prelude
to launching an attack.

The techniques described by the NIST scientists hold out the
promise of improving DNSSEC authentication and integrity
protection, so as to shield DNS zones and foil attempts to
compromise data.

Reader Comments

Sat, Mar 7, 2009 Kevin

If the government really wants to use its massive resource of people to protect its data, we need to stop talking symbolic lingo, and move more towards the actual understanding of what the electrical signals are doing. The OSI layer model is an example of where reality separates from symbolism. (A huge mistake.) There are no layers, but pulses that control communications. A burst is positive, no burst is negative. It is the number of bursts that tell hardware when to open a switch and let the signals in. If we keep going out into a land of symbolism, and the attackers are looking at the physical reality, we will lose the battle. The data presentation, etc. needs to go in the trash. It only confuses as it has nothing to do with reality.
