
Notes:


The Domain Name System (DNS) is the core directory service for the Internet. Clients and servers generally place great trust in the information it provides. For example, the Berkeley r-commands trust certain hostnames without need for further authentication. When a packet is received by one of these services, the IP address is checked; this may involve a reverse DNS lookup to determine the hostname. The hostname is then compared with the trusted hostnames stored in tables. DNS can normally be trusted; however, on some implementations it is possible to load the cache with bogus entries. These will be used in preference to the information provided by the real server. Of course, DNS should ignore any information that it hasn’t specifically requested.
DNS can also cause problems when implementing client security. An interesting bug was discovered by the Princeton team researching Java applet security. To avoid Trojan horses, Java will only permit an applet to connect to the originating Web server and generally does not allow local reading or writing to disk. However, the IP address of the originating server is found by looking up the hostname used in the original request. This lookup will refer back to the hacker’s DNS server, where the hacker can put an entry giving the IP address of an internal system. The applet can then connect directly to this internal system.
These attacks are prevented by double reverse lookups. The hostname or IP address is resolved, the result is resolved back in the opposite direction, and the two are checked to make sure they correspond.
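The double reverse lookup for the r-commands case (IP address to hostname, then hostname back to IP address), as an added example that is not part of the original notes. The function names, the trusted-host set and the sample records are assumptions made for illustration; the resolver functions are injectable so the check can be run offline against the constructed data.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; returns candidate hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:          # no PTR record or resolver failure
        return []
    return [name, *aliases]

def system_forward(hostname):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def verified_hostname(ip, trusted, reverse=system_reverse, forward=system_forward):
    """Return the trusted hostname for ip only when the PTR name also
    resolves forward to the same address; otherwise return None."""
    addr = ipaddress.ip_address(ip)
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        if name not in trusted:
            continue
        if addr in {ipaddress.ip_address(a) for a in forward(name)}:
            return name
    return None

# Constructed sample data (documentation address ranges, not real hosts).
# 203.0.113.66 has a PTR record claiming a trusted name, but the forward
# zone for that name does not list the address, so the claim is rejected.
PTR = {"192.0.2.10": ["trusted.example.com."],
       "203.0.113.66": ["trusted.example.com."]}
A = {"trusted.example.com": {"192.0.2.10"}}
TRUSTED = {"trusted.example.com"}

def sample_reverse(ip):
    return PTR.get(ip, [])

def sample_forward(name):
    return A.get(name, set())

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66", "198.51.100.7"):
        print(ip, "->", verified_hostname(ip, TRUSTED, sample_reverse, sample_forward))
```

A service that trusts hostnames would accept a connection only when `verified_hostname` returns a name, treating a missing PTR record and a mismatched forward lookup the same way: as untrusted.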
DNS also provides a rich source of information about internal systems. The WKS and HINFO records give useful details about services and operating systems. This information is valuable when exploiting implementation bugs and for social engineering. DNS servers can be queried recursively (nslookup provides the ls command for this purpose) or by zone transfers. It is therefore essential to run separate internal and external servers. The external server should only provide limited information about the bastion hosts.