How to Secure Your Network from Kaminsky's DNS Cache Poisoning Flaw - Page 2

DNS security starts with the DNS server

The DNS server is best equipped to deal with DNS threats since it is where all the DNS intelligence resides. The following are four capabilities that are necessary to protect the DNS. It is worth investigating the capabilities of your DNS server to make certain all of these defenses are available and enabled.

Defense No. 1: UDP source port randomization (UDP SPR) was specified by key DNS vendors as the initial response to the Kaminsky attack. Randomizing the UDP source port used in a query makes it harder for an attacker to guess the query parameters in a fake answer. Although UDP SPR is a useful defense, there is widespread concern that it is not an adequate long-term response to cache poisoning.

In addition, Network Address Translation (NAT), firewalls, load balancers and potentially other devices in the network may de-randomize UDP source ports, thus rendering this protection less effective. For these reasons, it is essential that other defenses are available and enabled.

Defense No. 2: A secure mode of DNS operation when a potential attack is detected is another useful defense. The DNS server should be able to switch from a UDP to a TCP connection when mismatched query parameters are observed (a sign an attack may be underway). This allows an attacker only one chance to send a fake DNS answer for each fake DNS question, which both slows the progress of an attack and significantly reduces the probability of success (potentially by hundreds of times).

Defense No. 3: The single most important defense provides protection when an attacker gets lucky and correctly guesses query parameters, thus beating other defenses. This defense screens DNS query responses and discards potentially harmful information in the response, such as additional information that delegates DNS answers to a server that is controlled by the attacker. This protects the DNS server in ways a firewall, IPS or any other external device cannot.

Defense No. 4: The last defense to enable is alerting IT of unusual DNS activity and providing specific details so remedial action can be taken.
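The following is an added illustration, not code from the article or from any DNS vendor's product: a simplified resolver front-end that models Defenses 2, 3 and 4 on constructed responses. It assumes a toy record format and a fixed mismatch threshold for the TCP switch (real servers parse wire-format DNS and tune this differently).

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str   # owner name of the record
    rtype: str  # "A", "NS", ...
    data: str

@dataclass
class DnsResponse:
    txid: int        # transaction ID echoed from the query
    dst_port: int    # UDP port the response was sent to (the query's source port)
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies under it (case-insensitive, trailing dot ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

class ScreeningResolver:
    """Hypothetical cache front-end: checks query parameters, screens records, records alerts."""
    def __init__(self, tcp_threshold=3):
        self.cache = {}            # (name, rtype) -> data, filled from answer sections only
        self.mismatches = 0        # responses whose txid/port matched no outstanding query
        self.tcp_threshold = tcp_threshold
        self.use_tcp = False       # Defense 2: flips on once spoofing is suspected
        self.alerts = []           # Defense 4: messages an operator would receive

    def screen(self, txid, port, zone, resp):
        # Defense 2: a response not matching the outstanding query is discarded; a run of them moves to TCP
        if resp.txid != txid or resp.dst_port != port:
            self.mismatches += 1
            if self.mismatches >= self.tcp_threshold and not self.use_tcp:
                self.use_tcp = True
                self.alerts.append(f"{self.mismatches} mismatched responses while resolving {zone}: switching to TCP")
            return None
        # Defense 3: delegation/glue data is kept only inside the queried zone and never overrides cached answers
        kept = DnsResponse(resp.txid, resp.dst_port, list(resp.answer))
        for section, rrs in (("authority", resp.authority), ("additional", resp.additional)):
            for rr in rrs:
                key = (rr.name, rr.rtype)
                if not in_bailiwick(rr.name, zone):
                    self.alerts.append(f"dropped out-of-bailiwick {rr.rtype} {rr.name} from {section} section")
                elif key in self.cache and self.cache[key] != rr.data:
                    self.alerts.append(f"dropped {section} {rr.rtype} {rr.name} conflicting with cached data")
                else:
                    getattr(kept, section).append(rr)
        for rr in kept.answer:       # only answer-section data populates the cache
            self.cache[(rr.name, rr.rtype)] = rr.data
        return kept
```

Even when a forged response matches the transaction ID and port (the "attacker gets lucky" case), glue that conflicts with an already cached answer or sits outside the queried zone is discarded and reported rather than cached.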