Additional defenses with routers, firewalls and IPS
In the first step of the Kaminsky attack, fake questions are sent to a caching server. To succeed at sending fake questions, an attacker needs to spoof an address on the enterprise network. Firewalls and routers can be configured to provide excellent protection against external users spoofing an internal IP address. Keep the following in mind:
1. Be sure to configure the firewall rules, router Access Control Lists (ACLs) or Reverse Path Forwarding (RPF) check to prevent external users from spoofing an internal IP address. This will block external users from initiating internal, recursive DNS queries.
2. Another important consideration is verifying that firewalls in the path of the DNS server do not de-randomize the UDP source ports used in DNS queries coming from the caching DNS server out to the Internet. There may be configuration options on the firewall or it may be necessary to contact the vendor. This is important because one of the defenses against the Kaminsky attack relies on random UDP source ports.
IPS is another important part of the security equation and provides an additional layer of defense. IPS looks at application data flows and detects threats based on algorithms that detect anomalous behaviors and send alerts.
3. Sending multiple fake responses to the caching name server will increase the chances of a successful cache poisoning attack. IPS signatures can detect anomalous DNS packet rate behavior, and vendors are responding with features that will make it simple to implement such signatures. This will regulate the number of fake response packets to the DNS server.
4. Both firewalls and IPS should be configured to send alerts to a Security Information and Event Management (SIEM) server or management server when they see multiple fake responses from a single source to a DNS query. This will help in alerting and remediation against cache poisoning attacks.
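The check described in items 3 and 4, as an added example that is not taken from any vendor's IPS: it flags a source that presents many different DNS transaction IDs for the same name within a short window and emits one JSON line per alert for a SIEM. The event layout, the rule name and the thresholds (more than 5 distinct IDs in 1 second) are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter, defaultdict, deque

def detect_response_floods(events, window=1.0, max_txids=5):
    """Flag (source, qname) pairs showing more than max_txids distinct
    transaction IDs in responses within any `window`-second span."""
    by_pair = defaultdict(list)
    for ts, src, txid, qname in sorted(events):
        # Normalize case and trailing dot so one name is one bucket.
        by_pair[(src, qname.lower().rstrip("."))].append((ts, txid))
    alerts = []
    for (src, qname), recs in by_pair.items():
        win, seen, peak = deque(), Counter(), 0
        for ts, txid in recs:
            win.append((ts, txid))
            seen[txid] += 1
            while ts - win[0][0] > window:      # expire responses outside the window
                _, old = win.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))         # most distinct IDs seen at once
        if peak > max_txids:
            alerts.append({"rule": "dns-response-flood", "source": src,
                           "qname": qname, "distinct_txids": peak,
                           "responses": len(recs), "window_s": window})
    return alerts

def to_siem_line(alert):
    """Serialize an alert as one JSON line for forwarding to a SIEM."""
    return json.dumps(alert, sort_keys=True)

# Constructed sample events (not real traffic): (time, source, txid, qname)
SAMPLE = [
    (100.00, "198.51.100.7", 0x1A2B, "www.example.com"),
    (100.05, "198.51.100.7", 0x1A2B, "www.example.com"),   # retransmit, same ID
    (101.20, "198.51.100.7", 0x77F0, "mail.example.com"),
] + [(102.0 + i * 0.001, "203.0.113.9", i, "WWW.example.com.") for i in range(200)]

if __name__ == "__main__":
    for a in detect_response_floods(SAMPLE):
        print(to_siem_line(a))
```

A retransmitted answer reuses its transaction ID, so it does not count toward the threshold; only a spread of different IDs for one name does.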
Properly implementing a defense-in-depth approach that includes a combination of firewalls, IPS and intelligent DNS servers with layers of defense will provide total protection against DNS cache poisoning.