BRKSEC-2071 Securing DNS Wednesday, February 1: 08:45
This was an excellent presentation mainly because there were hardly any PowerPoint slides shown, though 90 are available for review and download. It was also very brave of the presenter to demonstrate live an attack against DNS, which clearly demonstrated the issues discussed in the session.
The issue is that, by design, DNS is insecure and is a semi-forgotten service in the network. What an attacker can do is poison a client's DNS cache. It is difficult just to wait for a client to issue a DNS request and then spoof the answer; instead, an attacker can force a DNS server to carry out a recursive lookup for a fake site and then answer with a CNAME in DNS as a proxy for any site.
This means blasting the DNS server with all the port combinations and message IDs. In the demo it took seconds; under worst-case scenarios it could take only 11 hours. The important aspect is that it can be done regardless.
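The resolver-side checks that make this race hard to win, as an added Python example that is not from the session or its slides: a reply is cached only if its transaction ID and question section match the query the resolver actually sent, and only records inside the bailiwick of the zone the server was asked about are kept, so a guessed ID gets one chance per packet and the "CNAME for any site" payload is dropped even when the guess lands. The zone names and the sample replies are constructed; source-port randomisation is the same idea applied at the UDP layer and is assumed to be checked before this code runs.

```python
import struct

def read_name(msg, off):  # decode a name at off, following compression pointers -> (name, next_off)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:            # pointer: jump, but remember where this field ended
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), end or off

def parse_message(msg):  # -> (txid, flags, [(qname, qtype)], [(owner, rtype)])
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                        # qtype + qclass
    for _ in range(an + ns + ar):       # answer, authority and additional sections
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((name, rtype))
        off += 10 + rdlen
    return txid, flags, questions, records

def accept_response(msg, sent_txid, sent_qname, zone):
    """Checks a resolver makes before caching a reply to the query it sent to zone's name server."""
    txid, _, questions, records = parse_message(msg)
    if txid != sent_txid:
        return False, "transaction id mismatch: guessed id did not match"
    if questions != [(sent_qname.lower(), 1)]:
        return False, "question section differs from what was asked"
    for owner, _ in records:            # bailiwick rule: only cache data this server is authoritative for
        if owner != zone and not owner.endswith("." + zone):
            return False, f"out-of-bailiwick record for {owner} dropped"
    return True, "accepted"

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def make_response(txid, qname, answers):  # constructed sample reply; answers = [(owner, rtype, rdata)]
    hdr = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    rrs = b"".join((b"\xc0\x0c" if o == qname else encode_name(o)) + struct.pack("!HHIH", t, 1, 300, len(d)) + d for o, t, d in answers)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + rrs
```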
The solution is signing, ideally at all levels of the DNS hierarchy. This solution is called DNSSEC. It is only until recently that this has been undertaken, and to date it is nowhere near fully adopted. For example, Cisco do not sign at the com level.
Other issues discussed were DoS attacks. DNS requests are small, typically 60 bytes; replies can be on the order of 68 times larger, achieved through spoofing.
Supporting links: Register with Cisco Live 2012; it's free and gives you access to all the PDFs.