Recent additions to the world’s most popular DNS server help to insure that DNS spoofing-based attacks will become a thing of the past. Find out how to beef up security on your network.
Like most Internet protocols, the Domain Name System (DNS) began its life without many built-in security mechanisms. DNS is, after all, a global, public naming service, so you don’t normally care who queries your name server for data in the zones that you are responsible for maintaining.
The Unix world (including Linux) generally used BIND, the Berkeley Internet Name Domain software, to handle the resolution of domain names to IP addresses (and vice versa). Microsoft has its own implementation of a domain name server, first included in Windows NT 4.0 and now shipped in Windows 2000. While neither BIND nor the Microsoft DNS Server were particularly secure, BIND was open source and evolved quickly to include new security mechanisms for countering the malicious attacks that became more prevalent when DNS’s vulnerabilities were realized.
One of those security mechanisms, first introduced in BIND 8.2, was TSIG (Transaction Signatures). Later, Microsoft released Windows 2000, which uses a dialect of TSIG to secure dynamic updates between Windows 2000 clients and name servers. (Unfortunately, this isn’t a dialect spoken by BIND yet, and it’s not clear which version will support it. For more information on running BIND in a mixed environment, see the article “The Ties That BIND” (http://www.linux-mag.com/2001-03/bind_01.html) in the March 2001 issue of Linux Magazine.) BIND 9 supports TSIG even more completely, allowing administrators to secure almost any communication between two name servers. The techniques in this…
Please log in to view this content.
Not Yet a Member?
Register with LinuxMagazine.com and get free access to the entire archive, including:
