In this paper we shall examine some of the most basic threats to the domain name system as it exists today, and make suggestions where possible to reflect best practices that should be observed to eliminate, or at worst, lessen the impact of potential threats. We limit our discussion to solutions that reflect relatively simple changes that administrators can make without drastically overhauling their existing infrastructure, although we touch briefly on DNSSEC and next-generation solutions merely to note that they exist.

We will not focus on implementation problems with particular instances of DNS servers/daemons but instead spend our time discussing practical security threats inherent to the architecture itself. Accordingly, we will leave exploitation of buffer overflow vulnerabilities in certain versions of a very popular name server daemon out of scope for this discussion. Such security hazards are extremely well documented elsewhere.

This document is in pdf format. To view it click here.