In this paper we shall examine some of the most basic threats to the Domain Name
System as it exists today and, where possible, suggest best practices that
should be observed to eliminate or, at worst, lessen the impact of potential
threats. We limit our discussion to solutions that reflect relatively
simple changes that administrators can make without drastically overhauling their
existing infrastructure, although we touch briefly on DNSSEC and next-generation
solutions merely to note that they exist.
We will not focus on implementation problems with particular instances of DNS
servers/daemons but instead spend our time discussing practical security threats
inherent to the architecture itself. Accordingly, we will leave exploitation
of buffer overflow vulnerabilities in certain versions of a very popular name
server daemon out of scope for this discussion. Such security hazards are extremely
well documented elsewhere.