DNS: Definitely Not Safe?

Security of DNS servers is an issue for network operators, thus pertaining to NANOG on-topics. This article shows a security-officer view of the recent DNS attacks.

"Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors."

MARLON BORBA wrote:

Security of DNS servers is an issue for network operators, thus pertaining to NANOG on-topics. This article shows a security-officer view of the recent DNS attacks.

"Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors."

I am not shure wether the author isn't walking beside his shoes.

DNS is like a telephone book.

Yes it is dangerous to have your telephone number listed in
a publicly available book. We should forbid telephone books
and the world would me much safer?

If you are afraid of people using axfr to slave a nameserver
then dont publish it. Use /etc/hosts not DNS and best dont
tell anybody your ip-address.

In some places (Africa ?) root-servers may be difficult to
see, so why not clone them and have the root on your local
network? If they are attacked again - no problem. Your
personal root-server will survive at least a month without
them. Of course you need axfr transfers to do that.

I dont know how you can use axfr transfers to DoS somebody
else but yourself. It is a tcp connection after all. You
need to be connected. Overloading electricity supply like
the NSA tries to do is a lot more efficent.

Rests recursive nameservers, resolvers. Yes, that could
help. Forbid all publicly available resolvers including
those of your ISP then attackers, mostly running windows
in their botnets will not find their targets any longer.

The big problem is IT-personal relying on windows for
their backbones. You cannot help them, only an attack
can.

I remember companies used to run their own internal
nameservers. Why dont they do it any longer? DNS has
become so much more relyable that they dont need to.

Kind regards
Peter and Karin

a message of 21 lines which said:

Security of DNS servers is an issue for network operators, thus
pertaining to NANOG on-topics. This article shows a security-officer
view of the recent DNS attacks.

It may be on-topic but it is full of FUD, mistakes and blatant
b...t. Certainly not the recommended reading for the sysadmin.

The best stupid sentence is the one asking firewalls in front of the
DNS servers... to prevent tunneling data over DNS!

bortzmeyer@nic.fr (Stephane Bortzmeyer) writes:

It may be on-topic but it is full of FUD, mistakes and blatant
b...t. Certainly not the recommended reading for the sysadmin.

i think you're being way to kind here.

The best stupid sentence is the one asking firewalls in front of the
DNS servers... to prevent tunneling data over DNS!

just as the most common lie told by spammers is "dear friend", so it is
that the biggest error in this piece is in the first sentence:

  When it comes to the Web's domain name system (DNS),

this guy was probably writing netware-vs-smb comparisons during the two
decades that the internet existed before the web came along. the web is
an internet application, and the dns is part of the internet, not part of
the web. the rest of the article is equally horrific in its maltreatment
and ignorance of facts.

It's an article in a CxO type magazine.... did anyone really expect
anything better?

-Jim P.