The soft chewy center of the Internet
DNS Attacks

Are your systems secure against DNS attacks? We'll show you why they matter and help you determine whether you are vulnerable.
Like most of the original protocols on which the Internet is based, the original design decisions that led to their popularity and success are now coming back to haunt us with security problems.
Keep in mind that when the Internet was originally created, it was a relatively small, well-connected community. Security was not particularly high on the list of concerns – just getting it to work and do useful things was amazing enough.
Why DNS Attacks Matter
As I'm sure you know, DNS provides one of the fundamental infrastructure services on the Internet – specifically, the translation of human-readable names such as http://www.linux-magazine.com to an IP address such as 80.237.227.148.
This service is important because it allows a static name to be registered, but the underlying service(s) can be at arbitrary locations and can be created or moved easily. For example, I outsourced my email for seifried.org to Google's Gmail.
DNS Dependent
Thus, you rely on DNS almost every time you use another protocol or service, including email, the web, instant messaging clients, VOIP, etc. If attackers could initiate hostile actions, such as redirecting http://www.your-bank.com to their server, they would be able to execute any number of attacks, such as spoofed web sites, reading your incoming and outgoing email, and so forth.
Why DNS Is Fast (and Insecure)
One of the best decisions was to make DNS an extremely lightweight and fast protocol. The majority of requests and replies use the UDP protocol, which is stateless and similar to sending an SMS text message. (Larger replies might result in a TCP-based session.)
So, you are limited in how much data you can send, and you won't know whether the remote end receives it or replies; you're just left waiting for a reply.
A UDP packet is about as simple as it gets – you have the basic address information (source and destination IP address and ports) and packet information (packet type, length, checksum, data).
UDP has no significant security mechanism to ensure that the packet came from the machine it claims to be from or that it is part of a legitimate transaction, which is good for speed.
If you fire off a query, you just hope a reply gets sent back, allowing DNS servers to handle high volumes of requests. In fact, in 2007, it was on the order of 4 billion requests per day for root-level servers.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
News
-
Titan Linux is a New KDE Linux Based on Debian Stable
Titan Linux is a new Debian-based Linux distribution that features the KDE Plasma desktop with a focus on usability and performance.
-
Danielle Foré Has an Update for elementary OS 7
Now that Ubuntu 22.04 has been released, the team behind elementary OS is preparing for the upcoming 7.0 release.
-
Linux New Media Launches Open Source JobHub
New job website focuses on connecting technical and non-technical professionals with organizations in open source.
-
Ubuntu Cinnamon 22.04 Now Available
Ubuntu Cinnamon 22.04 has been released with all the additions from upstream as well as other features and improvements.
-
Pop!_OS 22.04 Has Officially Been Released
From the makers of some of the finest Linux-powered desktop and laptop computers on the market comes the latest version of their Ubuntu-based distribution, Pop!_OS 22.04.
-
Star Labs Unveils a New Small Format Linux PC
The Byte Mk I is an AMD-powered mini Linux PC with Coreboot support and plenty of power.
-
MX Linux Verison 21.1 “Wildflower” Now Available
The latest release of the systemd-less MX Linux is now ready for public consumption.
-
Microsoft Expands Their Windows Subsystem for Linux Offerings With AlmaLinux
Anyone who works with Windows Subsystem for Linux (WSL) will now find a new addition to the available distributions, one that’s become the front-runner replacement for CentOS.
-
Debian 11.3 Released wIth Numerous Bug and Security Fixes
The latest point release for Debian Bullseye is now available with some very important updates.
-
The First Alpha of Asahi Linux is Available
Asahi Linux is the first distribution to fully support Apple Silicon and is now available for testing.