DNSSEC: Security for Essential Network Services: Page 4
What Can I Do Now?
You can turn on DNSSEC today if you have BIND 9. You need to distribute the keys to your upstream provider (provided they support it as well). The majority of the implementations so far have been on military networks, so you are unlikely to have access to those servers. There are things you can do in the meantime to minimize your vulnerability to attack while the top-level Internet community finalizes the specifications and works out the deployment bugs.
Cricket Liu has created a handy checklist to help you:
- Get educated -- buy one of the many good books on DNS or take a class on DNS
- Review your name servers' configurations and the contents of your zones
- Use publicly available tools such as dnswalk
- Eliminate single points of failure in your DNS infrastructure
- Make sure your name servers are authoritative for the reverse mapping zones that correspond to all of your networks
- Minimize the burden you place on "high-level" name servers (such as the roots)
- If you use RFC 1918 address space, set up the corresponding zones on your name servers
- Make sure your firewalls allow DNS messages from port 53 to high-numbered ports on your name servers, or you won't get responses
- If you use Active Directory or Windows 2000/Windows XP's network registration features, make sure that your dynamic update and query traffic remain local
- Your name servers must be authoritative for a zone with the same name as the name of your Active Directory domain
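One way to script three of the checklist items (reviewing zone configuration, being authoritative for the reverse-mapping zones of every network, and setting up zones for RFC 1918 space), as an added example that is not from the article or from Cricket Liu's list: it derives the in-addr.arpa zones each network needs and reports those a BIND named.conf does not declare authoritatively. The configuration fragment and the network list are constructed for illustration, and the parser assumes plain zone stanzas with no nested braces.

```python
import ipaddress
import re

# Constructed named.conf fragment (hypothetical file) used as sample input.
SAMPLE_NAMED_CONF = """
zone "example.com" { type master; file "db.example.com"; };
zone "16.172.in-addr.arpa" { type master; file "db.172.16"; };
zone "1.168.192.in-addr.arpa" { type master; file "db.192.168.1"; };
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; };
zone "." { type hint; file "named.root"; };
"""
# Constructed list of the networks this site uses, RFC 1918 space included.
NETWORKS = ["192.168.1.0/24", "172.16.0.0/12", "10.0.0.0/8", "203.0.113.0/26"]
# One zone stanza; assumes no nested braces (such as also-notify { }) inside.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{([^}]*)\}', re.S)

def authoritative_zones(conf):
    """Zones this server is authoritative for (master/slave); hint, stub
    and forward zones do not count."""
    zones = set()
    for name, body in ZONE_RE.findall(conf):
        if re.search(r'\btype\s+(master|slave|primary|secondary)\s*;', body):
            zones.add(name.lower().rstrip('.'))
    return zones

def reverse_zones(network):
    """Octet-aligned in-addr.arpa zones covering an IPv4 network: a /8 or
    /24 needs one zone, a /12 needs sixteen /16 zones, and anything longer
    than /24 lives inside its enclosing /24 zone."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    bits = ((net.prefixlen + 7) // 8) * 8   # round up to a whole octet
    zones = []
    for sub in net.subnets(new_prefix=bits):
        octets = str(sub.network_address).split('.')[:bits // 8]
        zones.append('.'.join(reversed(octets)) + '.in-addr.arpa')
    return zones

def missing_reverse_zones(conf, networks):
    """Reverse zones needed for `networks` that `conf` does not declare; a
    zone for an enclosing block (16.172.in-addr.arpa) also covers 1.16.172."""
    have = authoritative_zones(conf)
    missing = []
    for network in networks:
        for zone in reverse_zones(network):
            if not any(zone == h or zone.endswith('.' + h) for h in have):
                missing.append(zone)
    return missing
```

Running `missing_reverse_zones(SAMPLE_NAMED_CONF, NETWORKS)` against the sample lists the 10/8 zone, the /24 zone for 203.0.113.0/26 and fifteen of the sixteen /16 zones under 172.16/12, which is exactly what the checklist asks you to go and set up.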
In today's ultra-security-conscious environment, an inherent security vulnerability is an open invitation to intrusions from harmless -- and not so harmless -- hackers. DNS has been a potential security hole since it was first developed and widely deployed, long before anyone took network and computer security seriously, but until recently not much had been done to patch the vulnerabilities in DNS. The IETF's new DNSSEC standard is the first step in the long process toward completely securing DNS, and it should help improve the overall security of the Internet if its problems with trust, lack of tools, and packet size can be overcome.
- http://www.dnssec.net/ - The official DNSSEC website, with all the resources on this subject in a nicely organized fashion
- http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dns-threats-02.txt - A recent analysis of the security threats against DNS
- http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-intro-05.txt - The IETF draft of the DNSSEC protocol
- http://www.isc.org/products/BIND/bind-security.html - A list of the known vulnerabilities in BIND and their patches
- http://www.cert.org/advisories/CA-2002-19.html - Buffer overrun vulnerabilities and patches
- http://www.icann.org/committees/security/dns-security-update-1.htm - ICANN committee report on DNS vulnerabilities
- http://cyber.law.harvard.edu/icann/mdr2001/archive/pres/lewis.html - Paper on DNS security vulnerabilities