DNS security best practices to prevent DNS poisoning attacks

DNS cache poisoning is a threat to any Internet-connected enterprise. Learn how the attack method works and potential mitigation strategies in this thesis from Richard Agar of Royal Holloway University London.

Though the global reliance on the Internet might lead one to believe otherwise, the worldwide Internet infrastructure is based on some fragile foundations.

When users type in the URL of their favourite website, they expect to be taken straight to the correct server, wherever it happens to be. Translating the hostname in that URL into an IP address is the job of the Domain Name System (DNS): the user's resolver asks a chain of name servers and caches the answers it gets back. The problem is that if anyone manages to slip a forged answer into that cache -- to 'poison' it -- then users can no longer be sure they are being directed to the right website.

Read the full article, DNS security: Poisoning, attacks and mitigation (.pdf), by Richard Agar and Kenneth Paterson.

In August 2008, researcher Dan Kaminsky demonstrated that DNS resolvers could be poisoned far more easily than had been assumed: a forged reply only has to match a 16-bit transaction ID and a source port that most resolvers never varied, and by querying random names under the target domain an attacker can retry without limit and, on success, replace the cached name server records for the whole domain. The disclosure sparked debate over how the situation could be rectified. So what is to be done?
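The race Kaminsky described, as an added example that is not code from the article or the thesis: a Python model in which a toy resolver accepts the first reply matching the 16-bit transaction ID and UDP source port of its outstanding query, and an attacker floods it with forged replies carrying a bogus NS glue record for the target zone. The zone (example.com), the TEST-NET addresses, the seeds and the attacker's budget are constructed assumptions, and no packets are sent. Running it shows why the 2008 fix was to randomise the source port: the same burst of 2,000 guesses per attempt poisons the fixed-port resolver, typically within a few dozen attempts, but has a negligible chance against a resolver that picks a fresh random port for every query.

```python
"""Toy model of the 2008 Kaminsky cache-poisoning race.

Added example, not code from the article or the thesis. Nothing here touches
the network: the resolver, the attacker, the zone and the IP addresses are all
constructed for illustration.
"""
import random
from dataclasses import dataclass, field
from typing import Optional

TXID_SPACE = 1 << 16                  # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)  # ports a randomising resolver picks from
TARGET_ZONE = "example.com"           # zone the attacker wants to hijack (constructed)
ATTACKER_IP = "203.0.113.66"          # TEST-NET-3 address, constructed
LEGIT_IP = "198.51.100.10"            # TEST-NET-2 address, constructed


@dataclass
class Reply:
    qname: str
    txid: int
    dst_port: int
    records: dict  # name -> address, standing in for the answer/additional sections


@dataclass
class ToyResolver:
    """A caching resolver reduced to the two values a blind forger must guess:
    the transaction ID and the UDP source port of the outstanding query."""
    rng: random.Random
    randomise_ports: bool
    cache: dict = field(default_factory=dict)
    outstanding: Optional[tuple] = None  # (qname, txid, src_port)
    fixed_port: int = 0

    def __post_init__(self) -> None:
        # Pre-2008 resolvers typically reused one source port for every query;
        # an attacker learns it by making the resolver query a zone they control.
        self.fixed_port = self.rng.choice(EPHEMERAL_PORTS)

    def send_query(self, qname: str) -> None:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomise_ports else self.fixed_port
        self.outstanding = (qname, txid, port)

    def receive(self, reply: Reply) -> bool:
        """Accept the first reply whose (qname, txid, port) match the outstanding
        query and cache every record it carries. Real resolvers also require the
        extra records to be 'in bailiwick', which is why the attack queries names
        under the target zone and forges ns1.<zone> rather than an unrelated name."""
        if self.outstanding is None or (reply.qname, reply.txid, reply.dst_port) != self.outstanding:
            return False
        self.cache.update(reply.records)
        self.outstanding = None
        return True


def per_attempt_success(burst: int, randomise_ports: bool) -> float:
    """Probability that one burst of distinct guesses beats the genuine answer."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomise_ports else 1)
    return min(1.0, burst / space)


def kaminsky_attack(resolver: ToyResolver, rng: random.Random,
                    burst: int, max_attempts: int) -> Optional[int]:
    """Run the race until the NS glue for TARGET_ZONE is poisoned.

    Returns the attempt number that succeeded, or None. Each attempt looks up a
    fresh random name under the zone, so a lost race never has to wait for a
    cached record's TTL to expire: that is Kaminsky's key observation.
    """
    port_space = len(EPHEMERAL_PORTS) if resolver.randomise_ports else 1
    poison = {f"ns1.{TARGET_ZONE}": ATTACKER_IP}  # glue record that hijacks the zone
    for attempt in range(1, max_attempts + 1):
        qname = f"{rng.getrandbits(32):08x}.{TARGET_ZONE}"
        resolver.send_query(qname)  # e.g. triggered by an e-mail or an <img> tag
        # Flood the resolver with `burst` distinct (txid, port) guesses before
        # the genuine answer can arrive.
        for guess in rng.sample(range(TXID_SPACE * port_space), burst):
            txid, port_index = divmod(guess, port_space)
            port = EPHEMERAL_PORTS[port_index] if resolver.randomise_ports else resolver.fixed_port
            forged = Reply(qname, txid, port, {qname: ATTACKER_IP, **poison})
            if resolver.receive(forged):
                return attempt
        # The genuine answer arrives after the burst and closes the query.
        _, txid, port = resolver.outstanding
        resolver.receive(Reply(qname, txid, port, {qname: LEGIT_IP}))
    return None


def demo() -> dict:
    """Same attacker budget against a fixed-port and a port-randomising resolver."""
    results = {}
    for label, randomise in (("fixed_port", False), ("random_port", True)):
        resolver = ToyResolver(random.Random(1), randomise)
        attempts = kaminsky_attack(resolver, random.Random(2), burst=2000, max_attempts=300)
        results[label] = {
            "p_per_attempt": per_attempt_success(2000, randomise),
            "poisoned_on_attempt": attempts,
            "ns1_now_points_to": resolver.cache.get(f"ns1.{TARGET_ZONE}"),
        }
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

per_attempt_success gives the odds analytically: about 3% per attempt against the fixed-port resolver, which is why unlimited retries were decisive, and roughly 64,000 times smaller (the size of the port space in this model) once the port is randomised. Port randomisation raises the attacker's cost rather than removing the race, which is why the article goes on to discuss further protections.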

Both the problem and some potential solutions are explored in a new article, DNS security: Poisoning, attacks and mitigation, by Richard Agar and Kenneth Paterson, published as part of the 2010 Royal Holloway University of London (RHUL) series.

The article summarises Agar's MSc thesis, one of a series of articles by MSc graduates of Royal Holloway, University of London (RHUL).

It explains how DNS works, as well as the details of Kaminsky's discovery. It then goes on to look at various ways in which the DNS infrastructure could be better protected, and offers some suggestions for DNS security best practices.

About the authors:
Richard Agar started in the IT industry in 1999 working at Nortel Networks, where he developed an interest in information security. He has recently completed the Masters degree in information security at Royal Holloway, and is now working for intrusion prevention specialists TippingPoint, part of HP, as a senior systems engineer.

Professor Kenneth Paterson has research interests in theoretical and applied cryptography, network and mobile security, and coding theory and the mathematics of communications.

This article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that ComputerWeekly is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.
