DNS 安全威胁

对DNS的攻击方式主要包括三大类，

• 流量型拒绝服务攻击，如UDP flood、TCP flood、DNS请求flood，和PING flood等。
• 异常请求访问攻击，如超长域名请求、异常域名请求等，这类型攻击的特点是通过发掘DNS服务器的漏洞 ，通过伪造特定的请求报文，导致DNS服务器软件工作异常而退出或崩溃而无法启动，达到影响DNS服务器正常工作的目的
• DNS劫持攻击，如篡改LDNS缓存内容、篡改授权域内容、ARP欺骗劫持授权域、分光劫持等，这种类型攻击的特点是通过直接篡改解析记录或在解析记录传递过程中篡改其内容或抢先应答，从而达到影响解析结果的目的

 

威胁发生地方

NumberAreaThreat(1)Zone FilesFile Corruption (malicious or accidental). Reading private zone files, configuration files and logs to expose hidden devices. Local threat. Mitigated by good System Administration practices.(2)Zone TransfersIP address spoofing (impersonating update source), DDoS attacks (persistent requests for transfer). Server to Server threat. Mitigated by either IP address limits or cryptographic solutions using TSIG (shared secret MAC).(3)Dynamic UpdatesUnauthorized Updates, malicious updates, IP address spoofing (impersonating update source). Server to Server Threat. Mitigated by either IP address limits or cryptographic solutions using either TSIG (symmetric-like MAC)or SIG(0) (an asymmetric).(4)Remote QueriesCache Poisoning/Pollution by IP spoofing, data interception or a subverted Master or Slave. DDoS attacks based on Open Resolvers and other configuration errors. Zombied or virus compromised PC or server. Server to Client threat. Mitigated by either IP address limits or cryptographic solutions using DNSSEC (asymmetric cryptography).(5)Resolver QueriesData interception, Poisoned/Polluted Cache, subverted Master or Slave, local IP spoofing. Increasingly remote devices use a DNS proxy which can either be compromised, badly configured or poorly implemented. Remote Client-Client threat. Mitigated by end-to-end cryptographic solutions using DNSSEC (asymmetric cryptography).

如上所述，威胁发生在DNS解析的所有途径，客户解析器与localDNS之间；local DNS缓存；local DNS与授权DNS之间；primary DNS与Secondary DNS之间；授权DNS数据库、远端管理平台。各个层面都需要考虑安全。