DNS cache poisoning

DNS cache poisoning has a lot of webmasters needlessly worried lately about the DNS servers that are authoritative for their sites. In particular, they are worried that making recursion available on their DNS servers will result in hijacking through DNS cache poisoning. They are running DNS tests offered by public DNS testing services and seeing warnings that the authoritative DNS server being tested offers recursion. Recursion is one of the routes used for DNS cache poisoning. However, poisoning the cache of a DNS server has no effect on its ability to respond correctly to requests for records of a zone for which it is authoritative: authoritative answers come from the zone data, not from the cache. The misdirection happens before the name resolution process ever reaches the authoritative DNS server, so disabling recursion on a site's authoritative name server will not prevent this type of hijacking.

For visitors to be misdirected to a substitute server by DNS cache poisoning, the DNS servers used directly by consumers, or the DNS servers upstream from those, must be hijacked. In most cases the DNS servers used by consumers are the caching DNS servers maintained by ISPs for their subscribers, and it is at this level that the effects of DNS cache poisoning are applied. Note that these are generally not the authoritative name servers for your particular zone.

The goal of DNS cache poisoning is to misdirect requests for DNS records to rogue DNS servers; the effect is to bypass the authoritative name servers for a zone. Somewhere along the line a requesting DNS server has to be told that the authoritative name server for the zone is at a location other than where it should be. This happens externally to the authoritative name server and is something the real authoritative name server will never do. The caveat is that this presumes the NS and SOA records configured on the real authoritative name server are correct.

But recursion has nothing to do with this. If a webmaster has verified the correctness of the records and made sure they are protected from change, then everything that can be done has been done. By doing this, the administrator ensures that the correct DNS record information is served when the authoritative name server is asked for it. If the rest of the internet's DNS gets corrupted, through cache poisoning or other means, there is nothing you can do about it directly; at that point the authoritative name servers are being bypassed.

An administrator who chooses to turn off recursion should carefully consider the consequences. Any computer that depends on the DNS server being modified for its outbound connections must be configured to use alternate DNS servers for name resolution. For example, if the web server also runs a mail server that sends outbound email, it will not be able to send email until it can look up MX records. Consult the tech staff at your hosting company before doing this; they may have alternate caching DNS servers for you to use with outbound services.

The bottom line is that the warning messages seen at DNS testing sites, such as recursion being turned on, are informational in nature. The tests have no knowledge of how the DNS server being tested is used. It is the reader's responsibility to interpret the meaning and applicability of such messages in their own circumstances. It is also true that a DNS server offering recursion is not automatically subject to cache poisoning; it depends on whether the DNS server software in use is vulnerable to cache poisoning through recursion. The only thing that will happen if the cache of your authoritative DNS server gets poisoned is that outgoing email might be misdirected, or, if you are in the habit of using it from your workstation as a client DNS setting, your browser or FTP client might get hijacked. In other words, at most you risk trying to FTP proprietary source code to the wrong box.

Note: For users of Windows DNS Services, Windows 2000 has had cache poisoning prevention turned on by default since SP3. This capability can be turned on in any Windows server version since NT4 via a registry setting.
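A check a webmaster can apply to the point above, as an added example that is not part of the original article: parse the DNS header flags of a response and separate the AA bit (an authoritative answer for your zone, which is what matters) from the RA bit (recursion offered, which is what the testing sites warn about). The response packets are constructed inline, so the code runs offline.

```python
import struct

# Minimal parser for the DNS message header (RFC 1035, section 4.1.1).
# Added example for this article, not code from the original page; the
# packets handled here are constructed by hand so it runs offline.
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
NOERROR, REFUSED = 0, 5

def parse_flags(packet: bytes) -> dict:
    """Pull out the header bits that a DNS test report is really talking about."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated DNS header")
    _msg_id, flags, _qd, an, _ns, _ar = HEADER.unpack_from(packet, 0)
    return {
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # answer comes from the server's own zone data
        "rd": bool(flags & 0x0100),   # client asked for recursion
        "ra": bool(flags & 0x0080),   # server offers recursion: the bit testing sites warn about
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def assess(packet: bytes) -> str:
    """Relate the flags to the article's point: AA on your own zone is what matters."""
    f = parse_flags(packet)
    if not f["qr"]:
        return "not a response"
    if f["rcode"] == REFUSED:
        return "query refused (REFUSED)"
    if f["aa"] and f["rcode"] == NOERROR:
        note = " (recursion offered: informational only)" if f["ra"] else ""
        return "authoritative answer for the zone" + note
    if f["ra"]:
        return "non-authoritative answer from cache: this cache is what poisoning targets"
    return "non-authoritative answer, recursion not offered"

def make_response(aa: bool, ra: bool, rcode: int = NOERROR, ancount: int = 1) -> bytes:
    """Construct a header-only response; flag checks need no question or answer section."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0x000F)
    return HEADER.pack(0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for aa, ra, rcode in [(True, False, NOERROR), (True, True, NOERROR),
                          (False, True, NOERROR), (False, False, REFUSED)]:
        print(f"aa={aa} ra={ra} rcode={rcode}: {assess(make_response(aa, ra, rcode))}")
```

Against a live server, the same flag check applies to the response to a query for your own zone sent with RD cleared: AA set means the zone data is being served correctly, whatever RA says.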
© 2006, all rights reserved