An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies
DNS Security Management offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS). This vital resource is filled with proven strategies for detecting and mitigating these all too frequent threats. The authors--noted experts on the topic--offer an introduction to the role of DNS and explore the operation of DNS. They cover a myriad of DNS vulnerabilities and include preventative strategies that can be implemented.
Comprehensive in scope, the text shows how to secure DNS resolution with the Domain Name System Security Extensions (DNSSEC). In addition, the text includes discussions on security applications facility by DNS, such as anti-spam, SPF, DANE and related CERT/SSHFP records. This important resource:
* Presents security approaches for the various types of DNS deployments by role (e.g., recursive vs. authoritative)
* Discusses DNS resolvers including host access protections, DHCP configurations and DNS recursive server IPs
* Examines DNS data collection, data analytics, and detection strategies
With cyber attacks ever on the rise worldwide, DNS Security Management offers network engineers a much-needed resource that provides a clear understanding of the threats to networks in order to mitigate the risks and assess the strategies to defend against threats.
Autorentext
Michael Dooley is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
Timothy Rooney manages BT Diamond IP product development and has led the market introduction of four next-generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley-IEEE Press title Introduction to IP Address Management and in 2011, IP Address Management Principles and Practice. In 2013 Mr. Rooney co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
Inhalt
Preface xiii
Acknowledgments xvii
1 INTRODUCTION 1
Why Attack DNS? 1
Network Disruption 2
DNS as a Backdoor 2
DNS Basic Operation 3
Basic DNS Data Sources and Flows 4
DNS Trust Model 5
DNS Administrator Scope 6
Security Context and Overview 7
Cybersecurity Framework Overview 7
Framework Implementation 9
What's Next 15
2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17
DNS Overview Domains and Resolution 17
Domain Hierarchy 18
Name Resolution 18
Zones and Domains 23
Dissemination of Zone Information 25
Additional Zones 26
Resolver Configuration 27
Summary 29
3 DNS PROTOCOL AND MESSAGES 31
DNS Message Format 31
Encoding of Domain Names 31
Name Compression 32
Internationalized Domain Names 34
DNS Message Format 35
DNS Update Messages 43
The DNS Resolution Process Revisited 48
DNS Resolution Privacy Extension 55
Summary 56
4 DNS VULNERABILITIES 57
Introduction 57
DNS Data Security 57
DNS Information Trust Model 59
DNS Information Sources 60
DNS Risks 61
DNS Infrastructure Risks and Attacks 62
DNS Service Availability 62
Hardware/OS Attacks 63
DNS Service Denial 63
Pseudorandom Subdomain Attacks 67
Cache Poisoning Style Attacks 67
Authoritative Poisoning 71
Resolver Redirection Attacks 73
Broader Attacks that Leverage DNS 74
Network Reconnaissance 75
DNS Rebinding Attack 77
Reflector Style Attacks 78
Data Exfiltration 79
Advanced Persistent Threats 81
Summary 83
5 DNS TRUST SECTORS 85
Introduction 85
Cybersecurity Framework Items 87
Identify 87
Protect 87
Detect 88
DNS Trust Sectors 88
External DNS Trust Sector 91
Basic Server Configuration 93
DNS Hosting of External Zones 97
External DNS Diversity 97
Extranet DNS Trust Sector 98
Recursive DNS Trust Sector 99
Tiered Caching Servers 100
Basic Server Configuration 101
Internal Authoritative DNS Servers 103
Basic Server Configuration 105
Additional DNS Deployment Variants 108
Internal Delegation DNS Master/Slave Servers 109
Multi-Tiered Authoritative Configurations 109
Hybrid Authoritative/Caching DNS Servers 111
Stealth Slave DNS Servers 111
Internal Root Servers 111
Deploying DNS Servers with Anycast Addresses 113
Other Deployment Considerations 118
High Availability 118
Multiple Vendors 118
Sizing and Scalability 118
Load Balancers 119
Lab Deployment 119
Putting It All Together 119
6 SECURITY FOUNDATION 121
Introduction 121
Hardware/Asset Related Framework Items 122
Identify: Asset Management 122
Identify: Business Environment 123
Identify: Risk Assessment 124
Protect: Access Control 126
Protect: Data Security 127
Protect: Information Protection 129
Protect: Maintenance 130
Detect: Anomalies and Events 131
Detect: Security Continuous Monitoring 131
Respond: Analysis 132
Respond: Mitigation 132
Recover: Recovery Planning 133
Recover: Improvements 133
DNS Server Hardware Controls 134
DNS Server Hardening 134
Additional DNS Server Controls 136
Summary 137
7 SERVICE DENIAL ATT...