Case Project 3-2: Setting Up DNS Security

Your DNS servers have been hacked, and you’ve been asked to set up DNS security measures. Your supervisor wants to know the options for preventing attackers from tampering with your DNS servers. Write a memo to your supervisor discussing DNSSEC, a DNS socket pool, and DNS cache locking and how they can help secure DNS.

Answer:
Our Domain Name System (DNS) servers have been hacked, so this memo sets out the options for preventing attackers from tampering with them: DNSSEC, the DNS socket pool, and DNS cache locking, and how each of these helps secure DNS.
DNSSEC stands for Domain Name System Security Extensions. It is a set of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the DNS as used on Internet Protocol (IP) networks. In general terms, it is a security system that gives DNS servers the ability to verify that the information they receive can be trusted. DNSSEC prevents DNS spoofing, which is one of the common attacks against DNS.
At a broad level, the mechanism works by digitally signing the DNS records at the authoritative DNS server using public-key cryptography. DNSSEC is meant to protect the DNS from the ongoing and significant attacks against DNS infrastructure, specifically stopping man-in-the-middle attacks and theft of personal data. It also protects DNS clients' name resolution queries from forged DNS data and from DNS cache poisoning. It enables a DNS zone and all of the records in it to be signed. It is available as an advanced feature of the DNS server settings, and it secures DNS traffic while working alongside DNS policies.
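The following PowerShell session is an added example, not part of the original answer, showing what "signing a zone and all the records in it" looks like on a Windows Server DNS server with the DnsServer module. The zone name corp.example and the resolver name dns1.corp.example are placeholders; the path C:\dnssec is an assumption.

```powershell
# Added example (not from the original answer). Assumes a Windows Server DNS
# server with the DnsServer module hosting a primary zone. Run elevated.
$zone = 'corp.example'   # placeholder zone name

# 1. Sign the zone with the default key and signing parameters. This generates
#    the key-signing and zone-signing keys and adds DNSKEY, RRSIG and NSEC3
#    records so every RRset in the zone carries a signature.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# 2. Review the signing settings the server applied (NSEC3 denial of
#    existence, iteration count, and so on).
Get-DnsServerDnsSecZoneSetting -ZoneName $zone | Format-List

# 3. Verify signatures are really present: list the RRSIG records, the record
#    type each one covers, and when each signature expires. An empty result
#    here means the zone is not protected, whatever the settings say.
Get-DnsServerResourceRecord -ZoneName $zone -RRType RRSIG |
    Select-Object HostName,
        @{ Name = 'Covers';  Expression = { $_.RecordData.TypeCovered } },
        @{ Name = 'Expires'; Expression = { $_.RecordData.SignatureExpiration } }

# 4. Export the DS record for the parent zone. The chain of trust depends on
#    the parent publishing this; until it does, validating resolvers cannot
#    confirm the zone's signatures.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec' `
    -DigestType Sha256 -Force

# 5. From a client, request DNSSEC data. A signed zone returns the RRSIG next to
#    the A record; a forged or tampered response fails validation on a
#    validating resolver instead of being accepted.
Resolve-DnsName -Name "www.$zone" -Type A -Server 'dns1.corp.example' -DnssecOk
```

Step 3 is the check worth keeping in a runbook: signing keys can expire or the signing job can silently stop, and an RRSIG listing (or the SignatureExpiration column) tells you whether clients are still receiving valid signatures.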
The DNS socket pool is another DNS security measure. It reduces the chance of cache-tampering and DNS spoofing attacks by allowing a DNS server to use source port randomization whenever it issues DNS queries to remote DNS servers. Increasing the size of the socket pool increases the amount of source port randomization available to the DNS server. Rather than using a predictable source port, the DNS server uses a random port number that it selects from the DNS socket pool. This makes cache tampering attacks difficult, because an attacker has to correctly guess both the source port of the DNS query and a random transaction ID to carry out the attack.
When the DNS service starts, the server chooses source ports from a pool of sockets available for issuing DNS queries. As a best practice, the DNS socket pool should be enabled by default on the servers. It stops an attacker from replacing records in the resolver cache while their Time to Live (TTL) is still in force.
Cache locking is a Windows Server 2012 security feature that lets you control whether and when records in the DNS server cache can be overwritten. It blocks records in the cache from being changed for the duration of the record’s TTL value.
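The socket pool and cache locking are both server settings, so the practical question for the memo is how to check their current values and set them. The PowerShell below is an added example, not part of the original answer; it assumes a Windows Server 2012 or later DNS server with the DnsServer module and dnscmd.exe, run from an elevated session. The two function names are the example's own.

```powershell
# Added example (not from the original answer). Assumes Windows Server 2012+
# with the DnsServer PowerShell module and dnscmd.exe; run elevated.

function Get-DnsHardeningState {
    # Socket pool: number of UDP sockets (source ports) the server pre-opens
    # for outbound queries. Windows defaults to 2500; 10000 is the maximum.
    $settings = Get-DnsServerSetting -All
    # Cache locking: percentage of a record's TTL during which the cached
    # record cannot be overwritten. 100 means "never before the TTL expires".
    $cache = Get-DnsServerCache
    [pscustomobject]@{
        SocketPoolSize          = $settings.SocketPoolSize
        SocketPoolExcludedPorts = $settings.SocketPoolExcludedPortRanges
        CacheLockingPercent     = $cache.LockingPercent
    }
}

function Set-DnsHardening {
    param(
        [int]$SocketPoolSize = 10000,   # largest pool = most port entropy
        [int]$LockingPercent = 100      # lock cached records for the full TTL
    )
    # The socket pool size is read when the service starts, so a restart is
    # required for the new value to take effect.
    dnscmd /Config /SocketPoolSize $SocketPoolSize | Out-Null
    # Cache locking applies immediately to records cached from now on.
    Set-DnsServerCache -LockingPercent $LockingPercent
    Restart-Service -Name DNS
}

Write-Host 'Before hardening:'
Get-DnsHardeningState
Set-DnsHardening
Write-Host 'After hardening:'
Get-DnsHardeningState
```

Run Get-DnsHardeningState on its own first and record the output; a socket pool that has been shrunk or a locking percentage below 100 on a server that previously had the recommended values is itself worth investigating on a machine that has already been compromised. If other software on the server needs fixed ports, exclude them from the pool with dnscmd /Config /SocketPoolExcludedPortRanges rather than reducing the pool size.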