DNS cache poisoning attack:
- A DNS cache poisoning attack is an attack that leads the user to a
fake website by supplying false DNS information to the user.
- In this attack, the attacker inserts false information into the DNS
cache. When a user asks the DNS server for information about a
particular legitimate website, the DNS server responds to that user
with the false information entered by the attacker. When the user uses
that information, they are redirected to the attacker's website (the
website whose information the attacker supplied).
- Network clients are affected by this attack because they do not know
that DNS spoofing has been performed, so they trust the information and
use it. As a result, the client is directed to the wrong website and
their system is exposed to vulnerabilities.
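The checks that keep false information out of a resolver's cache, as an added example that is not part of the original notes: a reply is accepted only if it matches the outstanding query (transaction id, port, question) and carries no records outside the zone the queried server is responsible for. All names, addresses, ports and transaction ids below are constructed sample values.

```python
# Added example (not from the original notes): the checks a resolver applies
# before it accepts a DNS reply into its cache. A forged reply that fails any
# check is discarded, which is how poisoning attempts are kept out of the cache.
# All names, ports and transaction ids below are constructed sample values.


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is at or below `zone` (the server asked is authoritative there)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)


def validate_response(pending: dict, response: dict, server_zone: str):
    """Return (accepted, reason). `pending` is the query the resolver sent,
    `response` the reply that arrived, `server_zone` the zone the queried
    server is authoritative for."""
    if response["txid"] != pending["txid"]:
        return False, "transaction id does not match the outstanding query"
    if response["dst_port"] != pending["src_port"]:
        return False, "reply not addressed to the port the query left from"
    if (response["qname"].lower(), response["qtype"]) != (pending["qname"].lower(), pending["qtype"]):
        return False, "question section differs from the query"
    # Records outside the server's zone are never cached: a reply about
    # example.test must not install data for some unrelated domain.
    for rr in response["answers"] + response["additional"]:
        if not in_bailiwick(rr["name"], server_zone):
            return False, f"out-of-bailiwick record for {rr['name']} ignored"
    return True, "accepted"


# Constructed sample: the outstanding query and three candidate replies.
PENDING = {"qname": "www.example.test.", "qtype": "A", "txid": 0x1A2B, "src_port": 41234}

GOOD_REPLY = {
    "txid": 0x1A2B, "dst_port": 41234, "qname": "www.example.test.", "qtype": "A",
    "answers": [{"name": "www.example.test.", "type": "A", "rdata": "192.0.2.10"}],
    "additional": [],
}

# Wrong transaction id: the reply does not belong to the query we sent.
WRONG_TXID = dict(GOOD_REPLY, txid=0x1A2C)

# Correct id, but an unrelated record rides along in the additional section.
OFF_ZONE_GLUE = dict(GOOD_REPLY, additional=[
    {"name": "login.other-bank.test.", "type": "A", "rdata": "203.0.113.9"},
])


def run_samples():
    return {
        name: validate_response(PENDING, reply, "example.test.")
        for name, reply in [("good", GOOD_REPLY), ("wrong_txid", WRONG_TXID), ("off_zone", OFF_ZONE_GLUE)]
    }


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:11s} accepted={ok} ({why})")
```

Only the first reply is cached; the other two are dropped with a reason that a resolver would normally log, which is also a useful signal to alert on when such rejections arrive in volume.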
Response Rate Limiting:
- Response Rate Limiting (RRL) is a tool used to avoid DNS
amplification attacks such as DNS spoofing and DNS poisoning attacks.
- The role of RRL is to limit the number of queries that are answered
for each client.
- Responding to one client continuously may lead to DNS
amplification attacks.
- To do this, it uses a token bucket that is filled in the order of the
clients' requests. It does not serve many requests from the same
client; it responds only once to each client.
- It checks the IP addresses of the clients whose requests are received
to decide whether they are authorized users or not.
- This makes the DNS server respond only to the authorized
clients.
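A per-client token bucket of the kind RRL relies on, run over a few constructed query-log lines, as an added example that is not part of the original notes. The rates, addresses and names are sample values, and the "truncate every Nth refusal" behaviour mirrors the slip feature found in real RRL implementations such as BIND's; production RRL keys its buckets on the client's address prefix together with the response, not on the bare client address used here.

```python
# Added example (not from the original notes): a per-client token bucket as used
# by Response Rate Limiting, driven by constructed query-log lines.
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int, burst: int, slip: int = 2):
        # Tokens are kept as integer milli-tokens so the arithmetic is exact.
        self.rate = responses_per_second          # milli-tokens added per millisecond
        self.capacity = burst * 1000
        self.slip = slip                          # every `slip`-th refusal becomes a truncated reply
        self.tokens = defaultdict(lambda: self.capacity)
        self.last_ms = {}
        self.refusals = defaultdict(int)

    def decide(self, client: str, now_ms: int) -> str:
        prev = self.last_ms.get(client, now_ms)
        self.tokens[client] = min(self.capacity, self.tokens[client] + (now_ms - prev) * self.rate)
        self.last_ms[client] = now_ms
        if self.tokens[client] >= 1000:
            self.tokens[client] -= 1000
            return "respond"
        # Over the limit. Dropping everything would also cut off a legitimate
        # client whose address is being forged by someone else, so every
        # `slip`-th refusal sends a truncated (TC=1) reply instead, which a
        # genuine client answers by retrying over TCP.
        self.refusals[client] += 1
        if self.slip and self.refusals[client] % self.slip == 0:
            return "truncate"
        return "drop"


def process_log(lines, limiter: ResponseRateLimiter):
    """Lines are 'ms client qname'; returns {client: {decision: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, client, _qname = line.split()
        summary[client][limiter.decide(client, int(ts))] += 1
    return {c: dict(d) for c, d in summary.items()}


# Constructed log: 198.51.100.7 sends ten queries within one second (the
# pattern of an address being used as a reflection source), while 203.0.113.4
# sends two queries five seconds apart.
SAMPLE_LOG = [f"{t * 100} 198.51.100.7 big.example.test" for t in range(10)] + [
    "0 203.0.113.4 www.example.test",
    "5000 203.0.113.4 www.example.test",
]


def run_sample():
    return process_log(SAMPLE_LOG, ResponseRateLimiter(responses_per_second=2, burst=3))


if __name__ == "__main__":
    for client, counts in run_sample().items():
        print(client, counts)
```

With two responses per second and a burst of three, the fast client gets four answers, three drops and three truncated replies, while the slow client is answered both times because its bucket has refilled in between.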
Two keys of a digital signature to secure a zone:
- To secure a zone using a digital signature, two keys need to be
generated: a public key and a private key.
- Public key: this key is sent by the sender to the receiver who wants
to access the information.
- Private key: this key is held by the sender and the receiver
individually. With that key, they can protect the data. The sender
encrypts the zone information with his private key, and the receiver
decrypts the zone information with his private key and the public key
(sent by the sender).
DNS delegated administration:
- DNS delegated administration means breaking or dividing larger zones
into smaller zones.
- This is maintained through the DNS Manager console.
- It divides larger zones into smaller zones by creating sub-zones of
the larger zones.
- We might use this to reduce complexity and to provide correct details
in answer to clients' DNS queries.
Trust anchors:
- Trust anchors are distributed by the DNS Manager console.
- A trust anchor is used to validate the DNS data in a zone.
- It is assigned to signed zones.
- They are distributed by the DNS Manager console to each signed zone.
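The two keys and the trust anchor in use, as an added example serving both the "two keys of a digital signature" and the "trust anchors" notes above; it is not part of the original notes. The private key produces the signature over the zone's records and the public key, configured on the validator as the trust anchor for that zone, checks it; a zone with no trust anchor cannot be validated at all. The RSA parameters are the tiny textbook values (p = 61, q = 53) chosen so the arithmetic is visible, and the records are constructed sample data.

```python
# Added example (not from the original notes): signing a zone's records with a
# private key and validating them against a trust anchor (the configured public
# key for that zone). The RSA parameters are deliberately tiny, textbook values
# chosen so the arithmetic is visible; they are a constructed illustration and
# must never be used to protect anything.
import hashlib

# Toy key pair for the zone "example.test." (constructed values).
P, Q = 61, 53
N = P * Q                                # public modulus, 3233
E = 17                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, 2753

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def canonical_zone(records):
    """Deterministic text form of the records so signer and validator hash the same bytes."""
    return "\n".join(" ".join(rr) for rr in sorted(records)).encode()


def digest(records, n):
    # Reduce the SHA-256 digest into the key's range. A real signature scheme
    # pads the hash instead; the toy modulus here is far smaller than the hash.
    return int.from_bytes(hashlib.sha256(canonical_zone(records)).digest(), "big") % n


def sign_zone(records, private_key):
    d, n = private_key
    return pow(digest(records, n), d, n)                # produced with the private key


def verify_zone(records, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == digest(records, n)   # checked with the public key


# Trust anchors: the public keys a validator is configured with, one per signed zone.
TRUST_ANCHORS = {"example.test.": PUBLIC_KEY}


def validate_with_anchor(zone, records, signature, anchors=TRUST_ANCHORS):
    anchor = anchors.get(zone)
    if anchor is None:
        return False, "no trust anchor for this zone: data cannot be validated"
    if not verify_zone(records, signature, anchor):
        return False, "signature does not verify against the trust anchor"
    return True, "validated"


# Constructed records for the zone, signed once by the zone owner.
ZONE = "example.test."
RECORDS = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("mail.example.test.", "MX", "10 mx.example.test."),
]
SIGNATURE = sign_zone(RECORDS, PRIVATE_KEY)


def run_samples():
    # Same signature, but one record altered after signing.
    tampered = RECORDS[:-1] + [("mail.example.test.", "MX", "10 mx.elsewhere.test.")]
    return {
        "genuine": validate_with_anchor(ZONE, RECORDS, SIGNATURE),
        "tampered": validate_with_anchor(ZONE, tampered, SIGNATURE),
        "unanchored": validate_with_anchor("other.test.", RECORDS, SIGNATURE),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:10s} valid={ok} ({why})")
```

The private key never leaves the signer; the validator needs only the public key, which is why that key is the one distributed to every signed zone's validators as the trust anchor.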