PURPOSE OF THIS GUIDE
The aim of this guide is to give an overview of the DNS service, to describe the principal attacks to which the protocol is exposed through misuse, and to provide good-practice guidelines for making it more secure.
The guide is intended for system and network operators and administrators, and aims to help them implement and harden the service.
Although the focus of this document is on DNS in general, particular emphasis is placed on the open-source software BIND in the examples and suggested implementations, since it is by far the most widely used package. This document is made up of five principal sections:
Basics of DNS.
This explains the concepts, objectives and functioning of a DNS system.
Security in the DNS.
This section identifies possible attack vectors in a typical DNS scenario and the assets affected.
Vulnerabilities and Threats in the DNS.
The weaknesses intrinsic to the design of the DNS protocol are explained, together with the principal attacks that take advantage of them.
Fortifying DNS.
This section examines the security measures that should be implemented in the three main planes of attack on the DNS service: the infrastructure of the DNS service, communications and transactions, and data.
DNSSEC.
Finally, an introduction to DNSSEC is given. This is a development in DNS security in which the introduction of cryptography is intended to give the DNS service an effective mechanism against the historical vulnerabilities of its design.