Page 585 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 585

The HOSTS file is the static file found on Transmission Control
               Protocol/Internet Protocol (TCP/IP) supporting system that contains

               hard-coded references for domain names and their associated IP
               addresses. The HOSTS file was used prior to the dynamic query–based
               DNS system of today, but it serves as a fallback measure or a means to
               force resolution. Administrators or hackers can add content to the
               HOSTS file that sets up a relationship between a FQDN (fully qualified
               domain name) and the IP address of choice. If an attacker is able to
               plant false information into the HOSTS file, then when the system

               boots the contents of the HOSTS file will be read into memory where
               they will take precedence. Unlike dynamic queries, which eventually
               time out and expire from cache, entries from the HOSTS file are
               permanent.

               Authorized DNS server attacks aim at altering the primary record of a
               FQDN on its original host system, the primary authoritative DNS
               server. The primary authoritative DNS server hosts the zone file or

               domain database. If this original dataset is altered, then eventually
               those changes will propagate across the entire internet. However, an
               attack on an authoritative DNS server typically gets noticed very
               quickly, so this rarely results in widespread exploitation. So, most
               attackers focus on caching DNS servers instead. A caching DNS server

               is any DNS system deployed to cache DNS information from other
               DNS servers. Most companies and ISPs provide a caching DNS server
               for their users. The content hosted on a caching DNS server is not
               being watched by the worldwide security community, just the local
               operators. Thus, an attack against a caching DNS server can
               potentially occur without notice for a significant period of time. For
               detailed information on how caching DNS server attacks can occur, see

               “An Illustrated Guide to the Kaminsky DNS Vulnerability” at
               http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html.
               Although both of these attacks focus on DNS servers, they ultimately
               affect clients. Once a client has performed a dynamic DNS resolution,
               the information received from an authoritative DNS server or a
               caching DNS server will be temporarily stored in the client’s local DNS

               cache. If that information is false, then the client’s DNS cache has been
               poisoned.
   580   581   582   583   584   585   586   587   588   589   590