Page 780 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
responds. Once the client receives the response from the rogue DNS server, the client closes the DNS query session, which causes the response from the real DNS server to be dropped and ignored as an out-of-session packet.
DNS queries are not authenticated, but they do contain a 16-bit value known as the query ID (QID). The DNS response must include the same QID as the query to be accepted. Thus, a rogue DNS server must include the requesting QID in the false reply.
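The QID check described above, as an added example that is not from the study guide: a resolver-side acceptance routine that rejects a reply whose QID does not match the outstanding query, and that also requires the reply to come from the server the query was sent to (IP and port) and to echo the exact question section, since a 16-bit QID alone leaves only 65,536 possibilities. All addresses and names are constructed documentation values.

```python
# Added example (not the study guide's code): the query-ID (QID) check a resolver
# applies before accepting a DNS reply, plus the source-address/port and echoed-
# question matching that makes a blind 16-bit QID match insufficient on its own.
import os
import struct

def encode_qname(name):
    """Encode "www.example.com" as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qid=None):
    """Build a minimal A/IN query. Returns (qid, question_bytes, wire_bytes)."""
    if qid is None:
        qid = struct.unpack("!H", os.urandom(2))[0]            # random 16-bit QID
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return qid, question, header + question

def build_response(qid, name, ipv4):
    """Constructed reply carrying the given QID, the echoed question and one A record."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; ANCOUNT=1
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name ptr -> offset 12
    return header + question + answer

def response_accepted(pending, reply, src):
    """
    pending: {"qid": int, "question": bytes, "server": (ip, port)} for an outstanding query.
    reply:   raw datagram received; src: (ip, port) it arrived from.
    Accept only a response whose QID matches, that comes from the server we asked
    (IP and port), and that echoes our exact question section.
    """
    if len(reply) < 12 or src != pending["server"]:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if not flags & 0x8000 or qid != pending["qid"] or qdcount != 1:
        return False
    q = pending["question"]
    return reply[12:12 + len(q)] == q

def demo():
    """Constructed scenario: a genuine reply, a reply with the wrong QID, a reply from elsewhere."""
    server = ("192.0.2.53", 53)                                # constructed resolver address
    qid, question, _ = build_query("www.example.com", qid=0x1234)
    pending = {"qid": qid, "question": question, "server": server}
    genuine = build_response(0x1234, "www.example.com", "198.51.100.10")
    wrong_qid = build_response(0x1235, "www.example.com", "203.0.113.66")
    return (response_accepted(pending, genuine, server),
            response_accepted(pending, wrong_qid, server),
            response_accepted(pending, genuine, ("192.0.2.54", 53)))
```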
Perform DNS poisoning. DNS poisoning involves attacking the real DNS server and placing incorrect information into its zone file. This causes the real DNS server to send false data back to clients.
Alter the HOSTS file. Modifying the HOSTS file on the client by placing false DNS data into it redirects users to false locations.
Corrupt the IP configuration. Corrupting the IP configuration can result in a client having a false DNS server definition. This can be accomplished either directly on the client or on the network's DHCP server.
Use proxy falsification. This method works only against web communications. This attack plants false web proxy data into a client's browser, and then the attacker operates the rogue proxy server. A rogue proxy server can modify HTTP traffic packets to reroute requests to whatever site the hacker wants.
Although there are many DNS poisoning methods, here are some basic security measures you can take that can greatly reduce their threat:
Limit zone transfers from internal DNS servers to external DNS servers. This is accomplished by blocking inbound TCP port 53 (zone transfer requests) and UDP port 53 (queries).
Limit the external DNS servers from which internal DNS servers pull zone transfers.
Deploy a network intrusion detection system (NIDS) to watch for abnormal DNS traffic.
Properly harden all DNS, server, and client systems in your private network.