DNS Security refers to the specific requirements for protecting certain types of data associated with the Domain Name System. This data includes the source address and related information that search servers normally use to return results for queries made through the domain name system. Such information must be protected both from unauthorized access and from the possibility of someone hijacking the DNS server and using it for their own purposes.
Authentication and Encryption
The DNS Security feature of the DNS server allows service provider operators to set up authentication and encryption for DNS resource records. This lets providers ensure that DNS clients establish connections only to trusted or authorized sites. An authorized site can be specified by an administrator of the DNS service, or by a DNS administrator with the help of RTCP (Real-Time Transport Control Protocol) or a DNS client. The latter can be configured to generate replies to DNS server queries automatically. However, if such a feature is already activated, it may not distinguish between an unknown server and an authorized one, and may respond to queries from unknown sources. This kind of attack can be prevented by activating the DNS security features of the DNS server.
Threat to DNS Security
There are mainly two ways an attacker may attempt to defeat the DNS security features of a server. The first is to send crafted DNS packets to the DNS server, or to modify the DNS configuration settings, which are usually saved in database files. However, most managed DNS providers have a built-in mechanism to detect such unauthorized DNS packets and block them.
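To make the "detect crafted packets and block them" idea concrete, here is an added example (not code from the original page or from any DNS product) of the structural checks a resolver or DNS-aware firewall applies before trusting a reply. It parses the DNS header and question section, rejects malformed wire data, and compares the reply against the outstanding query (transaction ID, QR bit, echoed question). The sample packets are constructed inline; the function and variable names are the example's own.

```python
"""DNS reply sanity checker (added example, not from the original page).

Parses the 12-byte DNS header and the question section of a message and
reports why a reply should be rejected as the answer to a given query.
All packets below are constructed inline for demonstration.
"""
import struct

HEADER_LEN = 12


def parse_name(data: bytes, offset: int):
    """Parse a DNS name at `offset`; return (labels, offset_after_name).

    Handles plain labels and backward compression pointers (RFC 1035 4.1.4).
    Raises ValueError on anything structurally wrong.
    """
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length == 0:                       # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | data[offset + 1]
            if pointer >= offset:             # pointers may only go backwards
                raise ValueError("forward compression pointer")
            if not jumped:
                end = offset + 2              # name ends after the first pointer
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label longer than 63 octets")
        if offset + 1 + length > len(data):
            raise ValueError("label runs past end of message")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return labels, (end if jumped else offset)


def parse_message(data: bytes) -> dict:
    """Decode header fields and the question section; ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:HEADER_LEN])
    offset, questions = HEADER_LEN, []
    for _ in range(qd):
        labels, offset = parse_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((".".join(labels), qtype, qclass))
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "questions": questions}


def check_response(query: bytes, response: bytes) -> list:
    """Return reasons to drop `response` as an answer to `query` ([] = accept)."""
    try:
        q, r = parse_message(query), parse_message(response)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    if not r["qr"]:
        problems.append("QR bit clear: not a response")
    if r["id"] != q["id"]:
        problems.append("transaction ID mismatch")
    if r["qdcount"] != 1:
        problems.append("unexpected QDCOUNT")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    return problems


def build_message(ident: int, name: str, qtype: int = 1, qr: bool = False) -> bytes:
    """Build a minimal query (or an answerless reply when qr=True) for `name`."""
    flags = 0x0100 | (0x8000 if qr else 0)           # RD set; QR optional
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample traffic (hypothetical, for demonstration only).
GOOD_QUERY = build_message(0x1234, "example.com")
GOOD_REPLY = build_message(0x1234, "example.com", qr=True)
WRONG_ID_REPLY = build_message(0x9999, "example.com", qr=True)  # ID does not match
TRUNCATED_REPLY = GOOD_REPLY[:20]                                 # cut mid-name

if __name__ == "__main__":
    for label, pkt in [("good", GOOD_REPLY), ("wrong id", WRONG_ID_REPLY),
                       ("truncated", TRUNCATED_REPLY)]:
        print(label, "->", check_response(GOOD_QUERY, pkt) or "accept")
```

A reply that fails any of these checks is discarded rather than cached, which is the defensive behaviour the paragraph above describes; the checks are deliberately structural and make no claim about the record contents themselves.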
Manual attacks on DNS security are also possible, but they are less common because they require advanced knowledge of DNS. Two best practices for avoiding manual attacks are disabling anonymous FTP and preventing workstations from listening on port 80 at the firewall. Another good practice is to disable all cookies and caching in DNS zones. A popular way to defeat the DNS security features is through the Use Common Carrier in a DNS zone. This is known as co-located addressing, a method invented by Matt Cutts, a well-known hacker.
More DNS Security Features
Some of the commonly used DNS security features include support for additional authentication methods beyond the traditional SSLv3 certificate. These added methods include NOD spoofing, Cersid, and digital certificates, among others. DNS servers also support session IDs, a useful feature for controlling authentication failures and renegotiations. On the whole, most commercial support tools provide strong protections, so the required level of protection is easy to obtain.