DNS spoofing, that is, forging domain name information, is the most common DNS security problem. When a DNS server is tricked into accepting incorrect records from a malicious DNS server, that server has been spoofed. DNS spoofing causes many security problems for vulnerable DNS servers, such as directing users to the wrong Internet site or delivering email to unauthorized mail servers.
Denial of service attack (DOS)
Attackers mainly exploit flaws in DNS software. For example, in BIND 9 (releases of the 9 series before version 9.2.0), sending a specially crafted DNS request to a host running BIND caused BIND to shut down automatically. An attacker could only crash BIND; they could not execute arbitrary commands on the server. Losing DNS service is nevertheless a disaster: users cannot reach the Internet because URLs can no longer be resolved into IP addresses. Problems in DNS, like problems in the Internet itself, therefore cause widespread disruption.
Distributed denial of service attack (DDOS)
A DDoS attack uses dozens or hundreds of computers under the attacker's control to attack a single host, which makes denial of service harder to defend against: blocking the traffic of a single attacking source host is no longer enough. SYN flood is the most common distributed denial of service attack against DNS servers.
Buffer leak
By default, BIND allows zone transfers between hosts. Zone transfer is used mainly to synchronize data between the primary name server and the secondary name servers, so that a secondary can obtain updated data from the primary. If zone transfers are enabled without restriction, information is likely to leak: an attacker can obtain the records of every host in the whole authoritative zone, judge the role and security posture of each host, and pick targets for attack.
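As an added illustration (not configuration from the text), the two BIND named.conf fragments below contrast the unrestricted zone-transfer setting with a restricted one. The zone name, the secondary addresses 192.0.2.2 and 192.0.2.3, and the key name xfer-key are assumptions; the key secret is a placeholder.

```conf
// Fragment 1 (WEAK): any host on the Internet may pull the whole zone,
// which is what an unrestricted zone-transfer setting amounts to.
zone "example.com" IN {
    type master;                  // BIND 9.16+ also accepts "primary"
    file "example.com.zone";
    allow-transfer { any; };      // information leak: full zone listing for anyone
};

// Fragment 2 (HARDENED): deny globally, then allow per zone only to the
// listed secondaries, and only when the request carries a valid TSIG signature.
acl "secondaries" { 192.0.2.2; 192.0.2.3; };   // assumed secondary addresses

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret-from-tsig-keygen";
};

options {
    allow-transfer { none; };     // default-deny; zones opt in explicitly
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };   // or { secondaries; } for an IP-only ACL
    also-notify { 192.0.2.2; 192.0.2.3; };
};
```

The two fragments are alternatives for the same zone, not one file. Restricting by key rather than by address alone also defends against requests that spoof a secondary's source address.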
TSIG and SIG(0)
DNS transaction signatures come in two forms: TSIG (transaction signature) and SIG(0) (signature zero). Which should you choose? First judge the trust relationship between the client and the server. If the two trust each other, symmetric TSIG can be used: TSIG has only one shared secret, with no public/private key pair. If the parties do not fully trust each other, SIG(0) with an asymmetric key can be chosen; it has a public/private key pair but is relatively complicated to set up. Which one is more suitable is up to you to judge. Zone transfers normally run from the primary name server to the secondary name server. The access control list (ACL) dns-ip-list in the primary server's configuration file /etc/named.conf lists the IP addresses that alone are permitted to transfer the zone data of the main domain.
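To show what a symmetric TSIG signature actually protects, here is an added Python example (not code from the text) that builds a minimal DNS AXFR query, computes a TSIG MAC in the shape of RFC 8945 (HMAC over the message followed by the TSIG variables), and verifies it on the server side with a timestamp window. The key name xfer-key, the shared secret, the message ID and the timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."
KEY_NAME = "xfer-key."                 # assumed TSIG key name
SECRET = b"constructed-shared-secret"  # assumed shared secret (symmetric)


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, root = 0."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(msg_id: int, qname: str, qtype: int = 252, qclass: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header plus one question (type 252 = AXFR)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # QDCOUNT = 1
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RR fields covered by the MAC: key name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error, other length, other data."""
    return (encode_name(KEY_NAME)
            + struct.pack("!HI", 255, 0)
            + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_sign(message: bytes, time_signed: int, fudge: int = 300,
              secret: bytes = SECRET) -> bytes:
    """Client side: HMAC-SHA256 over the unsigned message and the TSIG variables."""
    data = message + tsig_variables(time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def tsig_verify(message: bytes, mac: bytes, time_signed: int, fudge: int,
                now: int, secret: bytes = SECRET) -> bool:
    """Server side: reject stale timestamps, then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False                      # replayed or clock-skewed request
    expected = tsig_sign(message, time_signed, fudge, secret)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    now = 1700000000                      # constructed timestamp
    query = build_query(0x1234, "example.com.")
    mac = tsig_sign(query, now)
    print("valid  :", tsig_verify(query, mac, now, 300, now + 10))
    print("tampered:", tsig_verify(build_query(0x1234, "example.org."), mac, now, 300, now))
    print("stale   :", tsig_verify(query, mac, now, 300, now + 1000))
```

Because the MAC covers the question and the timestamp, changing the requested zone, the key, or replaying the request outside the fudge window all fail verification; the shared secret is the only trust anchor, which is why TSIG suits parties that already trust each other.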
DNSSEC relies mainly on public key technology to create cryptographic signatures over the information contained in DNS. A cryptographic signature provides integrity for DNS data by computing a cryptographic hash of the data and encapsulating that hash for protection. The private key of the private/public key pair is used to encapsulate the hash value, which can then be recovered with the public key. If the recovered hash value matches the hash the receiver has just computed itself, the data is intact. Whether or not the recovered hash matches the computed one, the cryptographic signature check itself is sound, because the public key can only recover a hash that was legitimately signed, so only the holder of the private key could have produced the signature.
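The sign-the-hash / recover-the-hash step described above, as an added toy example that is not from the text and is not how DNSSEC software is implemented: the key is built from two small Mersenne primes (2^31-1 and 2^61-1) with no padding scheme, which is far too weak for real use but makes the arithmetic visible. Real DNSSEC publishes the public key in a DNSKEY record and the signature in an RRSIG record over an RRset; the record text below is constructed.

```python
import hashlib

# Toy RSA key: two Mersenne primes, chosen only so the numbers are small
# enough to inspect. NEVER use keys of this size in practice.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)


def digest_as_int(data: bytes) -> int:
    """Hash the DNS data with SHA-256 and reduce it into the key's range.
    (The reduction is a toy step; real schemes pad the digest instead.)"""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Signer: the private key encapsulates the hash of the data."""
    return pow(digest_as_int(data), D, N)


def recover_hash(signature: int) -> int:
    """Verifier: the public key turns the signature back into a hash value."""
    return pow(signature, E, N)


def verify(data: bytes, signature: int) -> bool:
    """Verifier: recovered hash must equal a fresh hash of the received data."""
    return recover_hash(signature) == digest_as_int(data)


# Constructed RRset-like record standing in for the signed DNS data.
RECORD = b"www.example.com. 3600 IN A 192.0.2.10"

if __name__ == "__main__":
    sig = sign(RECORD)
    print("genuine record verifies:", verify(RECORD, sig))
    print("altered record verifies:", verify(b"www.example.com. 3600 IN A 192.0.2.99", sig))
    print("altered signature verifies:", verify(RECORD, sig + 1))
```

The verifier never needs the private key: anyone holding the public key can recover the hash, but only the private key holder could have produced a signature that recovers to the correct hash, which is exactly the property the paragraph relies on.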