Security Vulnerabilities in DNS and DNSSEC
This paper provides an overview of the vulnerabilities that DNS and DNSSEC suffer from. It describes several attacks on DNS that undermine its ability to authenticate data and origins. Among these attacks, the paper mainly focuses on man-in-the-middle, cache poisoning, and denial-of-service attacks. The man-in-the-middle attack occurs when an attacker copies a DNS server response packet and sends it to the client. The client has no way to verify the data and must trust it to be reliable, so an attacker is able to reply to legitimate queries with false information. Cache poisoning is possible because DNS servers maintain a cache that maps website names to IP addresses, each with a certain time-to-live before the address is renewed. This means that every time a client requests a website, the server does not forward that request on to find the IP address but simply looks in its cache. This, however, opens servers up to cache poisoning attacks: an attacker can “poison the cache” by intercepting a renew request and sending the server an incorrect IP address, so that every time someone attempts to access bankofamerica.com, for example, they are sent to whatever address the attacker specified. The last attack is a distributed denial-of-service attack, which happens when an attacker floods a server with traffic so that the server is not able to process legitimate requests.
The paper then analyzes how DNSSEC was created to help combat these attacks by providing data and origin authentication. It does this through a system of public and private keys that allows servers to encrypt data with their private key and the receiver to authenticate that data with the public key. Although this combats the attacks discussed in the paper, the paper also analyzes the vulnerabilities of DNSSEC itself, which center on the security weaknesses of these keys and the chain of trust of the public keys.
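
The cache behaviour and the key-based check described above can be modelled in a few lines. This is an added example, not code from the paper: it is a simplified model that does not use the real DNSSEC record formats, the RSA key is a constructed toy without padding, and every name in it (`Cache`, `sign`, `verify`, `demo`) is hypothetical. The zone signs each record with its private key (the step the text describes as encrypting with the private key) and the resolver checks it with the public key before caching.

```python
import hashlib

# Toy RSA key for the zone (constructed; textbook RSA without padding, illustration only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537      # two Mersenne primes
N = P * Q                                    # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, held by the zone

def digest(name, ip, ttl):
    """Hash the record fields into an integer smaller than N."""
    data = f"{name}|{ip}|{ttl}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(name, ip, ttl):
    """Zone side: sign the record with the private key."""
    return pow(digest(name, ip, ttl), D, N)

def verify(name, ip, ttl, sig):
    """Resolver side: check the signature with the public key (N, E)."""
    return sig is not None and pow(sig, E, N) == digest(name, ip, ttl)

class Cache:
    """Resolver cache: name -> (ip, expiry). validate=True models DNSSEC checking."""
    def __init__(self, validate):
        self.validate, self.entries = validate, {}

    def store(self, now, name, ip, ttl, sig=None):
        if self.validate and not verify(name, ip, ttl, sig):
            return False                      # unauthenticated answer is dropped
        self.entries[name] = (ip, now + ttl)
        return True

    def lookup(self, now, name):
        ip, expiry = self.entries.get(name, (None, 0))
        return ip if now < expiry else None   # expired entries are not served

# Constructed sample data: documentation-range addresses, not real hosts.
GENUINE = ("example.com", "192.0.2.10", 300)
FORGED = ("example.com", "203.0.113.66", 86400)

def demo(validate):
    cache = Cache(validate)
    cache.store(0, *GENUINE, sig=sign(*GENUINE))
    # At t=300 the entry has expired; a forged answer arrives without a valid signature.
    accepted = cache.store(300, *FORGED, sig=None)
    return accepted, cache.lookup(301, "example.com")
```

Without validation the forged record is cached and served for its full time-to-live; with validation it is rejected, and a signature copied from the genuine record does not verify against the forged fields either.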