Home > Articles > Security > Network Security

  • Print
  • + Share This
Like this article? We recommend

Corrective Actions

To prevent these types of attacks, it's necessary to have security built directly into DNS systems:

  • To minimize the risk of a spoofing attack, every organization or individual responsible for a domain should consult the developer of the domain's name server as to whether the server is secure against DNS spoofing.

  • Email can be forged, as mentioned earlier. If you accept domain changes via email, require an SSL-encrypted web page or PGP signed and encrypted email for all changes to domain information.

  • One of the best solutions so far to guard against DNS hijacking has appeared in the form of DNS Security (DNSSEC). DNSSEC supplies cryptographic verification information along with DNS messages. That means that public key cryptography is combined with digital signatures to provide a means for a requester of domain information to authenticate itself. DNSSEC ensures that a request can be traced back to a trusted source, either directly or via a chain of trust linking the source of the information to the top of the DNS hierarchy.

    DNSSEC adds two new record types for authentication in DNS: the KEY record and the SIG record. Like many encryption schemes, the KEY record stores the public key for a host or administrative zone. The SIG record stores a digital signature associated with each set of records. In a signed zone, each record set includes a SIG record. The SIG record contains the signature of the set as generated by the above zone KEY. Briefly, a DNSSEC-aware resolver can determine whether a zone is signed, and if the resolver sees an unsigned recordset when it expects a signed one it can identify that there's an error.

  • Use strong passwords and SSL systems for registering and authorizing changes to your domain names, and use registrars that assist you with setting up these security methods. In addition, don't rely on faxed documents or phone calls, as malicious attackers can easily forge them.

  • + Share This
  • 🔖 Save To Your Account