Why you should disable DNS caching on workstations

Would-be attackers are now setting their sights on the domain name system (DNS), an integral part of the Internet, in hopes of making it more difficult to determine the authenticity of Web sites. Jonathan Yarden offers some suggestions your organization can take to mitigate its risks.


Earlier this month, news broke that the amount of phishing e-mails, which sport ostensibly legitimate offers through which attackers attempt to glean personal and financial information, has slowed in the first two months of this year. But don't start celebrating yet: Attackers are simply getting smarter, not slower. In fact, they're honing their skills and turning to more sophisticated ploys.

Would-be attackers are now setting their sights on the domain name system (DNS), an integral part of the Internet, in hopes of making it more difficult to determine authenticity. Referred to as "pharming" or "DNS poisoning," this practice involves redirecting users to malicious Web sites that look perfectly legitimate, where attackers attempt to either steal personal information or install spyware.

It should come as no surprise that the people behind these scams are targeting primarily Windows-based systems, and that they are doing it by exploiting a known DNS cache bug in several Symantec firewall products. None of this is a new Internet security issue: the BIND nameserver software that serves most of the UNIX DNS world identified and fixed the same class of problem, cache poisoning in particular, years ago.

The details of who and what malware are responsible for this are currently under investigation, but organizations can't afford to wait for authorities to resolve this issue. While companies are more than likely unable to prevent attempted attacks, they can take steps to mitigate risks.

Of course, a company's first step should always be user education. Make your users aware of these threats and attackers' various methods, and teach them to closely examine any e-mails and Web sites before trusting them with personal information.

DNS is critical to the functioning of the Internet, and it's probably as critical a process as the routing of IP packets on the Internet itself. Without a properly functioning DNS, any number of problems can occur, many of which mimic network-level problems.

In fact, even simple DNS problems, either locally or on the Internet, can cripple the ability to communicate over the Internet. This is why I stress that companies should regard DNS services and servers as network-level services, in the same category as routers and switches rather than e-mail or Web servers.

At its most basic, DNS is the service that translates hostnames to IP addresses and resolves IP addresses back to hostnames. Root DNS servers, probably the busiest servers on the Internet, do nothing more than hand out referrals: they answer with NS records naming the nameservers for the relevant top-level domain, and those servers in turn refer the resolver to the authoritative nameservers for a particular domain. An NS record itself contains only the hostname of a nameserver; when that hostname lies inside the domain being delegated, the referring server also supplies its IP address as a "glue" A record in the same response, because the resolver could not otherwise find it.

DNS servers typically cache previously obtained information for future use to minimize the number of queries to other DNS servers, including NS queries to root DNS servers. Because DNS is all about minimizing the number of external lookups for domain information, caching this information whenever possible is vital.

But DNS servers aren't the only machines with this ability. Microsoft and many other software companies—even those that provide Internet security products—have made the mistake of including the ability to cache DNS information on workstations. For example, Microsoft Windows includes a DNS Client service (service name Dnscache) that keeps a local resolver cache.

However, I strongly believe that only DNS servers should cache DNS information. In fact, I recommend that organizations disable the DNS Client service, which Microsoft enables by default.

Client workstations that use DNS should never cache DNS information locally. Once the workstation has stored DNS data locally, any process that can write to that cache can trivially redirect every service that depends on DNS to hosts of its own choosing, with no request ever reaching the DNS server.
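The procedure the article recommends, as an added example rather than anything from the original column: inspect what the workstation has cached, flush it, and disable the DNS Client service so it no longer starts. It assumes Windows 8 / Windows Server 2012 or later with PowerShell 5 (for the DnsClient cmdlets and the StartType property) and an elevated session; the pre-PowerShell equivalents that existed when the article was written are shown in comments.

```powershell
# Added example (not from the original article): inspect, flush and disable the
# Windows DNS client resolver cache. Assumes Windows 8 / Server 2012 or later,
# PowerShell 5 and an elevated session. Legacy commands are given in comments.
#Requires -RunAsAdministrator

# 1. Show what the workstation has cached. Any entry here is trusted for the
#    rest of its TTL without asking the DNS server again, so an injected entry
#    silently redirects every process that resolves that name.
Get-DnsClientCache |
    Select-Object Entry, RecordName, Type, Data, TimeToLive |
    Sort-Object Entry |
    Format-Table -AutoSize

# 2. Entries from the hosts file are loaded into the same cache, so review it
#    for unexpected mappings as well (non-comment lines that start with an address).
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S+' }

# 3. Flush the cache (legacy: ipconfig /flushdns).
Clear-DnsClientCache

# 4. Stop the DNS Client service and keep it from starting again
#    (legacy: net stop dnscache ; sc config dnscache start= disabled).
Stop-Service -Name Dnscache -Force -ErrorAction Stop
Set-Service -Name Dnscache -StartupType Disabled

# 5. Verify the result.
Get-Service -Name Dnscache | Select-Object Name, Status, StartType
```

Two caveats before rolling this out fleet-wide. On current Windows 10 and 11 builds the service is protected and both Stop-Service and Set-Service are refused; the only route there is to set the Start value under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache to 4 and reboot. And the service does more than caching: it also performs dynamic DNS registration of the machine's own records, so domain-joined workstations should be tested for that before the change is made policy.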

DNS cache poisoning is yet another concern for systems using Microsoft DNS. Working at the DNS server level, cache poisoning involves slipping forged records into a server's cache, in particular records that change the addresses of a domain's authoritative nameservers, so that subsequent lookups for hostnames in that domain are answered by someplace other than the legitimate server. DNS poisoning can affect entire networks that rely on Microsoft DNS services on a variety of Windows versions, with the exception of Windows Server 2003, which enables its "Secure cache against pollution" setting by default.

I also recommend that companies have a minimum of two authoritative DNS servers and keep them on two separate physical and logical networks. This helps prevent a single point of failure with DNS because incorrect or nonfunctional DNS is a recipe for disaster.
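The two server-side checks from the preceding paragraphs (cache pollution protection, and two authoritative nameservers on separate networks) as one added example, not part of the original column. It assumes the DnsServer module of Windows Server 2012 or later (run on the server or an RSAT host), that `$Zone` is a placeholder for a zone your organization is authoritative for, and it uses "same /24" as a rough stand-in for "same physical and logical network".

```powershell
# Added example (not from the original article). Assumes the DnsServer module
# (Windows Server 2012+ or RSAT). $Zone and $DnsServer are placeholders.
param(
    [string]$Zone = 'example.com',   # assumption: replace with your own zone
    [string]$DnsServer = 'localhost'
)

# --- 1. Cache poisoning protection on the server ------------------------------
# EnablePollutionProtection is the "Secure cache against pollution" setting
# (legacy: dnscmd /Config /SecureResponses 1): records outside the answering
# server's zone of authority are discarded instead of cached. LockingPercent 100
# additionally stops cached records being overwritten before their TTL expires.
$cache = Get-DnsServerCache -ComputerName $DnsServer
if (-not $cache.EnablePollutionProtection -or $cache.LockingPercent -lt 100) {
    Write-Warning "Cache hardening missing on $DnsServer; enabling it."
    Set-DnsServerCache -ComputerName $DnsServer `
        -EnablePollutionProtection $true -LockingPercent 100
}
Get-DnsServerCache -ComputerName $DnsServer |
    Select-Object EnablePollutionProtection, LockingPercent, MaxTtl

# --- 2. Authoritative nameserver diversity ------------------------------------
# Resolve the zone's NS records, then each nameserver's address, and warn if
# there are fewer than two resolvable servers or all of them share one /24.
$ns = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
      Where-Object { $_.Type -eq 'NS' }

$addrs = foreach ($r in $ns) {
    Resolve-DnsName -Name $r.NameHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object {
            [pscustomobject]@{
                Host = $r.NameHost
                IP   = $_.IPAddress
                Net  = ($_.IPAddress -replace '\.\d+$', '.0/24')
            }
        }
}
$addrs | Format-Table -AutoSize

if (@($addrs).Count -lt 2) {
    Write-Warning "$Zone has fewer than two resolvable authoritative nameservers."
} elseif (@($addrs.Net | Sort-Object -Unique).Count -lt 2) {
    Write-Warning "All nameservers for $Zone sit in the same /24; one outage or hijack takes the whole zone down."
}
```

The /24 test is deliberately crude: two servers in different /24s of the same provider still share a single point of failure, so treat a pass as a prompt to confirm the second server really is on a separately routed network, not as proof.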

And under no circumstances should workstations be using any manner of DNS caching services. DNS caching is for DNS servers; these servers should focus solely on this task. Companies must take steps to secure the DNS servers and distribute them on separate networks to prevent would-be attackers from hijacking or poisoning them with incorrect information.

I'm disappointed in Microsoft and Symantec: Shame on them for not learning from history that DNS is a service that should place security first.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
