It’s Always DNS – But Not in the Way You May Think

A good primer on some DNS-related security issues. If your network is big enough you should also implement split DNS so that you have greater control over where your internet traffic ends up…:

[…] The security of DNS thus is vital to the functioning of the Internet today. The bad news is that out of the box, of the CIA triad (confidentiality, integrity and availability), DNS provides none.

DNS requests and responses are sent in the clear so that your ISP or any entity tapping the Internet cables can see the requests being made from your devices. They can also modify the responses or even block them altogether.

This isn’t a theoretical risk. The country I live in requires ISPs to send users trying to access an unlicensed or foreign gambling site to a government webpage by having their resolvers (the servers that handle DNS responses) return a different IP address. This can be easily bypassed by using a foreign resolver instead, but some countries force ISPs to modify or block even requests to resolvers beyond their control, thus effectively blocking access to certain websites and services.

This kind of censorship isn’t the only security concern with DNS, though. Changing the DNS responses when someone is trying to access a banking or webmail site would make for effective phishing. Thankfully, the ubiquity of HTTPS and related protocols means that in such cases, the browser will usually throw an error rather than display the fake website.


Original article