DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)

DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual 529432-003
Understanding DNS Security Threats
Different levels of security exist for your DNS implementation on the NonStop server,
depending on whether you are using DNS servers for local address resolution or using
them in the broader domain name system on the Internet. Planning for DNS security
involves understanding the nature of security threats in the DNS environment and the
tools and techniques for mitigating those threats.

To assess the potential threats and the possible countermeasures in a DNS network,
you must first understand the normal data flows in a DNS system and the areas that
are potential sources of threat. You must determine what areas you want to secure and
the threat level you want to secure against.

The first step in a good security plan is to audit which threats are applicable and
determine how seriously you rate these threats. For example, if you do not use dynamic
updates, there is no dynamic update threat.

The classification of threats in this subsection helps in selecting appropriate remedies
and strategies for avoiding threats or securing the system.

h_errno is replaced by lwres_h_errno
getipnodebyname is replaced by lwres_getipnodebyname
getipnodebyaddr is replaced by lwres_getipnodebyaddr
freehostent is replaced by lwres_freehostent

Note. The further you go from the master server, the more complicated the security solution
and the implementation. For this reason, you should start from the master server and work
outward.

Table 3-1. DNS Security Threats

Area              Threat
Zone files        File corruption (malicious or accidental). This is a local threat.
Zone Transfers    IP address spoofing (impersonating update source). This is a server-to-server threat.
Dynamic updates   Unauthorized updates, IP address spoofing (impersonating update source). This is a server-to-server threat.
Remote queries    Cache poisoning by IP spoofing, data interception, or a subverted master or slave. This is a server-to-client threat.
Resolver queries  Data interception, poisoned cache, subverted master or slave, local IP spoofing. This is a remote client-to-client threat.
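
The audit step described above can be sketched in code. This is an added example, not part of the HP manual: it reads a server configuration and reports, per zone, which Table 3-1 areas are actually exposed. It assumes a BIND 9 style named.conf; the sample configuration, the function names, and the mapping of statements to threat areas are this example's own, and resolver queries are left out because they are a client-side concern that the server configuration does not show.

```python
import re

# Constructed sample in BIND 9 named.conf syntax (assumed format; not from the manual).
SAMPLE_CONF = '''
options { recursion yes; allow-transfer { none; }; };
zone "example.com" {
    type master; file "example.com.zone";
    allow-transfer { 192.0.2.53; };   // one slave
    allow-update { 192.0.2.10; };
};
zone "internal.example" { type master; file "internal.zone"; };
'''

def _block(text, start):
    """Return the body of the brace block whose '{' ends at index start."""
    depth, i = 1, start
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def _acl(body, stmt):
    """Elements of `stmt { ... };` in body, or None when the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(stmt), body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def applicable_threats(conf):
    """Map each zone to the Table 3-1 threat areas its configuration exposes."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    opt = re.search(r"^\s*options\s*\{", conf, re.M)
    options = _block(conf, opt.end()) if opt else ""
    recursive = not re.search(r"\brecursion\s+no\s*;", options)  # BIND default: yes
    result = {}
    for z in re.finditer(r'^\s*zone\s+"([^"\n]+)"[^{;]*\{', conf, re.M):
        body = _block(conf, z.end())
        areas = ["Zone files"] if re.search(r'\bfile\s+"', body) else []
        xfer = _acl(body, "allow-transfer")
        if xfer is None:
            xfer = _acl(options, "allow-transfer")  # inherit the global setting
        if xfer != ["none"]:                        # absent everywhere = any host
            areas.append("Zone Transfers")
        upd = _acl(body, "allow-update")
        if (upd is not None and upd != ["none"]) or "update-policy" in body:
            areas.append("Dynamic updates")
        if recursive:                               # server queries and caches remote data
            areas.append("Remote queries")
        result[z.group(1)] = areas
    return result
```

In the sample, internal.example inherits the global `allow-transfer { none; }` and has no update statement, so only the zone file and remote query areas remain to be rated for it.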