IT Baseline Protection Manual S 4.96 Deactivating DNS

S 4.96 Deactivating DNS

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

An Internet server does not normally need DNS (Domain Name System) in order to provide information, unless it is used to send e-mail, which is not advisable anyway (see also S 4.97 One service per server in this connection). On most WWW servers, DNS is only used to write computer names instead of IP addresses into the respective log files. This conversion of IP addresses into computer names can just as well be performed later, during analysis of the log files. Handling of the log files is then a little more cumbersome, but the integrity of the logged data is increased, because the mapping of an IP address to a computer name is neither unique nor static: a name resolved at logging time cannot be verified afterwards, whereas the raw IP address can be resolved and checked at any later point. Dispensing with DNS also provides additional protection against DNS spoofing (see S 5.59 Protection against DNS spoofing) and often boosts the performance of the Internet server.
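As an added illustration of the deferred conversion described above (example code, not part of the BSI catalogue), the following script parses log lines that were written with DNS lookups disabled, keeps the raw IP address intact, and only attaches a host name at analysis time. The log lines and the PTR/A lookup tables are constructed so that the example runs offline; the forward-confirmation check (the name obtained from the reverse lookup must resolve back to the original IP) is an analyst's check added here, not a step from the measure itself.

```python
import re
from datetime import datetime, timezone

# Common Log Format lines as a server without DNS lookups writes them:
# raw client IPs only. Constructed sample data, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/1999:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [10/Jul/1999:12:00:05 +0000] "GET /cgi-bin/test HTTP/1.0" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_clf(text):
    """Parse Common Log Format lines into dicts; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def resolve_later(records, reverse, forward, now=None):
    """Annotate records with names resolved at analysis time, not logging time.

    reverse(ip) -> name or None (PTR lookup); forward(name) -> set of IPs (A lookup).
    The raw IP is never replaced. 'host_confirmed' is True only when the name
    from the reverse lookup resolves forward to the very IP that was logged,
    which guards against a PTR record pointing at a name the sender does not own.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    out = []
    for r in records:
        name = reverse(r["ip"])
        confirmed = bool(name) and r["ip"] in forward(name)
        out.append({**r, "host": name, "host_confirmed": confirmed, "resolved_at": stamp})
    return out

# Constructed lookup tables standing in for real PTR and A queries (offline).
FAKE_PTR = {"192.0.2.10": "www.example.net", "198.51.100.7": "mail.example.org"}
FAKE_A = {"www.example.net": {"192.0.2.10"}, "mail.example.org": {"203.0.113.9"}}

def demo():
    """Run the deferred resolution over the sample log with the fake resolvers."""
    fixed_time = datetime(1999, 7, 10, 13, 0, tzinfo=timezone.utc)
    return resolve_later(parse_clf(SAMPLE_LOG), FAKE_PTR.get,
                         lambda n: FAKE_A.get(n, set()), now=fixed_time)

if __name__ == "__main__":
    for rec in demo():
        print(rec["ip"], rec["host"], "confirmed" if rec["host_confirmed"] else "UNCONFIRMED")
```

With real resolvers, `socket.gethostbyaddr` and `socket.gethostbyname_ex` from the standard library can be passed in place of the fake tables.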

The following scenario illustrates possible negative consequences:

Let us assume that an attacker has his own domain with a test PC. At the same time, the test PC is also the DNS server for this domain. He uses the test PC to establish a connection to an Internet server. At the start of the connection request the Internet server only knows the IP address of the test PC, and tries to obtain the computer name of the test PC via DNS. To be able to do this, the operating system has to establish a connection to a DNS server, which in turn has to retrieve the data from the test PC, because the latter is the DNS server for the attacker's domain. Instead of replying to the DNS server of the Internet server, the attacker can now also send any response directly to the Internet server itself (using IP spoofing; see T 5.78). In this way the attacker is able to send data not only to the DNS server as such but also directly to the Internet server. Any flaws in the Internet server's operating system could therefore be exploited.

Note: If, for example, access to a WWW server is to be allowed from only one specific domain (e.g. only *.de), it is not possible to dispense with DNS. Access protection of this nature is very weak, however, and is therefore not recommended.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999