IT Baseline Protection Manual S 5.59 Protection against DNS spoofing

S 5.59 Protection against DNS spoofing

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

A threat from DNS spoofing can arise when authentication is performed using computer names. Host-based authentication, which means that permissions are granted on the basis of computer names or IP addresses, should be protected with one (or a combination) of the following measures:

  1. IP addresses should be used, not host names.
  2. If host names are used, they should all be resolved locally (entries in the file /etc/hosts).
  3. If host names are used and cannot be resolved locally, all names should be resolved directly by a name server which acts as primary or secondary name server, i.e. stores the names permanently instead of in a temporary cache.

The first configuration provides the highest security, the third provides the lowest security. The aim of these measures is to perform a mapping between IP addresses and computer names in a secure environment. If name resolution cannot be performed directly, i.e. if a temporary cache is made use of, then host-based access should never be allowed via a host name.
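The following Python example is added here to illustrate the first two measures in code; it is not part of the BSI manual. It assumes a constructed /etc/hosts-style table and a constructed allow list, and it shows a host-based access check that decides on IP addresses (measure 1) and, where a name is offered, resolves that name only from the static local table, never through a resolver cache (measure 2). A name that is absent from the local table is simply refused rather than looked up via DNS.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample of an /etc/hosts file (not taken from the original page).
SAMPLE_HOSTS = """\
# static name table - constructed example
127.0.0.1    localhost
192.0.2.10   fileserver.example.test fileserver
192.0.2.11   backup.example.test
2001:db8::5  admin.example.test
"""


def parse_hosts(text: str) -> Dict[str, Address]:
    """Parse /etc/hosts-style text into a name -> address map.

    Comments and blank lines are skipped, every alias on a line maps to
    that line's address, and the first mapping for a name wins, as the
    resolver does with the files database.
    """
    table: Dict[str, Address] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: ignore the entry
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


class HostBasedAccess:
    """Host-based access control that never consults a DNS cache."""

    def __init__(self, allowed_ips: Iterable[str], hosts_text: str) -> None:
        # The allow list is kept as addresses, so the decision needs no name lookup.
        self.allowed = {ipaddress.ip_address(a) for a in allowed_ips}
        # The only name source is the static local table (measure 2).
        self.local_names = parse_hosts(hosts_text)

    def allowed_by_ip(self, client_ip: str) -> bool:
        """Measure 1: grant or refuse on the peer address alone."""
        return ipaddress.ip_address(client_ip) in self.allowed

    def resolve_locally(self, name: str) -> Optional[Address]:
        """Measure 2: resolve from /etc/hosts entries only; no DNS fallback."""
        return self.local_names.get(name.lower())

    def allowed_by_name(self, name: str) -> bool:
        """Accept a name only if the static table maps it to an allowed address."""
        addr = self.resolve_locally(name)
        return addr is not None and addr in self.allowed


if __name__ == "__main__":
    acl = HostBasedAccess(["192.0.2.10", "2001:db8::5"], SAMPLE_HOSTS)
    print("by ip  192.0.2.10          ->", acl.allowed_by_ip("192.0.2.10"))
    print("by name fileserver         ->", acl.allowed_by_name("fileserver"))
    print("by name backup.example.test->", acl.allowed_by_name("backup.example.test"))
    print("by name unknown.example.test->", acl.allowed_by_name("unknown.example.test"))
```

The unknown-name case is the one that matters: a check that fell back to the system resolver here would be deciding on whatever a cache (or a spoofed answer) returned, which is exactly what the measure rules out.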


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999