468 Chapter 11 ■ Secure Network Architecture and Securing Network Components
Originally, DNS was handled by a static local file known as the HOSTS file. This file still exists, but a dynamic DNS query system has mostly replaced it, especially for large private networks as well as the internet. When client software points to an FQDN, the protocol stack initiates a DNS query in order to resolve the name into an IP address that can be used in the construction of the IP header. The resolution process first checks the local DNS cache to see whether the answer is already known. The DNS cache consists of preloaded content from the local HOSTS file plus any DNS queries performed during the current boot session (that haven’t timed out). If the needed answer isn’t in the cache, a DNS query is sent to the DNS server indicated in the local IP configuration. The process of resolving the query is interesting and complex, but most of it isn’t relevant to the (ISC)² CISSP exam.
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers (zone file exchanges between DNS servers), for special manual queries, or when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.
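The following Python stub-resolver fragment is an added example, not code from the book: it builds a DNS query, decodes the header, and shows the checks a client applies before trusting a UDP answer (transaction ID and question section must match what was sent, and a set TC flag means the answer exceeded the UDP datagram and must be re-requested over TCP port 53). The `make_response` helper only constructs sample responses for the demonstration; it does not talk to a real server.

```python
import random
import struct

def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (12-byte header + one question). Returns (txid, packet)."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD (recursion desired)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QTYPE=A, QCLASS=IN

def parse_header(packet):
    """Decode the DNS header; TC is the 'truncated' flag set when a UDP answer was cut short."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def question_length(packet):
    """Byte length of the first question section (labels, root byte, QTYPE, QCLASS)."""
    i = 12
    while packet[i] != 0:
        i += 1 + packet[i]
    return i + 1 + 4 - 12

def check_response(query, response):
    """Sanity checks before a resolver trusts a UDP answer: it must be a response whose
    transaction ID and question section match the query that was actually sent (an
    answer that fails this is discarded rather than cached). Returns "accept",
    "reject", or "retry_tcp" when TC says the full answer did not fit in a datagram."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"] or r["qdcount"] != 1:
        return "reject"
    n = question_length(query)
    if response[12:12 + n] != query[12:12 + n]:
        return "reject"
    return "retry_tcp" if r["tc"] else "accept"

def make_response(query, tc=False, txid=None):
    """Constructed sample response for the demonstration (not real server output):
    echoes the query's question back with a chosen transaction ID and TC flag."""
    txid = parse_header(query)["id"] if txid is None else txid
    flags = 0x8180 | (0x0200 if tc else 0)   # QR, RD, RA (+ TC when requested)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:12 + question_length(query)]

if __name__ == "__main__":
    txid, q = build_query("example.com", txid=0x1234)
    print(check_response(q, make_response(q)))               # accept
    print(check_response(q, make_response(q, txid=0x4321)))  # reject
    print(check_response(q, make_response(q, tc=True)))      # retry_tcp
```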
Domain Name System Security Extensions (DNSSEC) is a security improvement to the existing DNS infrastructure. The primary function of DNSSEC is to provide reliable authentication between devices during DNS operations. DNSSEC has been implemented across a significant portion of the DNS system. Each DNS server is issued a digital certificate, which is then used to perform mutual certificate authentication. The goal of DNSSEC is to prevent a range of DNS abuses where false data can be injected into the resolution process. Once fully implemented, DNSSEC will significantly reduce server-focused DNS abuses.
Further reading on DNS
For an excellent primer-to-advanced discussion on DNS, its operation, known issues, and the Dan Kaminsky vulnerability, please visit “An Illustrated Guide to the Kaminsky DNS Vulnerability”: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
For a look into the future of DNS, specifically the defense against the Kaminsky vulnerability, visit www.dnssec.net.
DNS Poisoning
DNS poisoning is the act of falsifying the DNS information used by a client to reach a desired system. It can take place in many ways. Whenever a client needs to resolve a DNS name into an IP address, it may go through the following process: