5.13 Secure Network Configuration: DNS


9 hours 48 minutes
Video Transcription
DNS. Hey, who controls DNS controls the world, and I always say the root of all good and evil is DNS, because it's so powerful. Such a powerful network service that, of course, that makes it more desirable to attackers.
So there are a million things an attacker can do to compromise security,
uh, just by manipulating DNS. Footprinting the network: DNS knows where your various sites are. DNS knows where those critical servers are. DNS knows your IP configuration, your naming configuration. So just to get my hands on a zone transfer,
it would give me a ton of information,
or, you know, just real basic commands, like nslookup. If the servers aren't locked down to prevent those queries, I could just get a slew of information. So footprinting the network often happens before, and is made easier by an accessible DNS server.
DoS attacks. If DNS is down, the network is down.
A while back there was a massive denial-of-service attack on some major Internet players. And if I'm not mistaken, I think Amazon, I think
these, I think, just some of the huge network players, and what was interesting is those individual organizations were targeted, but the DNS server that handles name resolution for these individual organizations. So I don't have to target an attack at 30 different networks.
If all 30 of them were using the same DNS server,
you get that DNS service and nobody can access anything. I mean, again, we don't think in terms of IP addresses. Now, make no mistake, it's not easy to take down an organizational DNS server. I think the company's name was Dyn. So of course, there's lots of monitoring, redundancy.
This just isn't, you know, a matter of just
thumping a system and crippling Amazon or whatever. It was a very elevated attack. Interestingly enough, that attack used the Internet of Things, IoT, and we've got a lot of devices connected to our home networks. Very powerful tool for an attacker. So we're going to see that
that was a denial-of-service attack.
The network doesn't run without DNS. You take DNS down, you take down everybody.
Data modification of a DNS server. DNS stores what it knows in a database. If you modify the database, you can redirect users to rogue devices, and that allows spoofing, you know, the impersonation. I've got a spoofed website;
you have been tricked into using my DNS server, and I redirect you to the spoofed website, and some sort of activity that's illicit happens. Maybe I have a form where you enter your user name and password, whatever that is.
But if we're not attacking DNS for denial-of-service purposes, we're trying to either learn about the network with footprinting, or we're trying to redirect users through spoofing, cache poisoning, which is modifying a DNS server's cache, whatever.
When we talk about DNS, it, just like so many other services, is vulnerable. And DNS is vulnerable because of the way the DNS server and DNS clients learn their information. I learn from previous queries.
I query who my system says to query,
right? So if you can modify my host and send me to a DNS server that's a rogue device, not my legitimate server, I'll get information from the rogue. Well, the same idea with DNS servers themselves. DNS servers know what they know by asking other DNS servers.
So if that DNS server could be redirected
or, uh, misdirected to an illegitimate DNS server, well, then the whole process gets mangled up, and we wind up having users redirected and a lot of malicious activity.
So we talk about a good solution. There is something called DNSSEC. These are security extensions that have been designed to work with the DNS service,
ultimately, to get the authentication from other DNS servers. And as I contact other DNS servers, having that degree of assurance that I'm contacting a legitimate root server, .com server,
and that I'm not using a rogue. So it's all about verification, authenticity,
through the use of keys. DNSSEC is essential when we're allowing worldwide DNS communication today.