
DNS plays an important role in a network. It is therefore important for the information in a DNS table to be protected from authorized modification.

Write your paper on protecting the information in a DNS table.

Solution

The DNS protocol leverages the User Datagram Protocol (UDP) for the majority of its operations. UDP is a connectionless protocol and, as such, it can be easily spoofed. Many of the attacks described in this document rely on spoofing to be successful.

Several security controls can be implemented to limit spoofing. These controls are described in the following sections.

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (Unicast RPF) is a feature that can reduce the effectiveness of packets with spoofed source addresses. A network device using Unicast RPF evaluates the source of each IP packet against its local routing table in order to determine source address validity. While it can detect and filter some spoofed traffic, Unicast RPF does not provide complete protection against spoofing because spoofed and valid packets with the same source address may arrive on the same interface.

Unicast RPF operates in two modes: strict and loose. In strict mode, the Unicast RPF feature uses the local routing table to determine if the source address within a packet is reachable through the interface on which the packet was received. If it is reachable, the packet is permitted; if it is not, the packet is dropped. Strict mode Unicast RPF is best deployed on network boundaries where traffic asymmetry is not prevalent.

Strict mode Unicast RPF is enabled on Cisco IOS devices using the interface configuration command ip verify unicast source reachable-via rx; the previous format of this command was ip verify unicast reverse-path. Strict mode Unicast RPF can be enabled on the Cisco PIX, ASA, and FWSM firewalls using the ip verify reverse-path interface interface configuration command.

In loose mode Unicast RPF, if the source address of a packet is reachable through any interface on the Unicast RPF enabled device, the packet is permitted. If the source address of the IP packet is not present in the routing table, the packet is dropped. Loose mode Unicast RPF can be enabled on Cisco IOS devices using the ip verify source reachable-via any interface configuration command; loose mode Unicast RPF is not available on Cisco PIX, ASA or FWSM firewalls.

More information about Unicast RPF is available in the Applied Intelligence Understanding Unicast Reverse Path Forwarding white paper.

IP Source Guard

IP source guard is a Layer 2 security feature that builds upon Unicast RPF and DHCP snooping to filter spoofed traffic on individual switch ports. DHCP snooping, which is a prerequisite of IP source guard, inspects DHCP traffic within a VLAN to understand which IP addresses have been assigned to which network devices on which physical switch port. Once this information has been gathered and stored in the DHCP snooping bindings table, IP source guard is able to leverage it to filter IP packets received by a network device. If a packet is received with a source address that does not match the DHCP snooping bindings table, the packet is dropped.

The implementation of IP source guard within the access layer of a network can effectively eliminate the origination of spoofed IP traffic. However, because it requires DHCP to remain manageable, it is not possible to deploy IP source guard on internal-to-external network boundaries.
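As an added illustration, not part of the original answer or of Cisco's documentation, the following Python model implements the strict and loose Unicast RPF decisions and the IP source guard binding check described above, run over a constructed routing table and DHCP snooping table. Interface names, prefixes and bindings are made up for the example, and ignoring the default route for the RPF check is an assumption modelled on the IOS default behaviour.

```python
import ipaddress

# Constructed routing table (prefix, next-hop interface) standing in for a
# router's forwarding table. Interface names are made up for the example.
ROUTING_TABLE = [
    ("10.0.0.0/8", "Gi0/1"),      # internal aggregate reached via Gi0/1
    ("10.1.0.0/16", "Gi0/2"),     # more specific internal route via Gi0/2
    ("192.0.2.0/24", "Gi0/0"),    # one upstream prefix via Gi0/0
    ("0.0.0.0/0", "Gi0/0"),       # default route via the upstream
]

def rpf_lookup(src):
    """Longest-prefix match for src, ignoring the default route.
    Ignoring 0.0.0.0/0 is an assumption modelled on the IOS default (no
    allow-default keyword): a default route alone does not make a source
    'reachable' for the uRPF check."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(src, ingress, mode):
    """Unicast RPF verdict for a packet from src received on ingress.
    strict: the route back to src must point out the ingress interface.
    loose:  any non-default route to src is enough."""
    via = rpf_lookup(src)
    if via is None:
        return False                      # source not in the table: drop
    if mode == "strict":
        return via == ingress
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")

# Constructed DHCP snooping bindings: (switch port, assigned IP) pairs.
DHCP_BINDINGS = {("Fa0/1", "10.1.2.3"), ("Fa0/2", "10.1.2.4")}

def ipsg_permits(src, port):
    """IP source guard: permit only if (port, src) is in the snooping table."""
    return (port, src) in DHCP_BINDINGS

if __name__ == "__main__":
    # An internal address arriving from the upstream: only strict mode drops it.
    for mode in ("strict", "loose"):
        verdict = "permit" if urpf_permits("10.5.0.1", "Gi0/0", mode) else "drop"
        print(mode, "10.5.0.1 via Gi0/0 ->", verdict)
```

The 10.1.2.3-on-Gi0/1 case shows the asymmetric-routing false positive the answer warns about: strict mode drops a legitimate packet whose return route points out a different interface, while loose mode permits it but also lets an internal address spoofed from the upstream through.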
