
My infrastructure doesn't have an internal DNS server, so I just forward any DNS request to external DNS servers by iptables rules.

I wonder how risky that can be, and how easy it is to spoof DNS or build an attack based on that?

Is there a better solution, if I don't want to set up an internal DNS server?

Adam
  • "How risky" is an impossible question to answer. How do *you* measure risk? – Ron Trunk Feb 29 '16 at 01:33
  • Risk like hacking, spoofing, that is what I meant – Adam Feb 29 '16 at 01:43
  • That doesn't help. You're asking us to measure risk, but against what? What scale would you like us to use? How risky is "too risky?" – Ron Trunk Feb 29 '16 at 01:45
  • I am sorry for not being so clear, I am quite new to this field; yes, I want to know if it is highly risky against spoofing, hacking. – Adam Feb 29 '16 at 01:49
  • I'm sorry Adam, but the way you've asked the question makes it impossible to answer. Yes, there is risk. Is it too much risk? Only you can answer that. – Ron Trunk Feb 29 '16 at 01:52
  • I have some servers on the same network, but I don't have any DNS server, so I will allow all the machines to send DNS requests to external DNS servers, but I am not sure if that is a good idea, if that is too risky, or would make it easy to spoof DNS and make my network accessible. And if that is too risky, what other possible solution is there in this case for a DNS server? – Adam Feb 29 '16 at 01:53
  • As I said, I have no idea if it is "too risky" for you. It may be fine for some people, but unacceptable for others. It depends what information you are trying to protect, what the cost of compromise might be, etc. – Ron Trunk Feb 29 '16 at 01:56
  • It is sensitive information for the company in the servers, so let's say it is risky; are there any other options to enable DNS service with less risk? – Adam Feb 29 '16 at 02:15
  • @RonTrunk I think it's pretty clear that the OP is meaning to ask what the risks may be (as in, what specific attacks may be possible), and not asking us to rate the risks - that the OP doesn't even know about - on e.g. a scale from 1 to 10 regarding the specific situation they are in. – tim Feb 29 '16 at 09:49

2 Answers


Here's what we can tell you:

  • Public DNS records are publicly accessible
  • Parts of the public DNS system can be subverted by a sufficiently advanced attacker, unless measures like DNSSEC are taken and enforced

From these we can see several issues under the following scenario:

  • You have internal services but you used public DNS to map their names to your internal IPs.

    • An attacker could conceivably take over the external DNS to redirect traffic from your internal IP addresses to a server they control, possibly outside your internal network. This can be prevented by strong authentication between your internal servers, by network controls that prevent most internal servers from connecting to external addresses, or by requiring DNSSEC records. However, when you have thousands of different services, this may be unfeasible.
  • You have internal services with names that disclose who your partners are and what systems you have internally. This can be a business privacy issue, as your business may not want just anyone to be able to list who you have worked with. There's nothing you can do about this; public DNS is a public record. You should run internal DNS if you don't want your names to be used to infer what partners or internal systems you are running.

If these are a problem for you, then you should probably run your own internal DNS system.

Lie Ryan
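As an added example (not part of Lie Ryan's answer), the following Python script audits a set of public DNS answers for the two scenarios above: names that resolve into internal address space, and names whose labels reveal internal systems. The names, addresses and keyword list are constructed assumptions, not real records.

```python
"""Audit public DNS answers for the two scenarios above: internal addresses
published under public names, and names that reveal internal systems."""
import ipaddress
from typing import Dict, List

# Ranges that should never appear in a public answer for an organisation's zone.
# Listed explicitly instead of using ipaddress.is_private, which also treats
# documentation space (e.g. 203.0.113.0/24, 2001:db8::/32) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                  # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

# Hostname labels that tend to reveal internal systems (heuristic; extend per org).
SENSITIVE_LABELS = ("intranet", "vpn", "build", "jenkins", "git", "ldap", "sql", "backup")

# Constructed sample of what a public resolver returned for one zone
# (hypothetical names and addresses, not real records).
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.20.30.40"],
    "git.example.com": ["203.0.113.20", "192.168.5.5"],
    "mail.example.com": ["2001:db8::25"],
    "build.example.com": ["fd00:1234::7"],
}


def is_internal(addr: str) -> bool:
    """True if addr falls in a range that has no business in public DNS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)  # v4-in-v6 membership is False


def audit(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {name: [finding, ...]} for every name with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for name, addrs in answers.items():
        notes = [f"internal address published: {a}" for a in addrs if is_internal(a)]
        labels = name.lower().rstrip(".").split(".")
        notes += [f"name reveals internal system: {w}" for w in SENSITIVE_LABELS if w in labels]
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_ANSWERS).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Feeding it the answers a public resolver actually returns for your zone (e.g. from `dig`) turns Lie Ryan's first scenario into a repeatable check rather than a one-off review.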

I don't think you understand how DNS works. But it is quite easy, so let me explain to you how. Basically you can think of it as a tree of information, and every branch from the root is divided by a dot. So let's say we want www.example.com. First the DNS server checks if it knows this address; if it doesn't, it queries some other DNS server. In our example the DNS server didn't know this domain, so it queries the root server .com. Then it queries the example server www.example.com.

All this traffic is external to your network if you aren't the NSA. Which means even if you have an internal DNS server, it is going to do lookups external to your LAN and you can't change that (well, you could try to download all the DNS records onto your box, but that wouldn't work).

Assess the risk yourself. Stay safe.