DNS poisoning redirects victims to hosts an attacker controls, which makes it a delivery mechanism for crimeware: identity theft through look-alike login pages, sales of fake anti-virus, and malware installed without the user's knowledge. The consequences can be severe, up to a victim being blamed for a crime committed from or through their own machine.
Preventing DNS poisoning:
The first thing we can do to prevent DNS poisoning is to keep the DNS server software current. When this guidance was written, DNS based on BIND 9.3.x or Microsoft Windows Server 2003 was far more secure than earlier implementations; both are now long out of support. Later releases also randomize the UDP source port of outgoing queries, which, combined with the 16-bit transaction ID, makes it far harder for an attacker to blindly forge a matching response. Run a supported release and apply vendor patches promptly.
Recursion should be limited to internal DNS servers. If a server must be reachable from the Internet, accept recursive queries only from internal addresses and answer everyone else authoritatively, without recursion. An open resolver lets outside systems trigger exactly the lookups an attacker needs to race with forged answers.
Many cache poisoning attacks can be prevented by having a DNS server trust less of what other DNS servers pass to it: ignore any record in a response that is not directly relevant to the query, and in particular discard records whose owner name lies outside the zone (the bailiwick) of the server that was asked. A response to a query for a host in example.com must never be allowed to install an A record for a bank's hostname through its additional section. Cryptography adds protection these heuristics cannot: rather than limiting which forged data is accepted, it lets the server detect that data was forged.
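The checks just described, as an added example that is not code from the original page: the transaction ID and question section of a response are matched against the outstanding query, and every record whose owner name falls outside the queried server's bailiwick is dropped before anything is cached. The names, addresses and the smuggled out-of-bailiwick record are constructed sample data; the message builder and parser are minimal ones written for this illustration (the parser does handle name compression pointers).

```python
import struct

A, NS, IN = 1, 2, 1   # RR types / class used in the constructed sample


def encode_name(name):
    """Wire-encode a dotted name ("www.example.com." -> length-prefixed labels + root)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # resume after the pointer
            off, hops = ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_message(txid, flags, questions, answer=(), authority=(), additional=()):
    """Build an uncompressed DNS message; RRs are (owner, type, class, ttl, rdata)."""
    msg = struct.pack("!HHHHHH", txid, flags, len(questions),
                      len(answer), len(authority), len(additional))
    for name, qtype, qclass in questions:
        msg += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in (*answer, *authority, *additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    """Parse the header, question section and the three RR sections into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    parsed = {"id": txid, "flags": flags, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        parsed[section] = rrs
    return parsed


def in_bailiwick(owner, zone):
    """True if owner is the zone apex itself or a name below it."""
    return owner == zone or owner.endswith("." + zone)


def validate_response(query, response, zone):
    """Reject the response unless ID, QR bit and question match the query; then
    split its records into those inside the queried server's bailiwick and those outside."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"]:
        raise ValueError("transaction ID mismatch: possible spoofed response")
    if not r["flags"] & 0x8000:
        raise ValueError("QR bit not set: not a response")
    if r["questions"] != q["questions"]:
        raise ValueError("question section does not match the outstanding query")
    accepted, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for rr in r[section]:
            (accepted if in_bailiwick(rr[0], zone) else rejected).append((section, rr))
    return accepted, rejected


def demo():
    """Constructed exchange: a legitimate answer from example.com's server with one
    out-of-bailiwick additional record (www.bank.test) smuggled in."""
    question = [("www.example.com.", A, IN)]
    query = build_message(0x1234, 0x0100, question)
    response = build_message(
        0x1234, 0x8180, question,
        answer=[("www.example.com.", A, IN, 300, bytes([192, 0, 2, 10]))],
        authority=[("example.com.", NS, IN, 3600, encode_name("ns1.example.com."))],
        additional=[("ns1.example.com.", A, IN, 3600, bytes([192, 0, 2, 53])),
                    ("www.bank.test.", A, IN, 86400, bytes([198, 51, 100, 66]))])
    return validate_response(query, response, "example.com.")


if __name__ == "__main__":
    accepted, rejected = demo()
    for section, rr in rejected:
        print(f"dropped out-of-bailiwick {section} record for {rr[0]}")
    print(f"cached {len(accepted)} records, dropped {len(rejected)}")
```

The ID and question checks are what source-port randomization strengthens: an attacker who must also guess the port has roughly 2^32 combinations to hit instead of 2^16. The bailiwick check is what stops a correctly guessed (or legitimately received) response from carrying unrelated records into the cache.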
DNSSEC adds authentication to DNS, not encryption: zone data is signed with the zone's private key, the matching public key is published in DNSKEY records, and a chain of DS records from the root lets a validating resolver verify the signature on every answer it receives. A forged answer carries no valid signature and is discarded, so DNSSEC counters cache poisoning directly. On the client side, general hygiene still matters: clearing cookies after visiting a suspicious site, running a good firewall, and updating Internet security definitions (anti-virus and intrusion signatures) regularly all limit the damage if a poisoned answer does get through.
- Use TSIG to sign zone transfers and zone updates. TSIG is an HMAC over the message computed with a shared secret, so a receiving server can reject any transfer or update that does not come from the expected authoritative source; forcing the sender to identify itself this way is one of the best ways to prevent poisoning of a secondary.
- Restrict dynamic DNS updates when possible, and require TSIG where they are needed.
- Hide the version of BIND being used on the DNS servers (this slows reconnaissance but is no substitute for patching).
- Remove unnecessary services running on the DNS servers, and prefer dedicated appliances or single-purpose hosts over multi-purpose servers, which expose additional unauthenticated services to attack.
- Physically separate external (authoritative) and internal (recursive) DNS servers.
- Restrict zone transfers to known secondary servers.
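The recursion restriction described earlier and the hardening items in the list above, collected into one BIND 9 named.conf fragment as an added example; it is not configuration from the original page, and the ACL ranges, key name, zone name and file names are assumptions. The weak open-resolver setting is shown commented out beside the corrected one.

```conf
// Added example, not the page's own configuration. BIND 9 named.conf fragment;
// ACL ranges, key name, zone name and file names are assumptions.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// Shared secret for TSIG; generate one with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

options {
    directory "/var/named";

    // Weak (open resolver): anyone on the Internet can make this server recurse
    //   recursion yes;
    //   allow-recursion { any; };
    // Corrected: recurse, and hand out cached data, only for internal clients
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    allow-transfer { none; };        // deny transfers globally; enable per zone below
    version "none";                  // hide the BIND version (reconnaissance only, not a fix)
    dnssec-validation auto;          // validate signed answers using the built-in root trust anchor
};

// On a split deployment this zone lives on the external, authoritative server,
// which should additionally set "recursion no;" in its options block.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { key "xfer-key"; };   // transfers only to peers that sign with the TSIG key
    allow-update { none; };               // no dynamic updates; use { key "xfer-key"; } if required
};
```

The secondary server needs the same `key` block and a `server` statement naming the key for the primary's address; without it, its transfer requests are unsigned and the primary's `allow-transfer` rejects them.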