DNS security information

The Domain Name System (DNS) is vulnerable to attackers because it was originally designed as an open protocol. Windows Server 2003 DNS adds security features that improve your ability to prevent attacks on your DNS infrastructure.

Before deciding which of these security features to use, and what level of DNS security your organisation needs, you should be aware of the common threats to DNS security.

DNS security threats

The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

Footprinting

Footprinting is the process by which an attacker obtains DNS zone data. This data provides the attacker with the DNS domain names, computer names and IP addresses of sensitive network resources.

An attacker will commonly begin an attack by using this DNS data to diagram, or footprint, the network. DNS domain and computer names usually indicate the function or location of a domain or computer, so that users can remember and identify domains and computers more easily.

An attacker takes advantage of the same naming principle to learn the function or location of domains and computers in the network.

Redirection

Redirection is when an attacker is able to redirect queries for DNS names to servers under the attacker's control. One method of redirection is an attempt to pollute the cache of a DNS server with erroneous DNS data, so that future queries are directed to servers under the attacker's control.

For example, if a query were originally made for example.ukfast.net and the referral answer included a record for a name outside the ukfast.net domain, such as malicious-user.com, a DNS server that cached that record would later use the cached data for malicious-user.com to resolve a query for that name.

Redirection can also be accomplished whenever an attacker has write access to DNS data, for example through insecure dynamic updates.
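The cache-pollution scenario above comes down to a bailiwick check: a resolver that was referred to a server for ukfast.net should cache only records whose owner names lie within ukfast.net. The following is an added example, not code from the article or from Windows Server 2003 DNS; the names, addresses and class names are constructed for illustration, and the naive cache is shown beside the filtered one to make the difference visible.

```python
from dataclasses import dataclass, field

# Constructed sample data; 192.0.2.0/24 is a documentation range, not a real host.
@dataclass
class ResourceRecord:
    name: str    # owner name as it appears in the response, e.g. "example.ukfast.net."
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # address or target name

def _normalise(name: str) -> str:
    """Canonical form: case-insensitive, trailing dot dropped."""
    return name.rstrip(".").lower()

def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or a name below it.
    Matching on '.' + zone stops 'evilukfast.net' passing as 'ukfast.net'."""
    o, z = _normalise(owner), _normalise(zone)
    return o == z or o.endswith("." + z)

@dataclass
class ResolverCache:
    """secure=True keeps only records the answering server may speak for."""
    secure: bool = True
    entries: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)

    def ingest(self, server_zone: str, records: list) -> "ResolverCache":
        for rr in records:
            if self.secure and not in_bailiwick(rr.name, server_zone):
                self.rejected.append(rr)      # out-of-zone data is dropped, not cached
                continue
            self.entries[(_normalise(rr.name), rr.rtype)] = rr.rdata
        return self

    def lookup(self, name: str, rtype: str):
        return self.entries.get((_normalise(name), rtype))

# A referral from a server for ukfast.net that tries to smuggle in unrelated names.
REFERRAL = [
    ResourceRecord("example.ukfast.net.", "A", "192.0.2.10"),
    ResourceRecord("ns1.ukfast.net.", "A", "192.0.2.53"),
    ResourceRecord("malicious-user.com.", "A", "192.0.2.66"),   # outside ukfast.net
    ResourceRecord("evilukfast.net.", "A", "192.0.2.67"),       # suffix look-alike
]

def secure_cache() -> ResolverCache:
    return ResolverCache(secure=True).ingest("ukfast.net", REFERRAL)

def naive_cache() -> ResolverCache:
    return ResolverCache(secure=False).ingest("ukfast.net", REFERRAL)
```

The naive cache accepts every record in the referral, so a later query for malicious-user.com is answered from the attacker-supplied data; the filtered cache keeps only the two ukfast.net records.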

Data modification

Data modification is an attempt by an attacker who has footprinted a network using DNS to place valid IP addresses in IP packets the attacker has created, giving those packets the appearance of coming from a valid IP address in the network.

This is commonly called IP spoofing. With a valid IP address (an address within the range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

Denial-of-service attack

A denial-of-service attack is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries.

As a DNS server is flooded with queries, its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable.

Without a fully operating DNS server on the network, network services that use DNS will become unavailable to network users.


© UKFast.Net Limited 1999 - 2018. All rights reserved.