论文信息 - Minimizing information leakage in the DNS

Minimizing information leakage in the DNS

The domain name system is the global lookup service for network resources. To protect DNS information, the DNS security extensions have been developed and deployed on branches of the DNS to provide authentication and integrity protection using digital signatures. However, signed DNS nodes were found to have an unfortunate side effect: an attacker can query them as reconnaissance before attacking hosts on a particular network. There are different ways a zone administrator can minimize information leakage and still take advantage of DNSSEC for integrity and source authentication. This article describes the risk and examines the protocol and operational options and looks at their advantages and drawbacks.

Scott Rose | Anastase Nakassis

[1] Ben Laurie,et al. DNS Security (DNSSEC) Hashed Authenticated Denial of Existence , 2008, RFC.

[2] Suresh Krishnaswamy. Split-View DNSSEC Operational Practices , 2007 .

[3] Scott Rose,et al. Resource Records for the DNS Security Extensions , 2005, RFC.

[4] Scott Rose,et al. DNS Security Introduction and Requirements , 2005, RFC.

[5] Scott Rose,et al. Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[6] Scott Rose,et al. Resource Records for the DNS Security Extensions, RFC 4034 | NIST , 2005 .

[7] Scott Rose,et al. DNS Security Introduction and Requirements , 2005, RFC.

[8] Daniel Massey,et al. Protocol Modifications for the DNS Security Extensions RFC 4035 | NIST , 2005 .

[9] Johan Ihren,et al. Minimally Covering NSEC Records and DNSSEC On-line Signing , 2006, RFC.

[10] Wesley Griffin,et al. Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints , 2006, RFC.