Donate
‹ Back
Deploy360 25 April 2012

Microsoft Security TechCenter: DNSSEC and DNS Amplification Attacks

Dan York
By Dan YorkDirector, Web Strategy & Project Lead, Open Standards Everywhere

Security Tech Center LogoWhat are the security risks related to using DNSSEC with regard to “DNS amplification attacks”? In a recent article at Microsoft’s Security Tech Center, Greg Lindsay dives into exactly that question.

First, though, he explains how a DNS amplification attack is a form of a Distributed Denial of Service (DDoS) attack that uses DNS queries combined with source address spoofing to send a large volume of traffic at a target system. He provides some examples of exactly how such an attack could be carried out.

Nicely, we get to see some examples of how DNSSEC will be implemented in the forthcoming Windows 8, both at the command line and in the GUI.  (I will be curious as Windows 8 rolls out to learn more about the “DNSSEC zone signing wizard” apparently available in the DNS Manager.)

He ends with a note that:

Signing a DNS zone and adding DNSSEC records to a DNS response increases the total size of a response, but does not increase the risk for DNS amplification past the existing limit placed on the server for UDP response size. 

Since the TCP conversation cannot be easily spoofed, these additional records do not inherently increase the severity of DNS amplification attacks.

and concludes with useful advice about how to help prevent DNSSEC amplification attacks.

I found it a very useful article regardless of whether you use Microsoft DNS servers or not.  Good to get this kind of information out there so that IT security teams can understand how to address and mitigate potential risks.

 

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Can We Really Blame DNSSEC for Larger-Volume DDoS attacks?
Deploy36022 February 2016

Can We Really Blame DNSSEC for Larger-Volume DDoS attacks?

In its security bulletin, Akamai’s Security Intelligence Response Team (SIRT) reported on abuse of DNS Security Extensions (DNSSEC) when mounting...

CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC)
Deploy36016 January 2014

CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC)

We were very pleased to see this recent post over at the CircleID site, "Domain Name System (DNS) Security Should...

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains
Deploy3602 July 2014

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains

With a great bit of the tech media's attention this week on Microsoft's court-sanctioned seizure of 23 domains from dynamic DNS...

Join the conversation with Internet Society members around the world