10. Security Considerations
10.1 Overall Assessment
The authors believe this RR to not cause any new security problems. Some problems become more visible, though.
10.2 Port-Based Filtering Impact
10.2.1 Fine-Grained Port Specification
The ability to specify ports on a fine-grained basis obviously changes how a router can filter packets.
Implications:
- Blocking External Services: It becomes impossible to block internal clients from accessing specific external services
- Unauthorized Services: Slightly harder to block internal users from running unauthorized services
- Operational Cooperation: More important for the router operations and DNS operations personnel to cooperate
10.3 Denial of Service
There is no way a site can keep its hosts from being referenced as servers. This could lead to denial of service.
Attack Scenario:
- Attacker creates SRV records pointing to victim's hosts
- Large number of clients attempt to connect
- Victim experiences unwanted traffic
10.4 DNS Spoofing Extension
10.4.1 False Port Numbers
With SRV, DNS spoofers can supply false port numbers, as well as host names and addresses.
10.4.2 Risk Assessment
Because this vulnerability exists already, with names and addresses, this is not a new vulnerability, merely a slightly extended one, with little practical effect.
Analysis:
- The fundamental problem is DNS authenticity
- Adding port numbers extends the attack surface minimally
- The real solution is DNSSEC
10.5 Mitigation Strategies
Recommended Defenses:
- DNSSEC
  - Cryptographically sign DNS records
  - Verify record authenticity
- Application Layer Security
  - Use TLS/SSL for service connections
  - Verify server certificates
- Network Segmentation
  - Isolate internal services
  - Implement defense in depth
- Monitoring
  - Log DNS queries
  - Monitor connection attempts
  - Detect anomalous patterns
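As an added example (written for this page, not code from RFC 2782 or the original document), the following Python audit applies the operational-cooperation point of 10.2 and the monitoring item of 10.5: it parses SRV records in zone-file presentation format and flags any record that advertises a port the router policy does not pass, or a target outside the site's own zone. The zone contents, the `parse_zone`/`audit` names and the `allowed_ports` policy format are constructed for illustration; the same check can be run on a resolver's SRV answers before a client connects, as a defense-in-depth check against the false port numbers described in 10.4 where DNSSEC validation is not available.

```python
import re
from collections import namedtuple

# Constructed SRV records in zone-file presentation format (not from the
# original document); "example.com." stands in for the site's own zone.
ZONE = """\
_ldap._tcp.example.com. 3600 IN SRV 0 5 389  ldap1.example.com.
_ldap._tcp.example.com. 3600 IN SRV 1 0 1389 ldap2.example.com.
_imap._tcp.example.com. 3600 IN SRV 0 0 143  mail.other-org.test.
_sip._udp.example.com.  3600 IN SRV 0 0 5060 sip.example.com.
_ftp._tcp.example.com.  3600 IN SRV 0 0 0    .
"""

# owner ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
Srv = namedtuple("Srv", "name priority weight port target")

def parse_zone(text):
    """Parse SRV lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        name, _ttl, pri, weight, port, target = m.groups()
        records.append(Srv(name, int(pri), int(weight), int(port), target))
    return records

def audit(records, site_zone, allowed_ports):
    """Return (owner, port, target, reason) for each record that conflicts
    with router policy; allowed_ports maps a service label such as '_ldap'
    to the ports the router passes for it (an assumed policy format)."""
    findings = []
    for r in records:
        if r.target == ".":  # RFC 2782: a '.' target means the service is not offered
            continue
        service = r.name.split(".")[0]
        if not r.target.endswith("." + site_zone):
            findings.append((r.name, r.port, r.target, "target outside site zone"))
        if r.port not in allowed_ports.get(service, set()):
            findings.append((r.name, r.port, r.target, "port not passed by router policy"))
    return findings

if __name__ == "__main__":
    policy = {"_ldap": {389}, "_imap": {143}, "_sip": {5060}}  # constructed router policy
    for finding in audit(parse_zone(ZONE), "example.com.", policy):
        print(*finding)
```

Run against the constructed zone, the audit reports ldap2 (port 1389 is not in the router's LDAP allow-list) and the IMAP record (target hosted outside example.com.); the LDAP, SIP and FTP records pass.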