DNS and Security
Users of the public DNS data stored in both Tier 1 and Tier 2 of the ENUM
service must be assured that they will receive valid information. Hence, the
core underlying security considerations for the DNS and ENUM service
focus on add, change, and delete security at both the first and second levels
of the solution.
Clients who have authority to add, change, and delete entries in the ENUM
system must be assured that they:
■ Are updating data in the correct server and the correct DNS zone
■ Have uninterrupted access to the data
■ Are allowed to update the data based on presenting valid credentials
Service administrators for both the first and second tiers of the ENUM service
have the responsibility to protect their physical and network resources as
well as to ensure the validity of the DNS data entered in the system.
Tier 2 of the ENUM architecture needs to have secure communications
between the PSTN telephone service provider that owns the phone numbers
and its subscribers. If, for example, a phone is disconnected or the number is
changed, a secure update must be made in the DNS.
When preparing to prevent security breaches, the following types of attacks
must be considered.
Impersonation
Clients attempting to add and update entries in an ENUM service must be able
to unequivocally prove their identity to the DNS system. Spoofing or
misrepresentation of the identity of the originator of the information could allow
unauthorized updates to the database. Invalid or missing data could, in turn,
cause malicious redirection and denial of service, which are discussed later.
The update facility of each ENUM system is responsible for preventing
impersonation attacks.
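The three client requirements listed above (correct zone, valid credentials, rejection of spoofed originators) can be checked at the update facility before any record is written. The following is an added illustration, not code from the book: it models an ENUM update gate using a shared-key HMAC in the style of TSIG-signed DNS dynamic updates (a mechanism the text does not name), with constructed registrant keys and number prefixes, and maps E.164 numbers to their e164.arpa domain as ENUM defines it.

```python
import hmac
import hashlib
import time

# Constructed sample data (assumption, not from the text): each registrant,
# e.g. a PSTN provider, holds a shared secret and owns a set of E.164 prefixes.
REGISTRANT_KEYS = {"carrier-a": b"constructed-secret-a", "carrier-b": b"constructed-secret-b"}
REGISTRANT_PREFIXES = {"carrier-a": ["+4420"], "carrier-b": ["+1212"]}
MAX_SKEW = 300  # seconds; a replayed, previously captured update older than this is refused


def enum_domain(number: str) -> str:
    """Map an E.164 number to its ENUM domain: reverse the digits, dot-separate,
    append e164.arpa (so +442079460000 -> 0.0.0.0.6.4.9.7.0.2.4.4.e164.arpa)."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("E.164 number expected, e.g. +442079460000")
    return ".".join(reversed(digits)) + ".e164.arpa"


def sign_update(registrant: str, key: bytes, number: str, rdata: str, ts: int) -> str:
    """Client side: MAC over the originator, target zone, record data and a timestamp,
    so that none of them can be altered or attributed to another registrant."""
    msg = f"{registrant}|{enum_domain(number)}|{rdata}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_update(registrant: str, number: str, rdata: str, ts: int, mac: str, now=None):
    """Update facility side: returns (accepted, reason_or_domain).
    Order matters: identity is proven before zone ownership is consulted."""
    now = time.time() if now is None else now
    key = REGISTRANT_KEYS.get(registrant)
    if key is None:
        return False, "unknown registrant"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp (possible replay)"
    expected = sign_update(registrant, key, number, rdata, ts)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "bad signature (impersonation or tampered data)"
    # Credentials are valid; now confirm the number lies in a zone this registrant owns.
    if not any(number.startswith(p) for p in REGISTRANT_PREFIXES[registrant]):
        return False, "number outside registrant's zone"
    return True, enum_domain(number)
```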
Eavesdropping
If the privacy of the information that is being transmitted between a client
application and the ENUM service (first or second level) is compromised, then
registrant-sensitive information, such as the registrant's username and
password, could be obtained by a malicious intruder. The DNS system must be
able to prevent eavesdropping attacks.
DNS and ENUM 77