Data Tampering
During the transmission of directory records, valid URIs could be replaced by
invalid URIs, in turn causing malicious redirection as discussed later. Because
a high percentage of security breaches (such as data tampering) can be caused
by “insiders,” physical and network security must be addressed. Servers must
be protected by the widest range of network and physical security features.
DNS Security (DNSSEC) [21] may provide integrity and authentication of DNS
records in future deployments.
Malicious Redirection
Malicious entries in the database will cause clients to retrieve wrong URIs
that point to fraudulent or damaging content. This can be accomplished in two
ways: first, by data tampering as discussed previously, and second, through
server impersonation, whereby a malicious server masquerades as a valid
ENUM server.
Denial of Service
There are several ways that a client could be denied access to the desired
network resources, which may include access to the DNS data, as well as access
to physical DNS servers.
First, a malicious intruder could remove the URIs from the database, using
the data-tampering methods discussed previously, thus making it impossible
for the client to access the correct information.
Another way to cause a denial of service to customers is to flood the DNS
servers with enough data to prevent further communication with that server.
This is done by either downloading gigabytes of information from the server
all at once or by maliciously flooding the server with bogus requests.
And finally, breaching the physical security of the servers, for example by
cutting off electricity to the facility, would deny clients access.
The security of the DNS responses as they route through the public Internet
must be considered. A third party could intercept and modify a DNS SRV
record by deleting or modifying URIs.
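An added example (not from the book): a minimal integrity check that compares the NAPTR records returned for an ENUM domain against a previously verified baseline, flagging the replaced and deleted URIs described above. The record tuples, phone number and domain names are constructed, and the NAPTR regexp fields are assumed to use literal replacements with no escaped delimiters.

```python
import re

# Constructed baseline: NAPTR records previously verified for one ENUM domain,
# as (order, preference, flags, service, regexp) tuples.
BASELINE = [
    (10, 10, "u", "E2U+sip", "!^.*$!sip:alice@example.com!"),
    (10, 20, "u", "E2U+mailto", "!^.*$!mailto:alice@example.com!"),
]

def enum_domain(e164_number):
    """Map an E.164 number to its ENUM domain: digits reversed, dot-separated."""
    digits = re.sub(r"\D", "", e164_number)
    return ".".join(reversed(digits)) + ".e164.arpa"

def naptr_uri(regexp):
    """Return the replacement URI from a NAPTR regexp field such as '!^.*$!sip:a@b!'."""
    if len(regexp) < 2:
        raise ValueError("empty NAPTR regexp field")
    parts = regexp.split(regexp[0])      # first character is the delimiter
    if len(parts) != 4 or not parts[2]:  # expect '', pattern, replacement, flags
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    return parts[2]

def service_uris(records):
    """Reduce NAPTR records to a set of (service, uri) pairs for comparison."""
    return {(svc.lower(), naptr_uri(rx)) for _, _, _, svc, rx in records}

def check_tampering(baseline, observed):
    """Return (removed, added) pairs; a replaced URI appears in both lists."""
    base, seen = service_uris(baseline), service_uris(observed)
    return sorted(base - seen), sorted(seen - base)

if __name__ == "__main__":
    # Constructed answer: SIP URI replaced, mailto record deleted.
    observed = [(10, 10, "u", "E2U+sip", "!^.*$!sip:alice@attacker.invalid!")]
    print("domain:", enum_domain("+1-202-555-1234"))
    removed, added = check_tampering(BASELINE, observed)
    for svc, uri in removed:
        print("MISSING from answer:", svc, uri)
    for svc, uri in added:
        print("NOT in baseline:   ", svc, uri)
```

A baseline comparison of this kind only detects changes relative to data the operator already trusts; it does not authenticate the answer itself, which is the role the text assigns to DNSSEC.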
Extensive work on DNS security has been done, and more work is in
progress. Interested readers are referred to the IETF Working Group
documents on DNS extensions [22].
■■ Example of a secure implementation for a DNS server—Employs two-factor
authentication that requires username and password, as well as a client
certificate, utilizing public-key cryptography along with the Secure
Sockets Layer (SSL) protocol. This approach addresses each of the
security concerns described earlier. First, it reduces the possibility of
impersonation by the parties who are attempting to update the DNS. The