IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.59 Protection against DNS spoofing
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
A threat from DNS spoofing can arise when authentication is performed using
computer names. Host-based authentication, which means that permissions are
granted on the basis of computer names or IP addresses, should be protected
with one (or a combination) of the following measures:
1. IP addresses should be used, not host names.
2. If host names are used, they should all be resolved locally (entries in the
file /etc/hosts).
3. If host names are used and cannot be resolved locally, all names should be
resolved directly by a name server which acts as primary or secondary
name server, i.e. stores the names permanently instead of in a temporary
cache.
The first configuration provides the highest security, the third provides the
lowest security. The aim of these measures is to perform a mapping between
IP addresses and computer names in a secure environment. If name resolution
cannot be performed directly, i.e. if a temporary cache is made use of, then
host-based access should never be allowed via a host name.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000