DNS and BIND, 4th Edition: DNS Security
This article is a link to the contents of DNS Security Chapter of the O'Reilly DNS book. Why should you care about DNS security? Why go to the trouble of securing a service that mostly maps names to addresses? Let us tell you a story. In July 1997, during two periods of several days, users around the Internet who typed www.internic.net into their web browsers thinking they were going to the InterNIC's web site instead ended up at a web site belonging to the AlterNIC. (The AlterNIC runs an alternate set of root name servers that delegate to additional top-level domains with names like med and porn.) How'd it happen? Eugene Kashpureff, then affiliated with the AlterNIC, had run a program to "poison" the caches of major name servers around the world, making them believe that www.internic.net's address was actually the address of the AlterNIC web server.
Kashpureff hadn't made any attempt to disguise what he had done; the web site that users reached was plainly the AlterNIC's, not the InterNIC's. But imagine someone poisoning your name server's cache to direct http://www.amazon.com/ or http://www.wellsfargo.com/ to his own web server, conveniently well outside local law enforcement jurisdiction. Further, imagine your users typing in their credit card numbers and expiration dates. Now you get the idea.
