What are the security risks related to using DNSSEC with regard to “DNS amplification attacks”? In a recent article at Microsoft’s Security Tech Center, Greg Lindsay dives into exactly that question.
First, though, he explains how a DNS amplification attack is a form of a Distributed Denial of Service (DDoS) attack that uses DNS queries combined with source address spoofing to send a large volume of traffic at a target system. He provides some examples of exactly how such an attack could be carried out.
Nicely, we get to see some examples of how DNSSEC will be implemented in the forthcoming Windows 8, both at the command line and in the GUI. (I will be curious as Windows 8 rolls out to learn more about the “DNSSEC zone signing wizard” apparently available in the DNS Manager.)
He ends with a note that:
Signing a DNS zone and adding DNSSEC records to a DNS response increases the total size of a response, but does not increase the risk for DNS amplification past the existing limit placed on the server for UDP response size.
Since the TCP conversation cannot be easily spoofed, these additional records do not inherently increase the severity of DNS amplification attacks.
and concludes with useful advice about how to help prevent DNSSEC amplification attacks.
I found it a very useful article regardless of whether you use Microsoft DNS servers or not. Good to get this kind of information out there so that IT security teams can understand how to address and mitigate potential risks.