What is a security weakness of the DNS protocol?
DNS data that is provided by name servers lacks support for data origin authentication and data integrity. This makes DNS vulnerable to man in the middle (MITM) attacks, as well as a range of other attacks.
I think maybe the intention of the question is to point out that authentication for a DNS server is not secure by default. You either need AD-integration or DNSSEC to secure authentication.
My worry is that this is an outdated question. Someone look this up in the study guide, please. C is correct, in that DNS can be setup to work without authentication. Normally, it doesn't anymore, unless someone's just acting like an idiot.
C. A DNS server does not authenticate the source of information.
The primary security weakness in the design of Domain Name System (DNS) is the lack of authentication of the source of information. This weakness can lead to various DNS-related attacks, such as DNS spoofing or cache poisoning, where malicious parties can provide false DNS information to redirect users to malicious websites or intercept their communications. DNSSEC (Domain Name System Security Extensions) is a protocol extension that addresses this weakness by providing data origin authentication and data integrity verification for DNS information.
DoS is not a protocol security design problem. Every protocol and every app is subject to DoS attacks. You can mitigate it with security controls.
But by nature DNS does not authenticate the source. So any host can query and get reply from DNS server. The protocol itself when was designed did not involve authenticate the source hosts.
B is more correct as C is not entirely true anymore.
Initially, lack of authentication and integrity was a security concern with the use of DNS, however, this has been addressed since the inception of DNSSEC.
DNSSEC adds two important features to the DNS protocol:
Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
The Domain Name System (DNS) is vital to the Internet, providing a mechanism for resolving host names into Internet Protocol (IP) addresses. Insecure underlying protocols and lack of authentication and integrity checking of the information within the DNS threaten the proper functionality of the DNS.
https://blog.isc2.org/isc2_blog/2008/08/securing-dns-se.html
Answer is C
"Attackers typically take advantage of the plaintext communication between clients and the three types of DNS servers. Another popular attack strategy is to log in to a DNS provider's website with stolen credentials and redirect DNS records."
https://www.techtarget.com/searchsecurity/definition/DNS-attack
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
stickerbush1970
Highly Voted 2 years, 2 months agoklarak
6 months, 3 weeks agojackdryan
1 year, 6 months agoklarak
Most Recent 6 months, 3 weeks agoSoleandheel
11 months, 2 weeks ago[Removed]
11 months, 3 weeks agoRollingalx
1 year, 7 months agoDee83
1 year, 10 months agooudmaster
1 year, 11 months agoPeduk70
1 year, 11 months agordy4u
2 years, 1 month agomishu2513
2 years, 1 month agosec_007
2 years, 1 month agoJAckThePip
2 years, 1 month agoYanjun
2 years, 2 months ago