
Domain Name System (DNS) Security Strategies

Download ACSC Protect: DNS Security Strategies (PDF), August 2012
First published 2012; updated August 2012


  1. This report provides information on Domain Name Service (DNS) security for Australian government users. Misconfigured DNS systems, known as resolvers, are vulnerable to a number of security exploits which could lead to data compromises. The report provides information on protecting DNS integrity and provides strategies to reduce the likelihood of DNS resolver compromise.
  2. The DSD Cyber Security Operations Centre (CSOC) recommends that agencies implement the recommendations in this document as a priority. Following the recommendations in the report will help to ensure that, through correct DNS system configuration and management, users are directed to genuine rather than malicious websites.
  3. DNS is a hierarchical naming system built on a distributed database for resources connected to the Internet. DNS maps domain names to their corresponding IP addresses and vice versa. For example, =


  1. DNS has no authentication mechanisms included by default. The lack of authentication increases the risk of falsified DNS information being stored on your agency’s DNS resolver by hosts with no authority to do so. These activities are known as DNS spoofing and DNS cache poisoning.
  2. DNS spoofing and cache poisoning can permit a cyber actor to map the internal network of your agency based on queries from the internal DNS resolver to upstream DNS resolvers. DNS cache poisoning can subvert client connections to provide false information, facilitating installation of malicious code or the extraction of sensitive information.
  3. DNS resolvers are typically configured to query upstream counterparts if they do not have an entry cached for the requested domain name. This is known as recursion, or caching. Recursion improves response times and performance by caching replies similar to the way in which history is cached by a web browser. Entries will remain in a DNS resolver’s cache depending on the time to live (TTL) value in the returned record. A common TTL value for DNS is 86400 seconds (24 hours).
  4. Configuring a recursive DNS resolver on your network to allow external access permits external parties to masquerade as your agency when performing DNS queries – perhaps to inappropriate sites.

Normal DNS resolution

  1. During the normal DNS resolution process, clients are provided with correct IP addresses for requested sites:

Figure 1: The normal DNS resolution process.

  1. Client queries DNS for the IP address of
  2. DNS replies to client with IP address of;
  3. Client connects to; the IP address of

DNS spoofing

  1. A DNS spoofing attack subverts the normal DNS resolution process as follows:

Figure 2: The normal DNS resolution process altered by DNS spoofing.

  1. Cyber actor adds or alters DNS record for on DNS resolver to point to instead of
  2. Client queries DNS for the IP address of
  3. DNS replies to client with IP address of
  4. Client connects to malicious site expecting it to be the genuine site for

DNS cache poisoning

  1. A DNS cache poisoning attack subverts the normal DNS resolution process as follows:

Figure 3: The normal DNS resolution process altered by DNS cache poisoning.

  1. Cyber actor queries a DNS resolver for the IP address of a malicious site.
  2. DNS resolver does not have the IP address and queries a malicious DNS resolver which has already established a relationship with the DNS resolver (see DNS spoofing above).
  3. Malicious DNS resolver provides the requested IP address along with falsified IP addresses for additional sites (the IP addresses may differ from that of the malicious DNS resolver).
  4. DNS resolver replies to cyber actor and caches false IP addresses.
  5. Client queries DNS for the IP address of
  6. DNS resolver replies to client with (cached) IP address of
  7. Client connects to expecting it to be the genuine website.

DNS cache poisoning with flooding

  1. A DNS cache poisoning attack with flooding subverts the normal DNS resolution process as follows:

Figure 4: The normal DNS resolution process altered by DNS cache poisoning (with flooding).

  1. Cyber actor queries DNS caching resolver for IP address of
  2. The DNS caching resolver queries the authoritative DNS server for
  3. The DNS caching resolver will accept the first response that matches the transaction ID and source port of its query to the authoritative server. The attacker floods the caching DNS resolver with fraudulent responses containing many different transaction IDs and source ports, hoping one of these will match.
  4. One of the attacker’s fraudulent responses is accepted. The DNS caching resolver responds to the attacker’s original query with the poisoned result.
  5. The authoritative DNS server responds to the DNS caching resolver. This response is ignored since the caching server already accepted a fraudulent response from the attacker.
  6. A client tries to reach and looks up the IP address of the site by querying the DNS caching server.
  7. The DNS caching server returns a result from its cache, which is the poisoned result provided by the attacker in step 3. This poisoned result will direct the client to a malicious site.


  1. Agencies should consider the following recommendations as part of their cyber security risk assessment process.

Apply the latest patches available for your DNS resolver

  1. DNS resolvers should have the latest security patches applied, as this reduces the opportunities for a cyber actor to leverage known vulnerabilities to exploit systems.

Separate authoritative and recursive DNS resolvers

  1. Agencies should ensure that published authoritative DNS servers, which are used by external parties to resolve, do not also resolve external domain names, such as The public authoritative DNS resolver should only resolve hosts that your agency is responsible for and wishes to advertise.
  2. Published agency DNS servers should not be configured to allow recursion. DNS servers configured in this manner permit external parties to masquerade as your agency when performing DNS queries – perhaps to inappropriate sites.

Limit zone transfers

  1. Zone transfers permit all DNS information to be listed for a given domain and are a mechanism used by primary and secondary DNS resolvers to update DNS information. The default behaviour for DNS zone transfer permits any host to request and receive a full zone transfer for a domain.
  2. Allowing open DNS zone transfers is akin to an anonymous caller requesting and receiving your agency’s complete telephone and address book. Information leakage from a seemingly innocent zone transfer could expose internal network topology that is useful to a cyber actor to do further harm.
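The two checks above (no recursion for outside names, no open zone transfers) can be verified against your own published name servers with a small stdlib-only probe. This is an added example, not code from the ACSC document; it builds RFC 1035 queries by hand, classifies replies from the header flags alone, and the server address, zone name and the outside name `example.com` are placeholders you supply.

```python
import socket
import struct

RCODE_REFUSED, RCODE_NOTAUTH, QTYPE_A, QTYPE_AXFR = 5, 9, 1, 252

def build_query(qname, qtype, txid, rd):
    """Minimal RFC 1035 query: 12-byte header, one question, no EDNS. rd=1 asks for recursion."""
    header = struct.pack("!HHHHHH", txid, rd << 8, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Pull out the header fields the two checks depend on."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": (flags >> 15) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "ancount": an}

def judge_recursion(resp, txid):
    """Classify the reply to an RD=1 query for a name the server is not authoritative for."""
    h = parse_header(resp)
    if h["txid"] != txid or not h["qr"]:
        return "unrelated"            # not a reply to our query; never act on it
    if h["rcode"] == RCODE_REFUSED:
        return "recursion-closed"     # the state a published authoritative server should be in
    if h["ra"]:                       # RA advertises recursion; an answer for the outside name confirms it
        return "recursion-open"
    return "recursion-closed"

def judge_axfr(resp, txid):
    """Classify the first AXFR reply message received by a host that is not a secondary."""
    h = parse_header(resp)
    if h["txid"] != txid or not h["qr"]:
        return "unrelated"
    if h["rcode"] in (RCODE_REFUSED, RCODE_NOTAUTH) or h["ancount"] == 0:
        return "transfer-restricted"
    return "transfer-open"            # NOERROR with records: anyone can list the whole zone

def check_server(ip, own_zone, outside_name="example.com", timeout=3.0):
    """Run both probes against one of your own published name servers (network required)."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(build_query(outside_name, QTYPE_A, txid, rd=1), (ip, 53))
        recursion = judge_recursion(udp.recv(4096), txid)
    query = build_query(own_zone, QTYPE_AXFR, txid, rd=0)
    with socket.create_connection((ip, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        length = struct.unpack("!H", tcp.recv(2))[0]
        transfer = judge_axfr(tcp.recv(length), txid)
    return recursion, transfer
```

The desired result for a published authoritative server is `("recursion-closed", "transfer-restricted")`; run the AXFR probe from a host that is not one of your secondaries, otherwise "transfer-open" is expected.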

Randomise source ports and transaction identifiers

  1. Recursive (caching) DNS resolvers are used by internal clients to resolve external addresses. They should use random source ports and random transaction IDs to reduce the likelihood of a cyber actor successfully guessing and faking a response designed to poison the cache of your DNS resolver.
  2. Avoid using routers, firewalls and other gateway devices that perform Network Address Translation (NAT) or, more specifically, Port Address Translation (PAT) on DNS traffic. PAT devices often rewrite source ports to track connection state, thus negating the effect of any randomisation implemented by DNS.
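The flooding attack in the cache poisoning section and the two recommendations above come down to one number: how many equally likely (transaction ID, source port) combinations a forged reply has to hit. The following added example (not from the ACSC document) carries that arithmetic through in the manner of RFC 5452; it assumes forged replies are uniformly distributed and that a fixed source port, or a PAT device rewriting ports, collapses the port dimension to one value.

```python
from math import expm1, log1p, log2

TXID_SPACE = 2 ** 16             # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024   # ports a resolver can draw from when randomising

def search_space(random_ports, auth_addrs=1):
    """Combinations a forged reply must match. With a fixed port, or a PAT device
    rewriting ports to one value, only the transaction ID is left to guess."""
    ports = EPHEMERAL_PORTS if random_ports else 1
    return TXID_SPACE * ports * auth_addrs

def entropy_bits(random_ports, auth_addrs=1):
    """Bits an attacker must guess per outstanding query."""
    return log2(search_space(random_ports, auth_addrs))

def flood_success_probability(packets, random_ports, auth_addrs=1):
    """P(at least one of `packets` forged replies lands before the genuine answer)
    = 1 - (1 - 1/S)^packets, evaluated without cancellation when 1/S is tiny."""
    s = search_space(random_ports, auth_addrs)
    return -expm1(packets * log1p(-1.0 / s))

def expected_flood_rounds(packets, random_ports, auth_addrs=1):
    """Expected number of query/flood rounds (geometric) before the cache is poisoned."""
    return 1.0 / flood_success_probability(packets, random_ports, auth_addrs)

def compare(packets=65536):
    """Side by side: fixed or PAT-rewritten source port versus randomised source port."""
    return {label: {"bits": round(entropy_bits(rp), 1),
                    "p_per_round": flood_success_probability(packets, rp),
                    "rounds": expected_flood_rounds(packets, rp)}
            for label, rp in (("fixed_or_PAT", False), ("randomised", True))}
```

With 65536 forged replies per round, a fixed-port resolver is poisoned with probability about 0.63 on the first round, while a port-randomising resolver needs on the order of 64,000 rounds; the same resolver behind a PAT gateway is back in the first column.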


  1. Agencies should consider outsourcing DNS management as an available risk treatment option once they have conducted an IT security risk assessment. DNS can be inherently complex and requires considerable effort to maintain securely. Services are commercially available and can offer advantages such as business continuity and increases to service availability and security of DNS resolvers.


Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).
