CISSP Exam Questions

CISSP Exam - Question 324


Which of the following is a PRIMARY security weakness in the design of Domain Name System (DNS)?

Correct Answer: C

The primary security weakness in the design of the Domain Name System (DNS) is that it does not authenticate the source of the information it receives. A resolver trusts any reply that carries the expected transaction ID and echoes its question, regardless of who actually sent it. This makes DNS vulnerable to attacks such as DNS spoofing and cache poisoning, where a malicious party supplies false records to redirect users to harmful hosts or intercept their communications. DNSSEC (Domain Name System Security Extensions) adds data origin authentication and data integrity through signed records, but the base design of DNS inherently lacks these protections.
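The acceptance rule described above can be seen in a few lines of wire-format code. The following is an added example, not part of the original page: a minimal DNS message builder and parser in pure Python, a toy resolver that applies the classic pre-DNSSEC check (QR bit set, transaction ID matches, question section echoed), and a forged reply that passes it. The names, addresses and transaction ID are constructed for the demonstration; the resolver deliberately omits the UDP source-port match a real implementation also performs (RFC 5452), because the point here is that nothing in the protocol ties the reply to the server that should have sent it.

```python
"""Toy DNS wire-format builder/parser showing why a resolver that checks
only the transaction ID and question section accepts a forged reply."""
import struct

# Constructed sample data for the demonstration (not from the page).
QNAME = "www.example.com."
TXID = 0x1234
LEGIT_IP = "93.184.216.34"      # what the genuine server would answer
ATTACKER_IP = "198.51.100.7"    # TEST-NET-2 address standing in for the attacker


def encode_name(name):
    """Encode a dotted name as DNS labels: 3www7example3com0."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(txid, name, qtype=1, qclass=1):
    """Standard recursive query (RD=1) with one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, qclass)


def build_response(txid, name, ip, ttl=300):
    """Response (QR=1, RD=1, RA=1) answering the question with one A record."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def resolver_accepts(query, response):
    """Classic pre-DNSSEC acceptance rule: the reply is a response (QR=1), its
    16-bit transaction ID matches the outstanding query, and its question
    section echoes ours. Who sent it is never verified (a real resolver also
    matches the UDP source port, omitted here for clarity)."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & 0x8000) and r["txid"] == q["txid"] \
        and r["questions"] == q["questions"]


def blind_guess_attempts(query, attacker_ip):
    """Off-path attacker who cannot see the query: try every transaction ID
    in turn and count forged replies sent before the resolver accepts one."""
    qname = parse_message(query)["questions"][0][0]
    for attempts, guess in enumerate(range(0x10000), start=1):
        if resolver_accepts(query, build_response(guess, qname, attacker_ip)):
            return attempts
    return None


QUERY = build_query(TXID, QNAME)
LEGIT = build_response(TXID, QNAME, LEGIT_IP)
FORGED = build_response(TXID, QNAME, ATTACKER_IP)          # on-path attacker saw the TXID
FORGED_WRONG = build_response(TXID + 1, QNAME, ATTACKER_IP)

if __name__ == "__main__":
    print("legit accepted:", resolver_accepts(QUERY, LEGIT))
    print("forged (right TXID) accepted:", resolver_accepts(QUERY, FORGED),
          "->", parse_message(FORGED)["answers"][0][4])
    print("forged (wrong TXID) accepted:", resolver_accepts(QUERY, FORGED_WRONG))
    print("blind guesses needed:", blind_guess_attempts(QUERY, ATTACKER_IP))
```

Nothing in `resolver_accepts` looks at where the datagram came from, so an attacker who can observe the transaction ID (on-path) wins with a single packet, and an off-path attacker only has to exhaust a 16-bit space. Source-port randomization and, properly, DNSSEC signature validation are what move this check from "matches my query" to "came from the zone that owns the data".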

Discussion

13 comments
stickerbush1970 (Option: C)
Sep 22, 2022

What is a security weakness of the DNS protocol? DNS data that is provided by name servers lacks support for data origin authentication and data integrity. This makes DNS vulnerable to man in the middle (MITM) attacks, as well as a range of other attacks.

jackdryan
May 14, 2023

C is correct

klarak
May 8, 2024

I think maybe the intention of the question is to point out that authentication for a DNS server is not secure by default. You either need AD-integration or DNSSEC to secure authentication.

sec_007 (Option: B)
Oct 26, 2022

B is correct. https://learn.g2.com/dns-security

Yanjun (Option: C)
Sep 18, 2022

It should be C

Peduk70 (Option: B)
Dec 16, 2022

B is more correct as C is not entirely true anymore. Initially, lack of authentication and integrity was a security concern with the use of DNS, however, this has been addressed since the inception of DNSSEC. DNSSEC adds two important features to the DNS protocol: Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated. Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key. https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

JAckThePip (Option: C)
Oct 5, 2022

Answer is C "Attackers typically take advantage of the plaintext communication between clients and the three types of DNS servers. Another popular attack strategy is to log in to a DNS provider's website with stolen credentials and redirect DNS records." https://www.techtarget.com/searchsecurity/definition/DNS-attack

Rollingalx (Option: C)
Apr 8, 2023

I go with C. The key word in the question is design.

[Removed] (Option: B)
Dec 7, 2023

I think it's B because I know DNSSEC.

mishu2513 (Option: B)
Oct 27, 2022

B is correct

rdy4u (Option: C)
Oct 28, 2022

The Domain Name System (DNS) is vital to the Internet, providing a mechanism for resolving host names into Internet Protocol (IP) addresses. Insecure underlying protocols and lack of authentication and integrity checking of the information within the DNS threaten the proper functionality of the DNS. https://blog.isc2.org/isc2_blog/2008/08/securing-dns-se.html

oudmaster (Option: C)
Dec 24, 2022

DoS is not a protocol security design problem. Every protocol and every app is subject to DoS attacks. You can mitigate it with security controls. But by nature DNS does not authenticate the source. So any host can query and get a reply from a DNS server. The protocol itself, when it was designed, did not involve authenticating the source hosts.

Dee83 (Option: C)
Jan 29, 2023

C. A DNS server does not authenticate source of information.

Soleandheel (Option: C)
Dec 15, 2023

C. A DNS server does not authenticate the source of information. The primary security weakness in the design of Domain Name System (DNS) is the lack of authentication of the source of information. This weakness can lead to various DNS-related attacks, such as DNS spoofing or cache poisoning, where malicious parties can provide false DNS information to redirect users to malicious websites or intercept their communications. DNSSEC (Domain Name System Security Extensions) is a protocol extension that addresses this weakness by providing data origin authentication and data integrity verification for DNS information.

klarak (Option: C)
May 8, 2024

My worry is that this is an outdated question. Someone look this up in the study guide, please. C is correct, in that DNS can be set up to work without authentication. Normally, it doesn't anymore, unless someone's just acting like an idiot.