Any way I can correct DNS spoofing against our domain

Solution 1:

Sounds like you need to implement DNSSEC.

Since you haven't given many details about your setup, it's difficult to recommend a software solution, but googling DNSSEC with your current setup should yield you some good tutorials on how to do it.

Solution 2:

Are you absolutely certain that this is a cache poisoning attack?

Every widely used recursive DNS server on the internet has long since implemented a fix to CVE-2008-1447, making the kind of wide-scale poisoning you're describing nearly impossible.

Not completely impossible, since the source port randomization just makes the attack take 2^16 times more attempts to successfully poison. Landing an attack on multiple authoritative name servers with high transaction volumes, all at the same time? That's quite the feat. Correct me if I'm wrong, but your domain probably isn't significant enough on the internet to be the best target for that attack; attackers with that capability would just hit google.com instead.

The far more reasonable or likely explanation is a change to the delegation for the domain, which the OpenDNS servers haven't picked up on yet due to caching. Has the domain expired, or has someone with access to the registrar made an ill-advised change to the name server delegation settings?

Solution 3:

Change your TLD? That's extreme. What's your TTL? You're kind of at the mercy of other DNS servers expiring your records before any of them bother looking up the new, non-cached entries. If you set your A records to a week, no one will see the changes for a week if they are cached. I always set my A records to the lowest setting for situations like this, or use CloudFlare which lets me change them on the fly.

4.2.2.2 and 4.2.2.1 are Level 3's DNS servers for their network, they are not really supposed to be used by the internet at large. Thus they are not representative of the Internet DNS infrastructure as a whole. I use DNSStuff.com to do all of my testing/lookups as they are non-cached results.

Also, instead of OpenDNS, it's easier to type Google's (8.8.8.8, 8.8.4.4), regardless of your personal beliefs between the two.

Solution 4:

The DNSSEC recommendation is hasty. You risk solving the wrong problem and saddling yourself with quite a maintenance burden.

Check through these questions first:

  • What evidence do you have that poisoning is your problem?
  • At which DNS resolvers do you see mangled resolution?
    • multiple resolvers?
    • from different ISPs? -> unlikely to be poisoning
    • to which bogus IPs do they map? All the same? -> probable problem on your authority
  • What SOA information for your "poisoned" zones do you receive at the poisoned resolvers?

DNS cache poisoning is less common nowadays. If the negligible chances to incur it bother you, you are better off implementing DNSCurve. Here's how it compares with DNSSEC:

  • the CurveDNS proxy takes 10 minutes to install
  • once installed, maintenance at your authoritative DNS is unchanged
  • you are not affected by amplification attacks
  • it is actually deployed at scale by DNS users (OpenDNS)
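Added example, not code from any of the answers above: a small Python triage helper that applies the checklist in Solution 4 (and the stale-delegation explanation in Solution 2) to what several resolvers return for a name, and says which of the three situations the pattern matches. Resolver labels, IPs and SOA serials are constructed sample data.

```python
# Added example, not code from any answer on this page: a triage helper that
# applies the resolver checklist to per-resolver observations. All resolver
# labels, IPs and serials below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Observation:
    resolver: str                # resolver queried (constructed label)
    isp: str                     # network operating that resolver
    a_records: FrozenSet[str]    # A records it returned for the host
    soa_serial: int              # SOA serial for the zone as seen there


def triage(expected_ips: FrozenSet[str], authority_serial: int,
           obs: List[Observation]) -> Dict[str, object]:
    """Compare each resolver's answer with the authoritative one.

    A lagging SOA serial means the resolver still serves old zone data
    (e.g. a delegation change not yet expired). The same wrong answer at
    resolvers run by different ISPs points at the authority or delegation,
    not at poisoning. Only a lone disagreeing resolver is worth inspecting
    as a possibly poisoned cache.
    """
    bad = [o for o in obs if o.a_records != expected_ips]
    if not bad:
        return {"verdict": "consistent", "resolvers": []}
    isps = {o.isp for o in bad}
    bogus = {o.a_records for o in bad}
    if all(o.soa_serial < authority_serial for o in bad):
        verdict = "stale zone data (old serial); wait for TTL expiry"
    elif len(isps) > 1 and len(bogus) == 1:
        verdict = "same bogus answer across ISPs: check your authority/delegation"
    elif len(bad) == 1:
        verdict = "single resolver disagrees: inspect that cache"
    else:
        verdict = "mixed answers: compare SOA and NS at each resolver"
    return {"verdict": verdict, "resolvers": sorted(o.resolver for o in bad)}


def demo() -> str:
    """Constructed scenario: two resolvers on different ISPs return the same
    wrong IP with an old serial, i.e. a change not yet expired from cache."""
    good = frozenset({"192.0.2.10"})
    obs = [
        Observation("resolver-a", "isp-1", frozenset({"198.51.100.7"}), 2023010100),
        Observation("resolver-b", "isp-2", frozenset({"198.51.100.7"}), 2023010100),
        Observation("resolver-c", "isp-3", good, 2023010105),
    ]
    return str(triage(good, 2023010105, obs)["verdict"])
```

Feed it the A records and SOA serial you actually observe at each resolver (for instance from `dig @resolver host A` and `dig @resolver zone SOA`) alongside what your own authoritative server returns.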