Listing of DNS vulnerabilities
I'm not sure that there's any single place that lists all of the vulnerabilities related to DNS, but here are some pointers you might use for further research.
General DNS Weaknesses
One broad category of DNS vulnerabilities would be at the protocol- and system-layer.
- The Wikipedia article on DNS lists security issues with the system.
- A particular vulnerability is cache poisoning.
- You can learn about DNSSEC as a countermeasure against some of the weaknesses in the protocol.
- Here's a list of notes on DNS that point out several system-level weaknesses.
- DNS is described in numerous RFCs. (That list is not up to date. You can find newer RFCs by looking at the references section in a recent DNS RFC.) Modern RFCs include a "Security Considerations" section that discusses security aspects related to the topic of the RFC.
Specific Vulnerabilities in DNS Implementations
Another broad category of vulnerabilities is bugs in specific implementations of DNS. There have been so many bugs in ISC Bind, for example, that this attack vector is much more likely to be successful than an attack at the system level (this depends on the target and the environment, though).
- Search the National Vulnerability Database. (E.g. ISC Bind)
- Search at SecurityFocus.
- Look for exploits in the exploit database.
- Metasploit and various other scan tools may be able to automatically detect vulnerabilities on unpatched servers.
Complex Interactions
Studying DNS in a vacuum isn't really enough, though. DNS interacts with other protocols in interesting ways.
For example, if your network doesn't protect against rogue DHCP servers, it may be possible for an attacker to run a DHCP server that hands out a lease that points to a rogue DNS server. The DNS server then returns whatever addresses the attacker wants -- substituting his own address for paypal.com, or rerouting email, for example.
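One defensive check for the rogue-DHCP-to-rogue-DNS interaction described above is to watch DHCPOFFER packets on the segment and flag any whose server identifier (option 54) or Domain Name Server option (option 6) is not on the network's approved list. The following is an added example, not code from the original answer; the option parser follows the DHCP TLV layout, and the two sample offers, the DHCP server 10.0.0.1 and the resolver 10.0.0.53 are constructed values for illustration.

```python
"""Flag DHCP offers that hand out an unapproved DNS resolver (example only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_OPT_DNS = 6          # Domain Name Server option: list of IPv4 addresses
DHCP_OPT_MSG_TYPE = 53    # DHCP message type
DHCP_OPT_SERVER_ID = 54   # identifies the DHCP server that sent the offer
DHCP_OPT_END = 255
DHCPOFFER = 2


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the option area that follows the magic cookie (code, length, value)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == DHCP_OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts: Dict[int, bytes]) -> List[str]:
    """Decode option 6 into dotted-quad strings, ignoring a trailing partial address."""
    data = opts.get(DHCP_OPT_DNS, b"")
    return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data) - len(data) % 4, 4)]


@dataclass
class Finding:
    server_id: str
    resolvers: List[str]
    reason: str


def check_offer(raw: bytes, trusted_dhcp: set, trusted_dns: set) -> Optional[Finding]:
    """Return a Finding for a DHCPOFFER from an unknown server or with an unapproved resolver."""
    opts = parse_dhcp_options(raw)
    if opts.get(DHCP_OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None                                   # only offers are inspected
    sid = str(ipaddress.IPv4Address(opts.get(DHCP_OPT_SERVER_ID, b"\0\0\0\0")))
    resolvers = dns_servers(opts)
    if sid not in trusted_dhcp:
        return Finding(sid, resolvers, "offer from unknown DHCP server")
    bad = [r for r in resolvers if r not in trusted_dns]
    return Finding(sid, resolvers, "unapproved resolver(s): " + ", ".join(bad)) if bad else None


# Constructed sample option areas (magic cookie omitted): a legitimate offer and a rogue one.
LEGIT_OFFER = bytes([53, 1, 2, 54, 4, 10, 0, 0, 1, 6, 4, 10, 0, 0, 53, 255])
ROGUE_OFFER = bytes([53, 1, 2, 54, 4, 10, 0, 0, 99, 6, 8, 10, 0, 0, 99, 10, 0, 0, 53, 255])

if __name__ == "__main__":
    for offer in (LEGIT_OFFER, ROGUE_OFFER):
        print(check_offer(offer, {"10.0.0.1"}, {"10.0.0.53"}))
```

In practice the raw bytes would come from a packet capture or a DHCP snooping log rather than the constants above.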