What Is DNS Security?
DNS security is the practice of protecting DNS infrastructure from cyberattacks in order to maintain fast and reliable performance. An effective DNS security strategy incorporates multiple overlapping defenses, including setting up redundant DNS servers, applying security protocols such as DNSSEC, and requiring rigorous DNS logging.
Why Is DNS Security Important?
Like many Internet protocols, the DNS system was not designed with security in mind and contains several design limitations. These limitations, combined with advances in technology, make DNS servers vulnerable to a wide range of attacks, including spoofing, amplification, DoS (denial of service), or the interception of private personal information. And because DNS is an integral part of most Internet requests, it can be a prime target for attacks.
In addition, DNS attacks are frequently deployed in conjunction with other cyberattacks to distract security teams from the true target. An organization needs to be able to mitigate DNS attacks quickly so as not to be too preoccupied to deal with simultaneous attacks through other vectors.
What Are Some Common Attacks That Involve DNS?
Attackers have found a number of ways to target and exploit DNS servers. Here are some of the most common:
DNS Spoofing / Cache Poisoning: This is an attack where forged DNS data is introduced into the cache of a DNS resolver, causing the resolver to return an incorrect IP address for a domain. Instead of going to the correct website, traffic can be diverted to a malicious machine or anywhere else the attacker desires; this is often a replica of the original site used for malicious purposes such as distributing malware or collecting login information.
DNS Tunneling: This attack encapsulates other protocols inside DNS queries and responses. Attackers can carry SSH, TCP, or HTTP traffic, malware, or stolen information inside DNS queries, which most firewalls do not inspect and therefore fail to detect.
DNS Hijacking: In a DNS hijacking attack, the attacker redirects queries to a different domain name server. This can be done either through malware or through unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the website's DNS record on the name server rather than the resolver's cache.
NXDOMAIN Attack: This is a type of DNS flood attack where the attacker overwhelms a DNS server with requests, asking for records that do not exist, in an attempt to cause a denial of service for legitimate traffic. This can be accomplished using sophisticated attack tools that can automatically generate unique subdomains for each request. NXDOMAIN attacks can also target a recursive resolver with the goal of filling the resolver's cache with junk requests.
Phantom Domain Attack: A phantom domain attack has a result similar to an NXDOMAIN attack on a DNS resolver. The attacker sets up a bunch of "phantom" domain servers that either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests to these domains and the resolver gets tied up waiting for responses, resulting in slow performance and denial of service.
Random Subdomain Attack: In this case, the attacker sends DNS queries for several random, non-existent subdomains of one legitimate site. The goal is to create a denial of service for the authoritative name server for the domain, making it impossible to look up the website from the name server. As a side effect, the ISP serving the attacker may also be affected, as their recursive resolver's cache will be loaded with bad requests.
Domain Lock-Up Attack: Attackers orchestrate this type of attack by setting up special domains and resolvers to establish TCP connections with legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver's resources.
Botnet-Based CPE Attack: These attacks are carried out using CPE (Customer Premise Equipment) devices — these are devices provided by service providers for their customers to use, such as modems, routers, cable boxes, and so on. Attackers compromise CPEs, and the devices become part of a botnet used to carry out random subdomain attacks against a single site or domain.
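Since the article calls for rigorous DNS logging, here is an added example (not from the original article) of how a defender might spot the NXDOMAIN and random subdomain floods described above in resolver logs: it counts distinct non-existent subdomains per zone inside a time window and the NXDOMAIN share per client. The log format, client addresses and names are constructed for the example.

```python
from collections import defaultdict

# Constructed resolver log, "<epoch> <client> <qname> <rcode>" per line (a made-up format, not
# any product's log). Client 10.0.0.7 is driving a random-subdomain flood against example.com.
LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.7 k3j9x.example.com NXDOMAIN
1700000001 10.0.0.7 q8z2m.example.com NXDOMAIN
1700000002 10.0.0.7 a0b1c.example.com NXDOMAIN
1700000002 10.0.0.7 zz91p.example.com NXDOMAIN
1700000003 10.0.0.7 m4n5o.example.com NXDOMAIN
1700000003 10.0.0.9 mail.example.net NOERROR
1700000004 10.0.0.9 typo.example.net NXDOMAIN
"""

def parse(log):
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower().rstrip("."), rcode

def zone_of(qname):
    # Approximation: the last two labels; production code would consult the public suffix list.
    return ".".join(qname.split(".")[-2:])

def nxdomain_by_zone(log, window=60, threshold=5):
    """Zones with >= threshold distinct NXDOMAIN subdomains inside a window-second span (flood signature)."""
    events = defaultdict(list)  # zone -> [(ts, qname)]
    for ts, _, qname, rcode in parse(log):
        if rcode == "NXDOMAIN" and qname != zone_of(qname):
            events[zone_of(qname)].append((ts, qname))
    flagged = {}
    for zone, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward until it spans at most `window` seconds
            distinct = len({q for _, q in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[zone] = max(flagged.get(zone, 0), distinct)
    return flagged

def nxdomain_ratio_by_client(log):
    """Per-client share of NXDOMAIN answers: a flooding CPE sits near 1.0, ordinary clients stay low."""
    total, nx = defaultdict(int), defaultdict(int)
    for _, client, _, rcode in parse(log):
        total[client] += 1
        nx[client] += rcode == "NXDOMAIN"
    return {c: nx[c] / total[c] for c in total}
```

Both measures are meant to be combined: a zone alert alone would also fire on a popular domain with many typos, while the per-client ratio points at the source to rate-limit.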
What Is DNSSEC?
DNS Security Extensions (DNSSEC) is a security protocol created to mitigate the forging of DNS data described above. DNSSEC protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, signing must occur at every level in the DNS lookup process. This signing process is similar to someone signing a legal document with a pen: that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a lookup for "google.com", a root DNS server would sign a key for the .COM nameserver, then the .COM nameserver would sign a key for google.com's authoritative nameserver.
While improved security is always preferred, DNSSEC is designed to be backward-compatible to ensure that traditional DNS lookups still resolve correctly, albeit without the additional security. DNSSEC is intended to work alongside other security measures such as SSL/TLS as part of a comprehensive Internet security strategy.
DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. This chain of trust must remain intact at every layer of DNS; if any link is compromised, the request becomes open to an on-path attack. To close the chain of trust, the root zone itself must be validated (proven to be free of tampering or fraud), and this is actually done using human intervention. Interestingly, in what is known as a Root Zone Signing Ceremony, selected individuals from around the world meet to sign the root DNSKEY RR set in a public and audited manner.
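The parent-child link in this chain is a DS record in the parent zone that carries a hash of the child's DNSKEY. The following added example (not part of the original article) computes that DS digest and key tag as RFC 4034 specifies and checks a child key against the parent's DS; the key material and the example.com owner name are constructed, and the RRSIG signature verification itself is not shown.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum of the RDATA, carried in the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def child_key_is_delegated(owner: str, child_rdata: bytes, parent_ds: dict) -> bool:
    """One link of the chain of trust: does the parent's DS record commit to this child DNSKEY?"""
    return (parent_ds["key_tag"] == key_tag(child_rdata)
            and parent_ds["algorithm"] == child_rdata[3]
            and parent_ds["digest_type"] == 2
            and parent_ds["digest"] == ds_digest(owner, child_rdata))

# Constructed sample: a fake 64-byte key under algorithm 13 (ECDSAP256SHA256), KSK flags 257.
SAMPLE_KEY = bytes(range(64))
CHILD_RDATA = dnskey_rdata(257, 13, SAMPLE_KEY)
# The DS record the parent zone (.com) would publish for this key; its key tag works out to 59409.
PARENT_DS = {"key_tag": key_tag(CHILD_RDATA), "algorithm": 13, "digest_type": 2,
             "digest": ds_digest("example.com.", CHILD_RDATA)}
# A DNSKEY an on-path attacker substituted: same flags and algorithm, different key material.
TAMPERED_RDATA = dnskey_rdata(257, 13, bytes(reversed(SAMPLE_KEY)))

if __name__ == "__main__":
    print("genuine key accepted:", child_key_is_delegated("example.com.", CHILD_RDATA, PARENT_DS))
    print("tampered key accepted:", child_key_is_delegated("example.com.", TAMPERED_RDATA, PARENT_DS))
```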
What Are Other Ways to Protect Against DNS-Based Attacks?
In addition to DNSSEC, a DNS zone operator can take further steps to secure their servers. Over-provisioning infrastructure is one simple strategy for overcoming DDoS attacks. Simply put, if your name servers can handle several multiples more traffic than you normally expect, it is harder for a volume-based attack to overwhelm your server. Organizations can achieve this by increasing the overall traffic capacity of their DNS servers, by creating multiple redundant DNS servers, and by using load balancing to route DNS requests to healthy servers when one starts performing poorly. Yet another strategy is a DNS firewall.
What Is a DNS Firewall?
A DNS firewall is a tool that can provide a number of security and performance services for DNS servers. A DNS firewall sits between a user's recursive resolver and the authoritative name server of the website or service they are trying to reach. The firewall can provide rate limiting services to stop attackers who are trying to overwhelm the server. If the server experiences downtime as a result of an attack or for any other reason, the DNS firewall can keep the operator's site or service up by serving DNS responses from cache.
In addition to its security features, a DNS firewall can also provide performance solutions such as faster DNS lookups and reduced bandwidth costs for the DNS operator.
DNS as a Security Tool
DNS resolvers can also be configured to provide security solutions for end users (people browsing the Internet).
Some DNS resolvers provide features such as content filtering, which can block sites known for distributing malware and spam, and botnet protection, which blocks communication with known botnet networks. Many of these secured DNS resolvers are free to use, and a user can switch to one of these recursive DNS services by changing a single setting in their local router.
Are DNS Queries Private?
Another important DNS security issue is user privacy. DNS queries are not encrypted. Even if users use a DNS resolver such as 1.1.1.1 that does not track their activity, DNS queries travel across the Internet in plain text. This means that anyone who intercepts the query can see which websites the user is visiting.
This lack of privacy has an impact on security, and in some cases, on human rights; if DNS queries are not private, it becomes easy for governments to censor the Internet and for attackers to track users' online behavior.
DNS over TLS and DNS over HTTPS are two standards for encrypting DNS queries in order to prevent outside parties from being able to read them.