Have you ever thought of accessing the internet through an IP address, such as 8.8.8.8? We normally access the internet through our human-readable domain name, such as www.google.com. Computers communicate with one another using numbers, but we as users aren't very good at interacting with numbers than computers (for instance, interacting with numbers such as 10110111.11101101.11011010.11101110 could get complex). To bridge this gap between humans and computers, there has to be a protocol that will solve this issue. This protocol is referred to as a Domain Name System or DNS. You can think of DNS as a distributed database on the internet that maps a human-readable domain name with its corresponding IP address.
In this post, we will discuss DNS security and why you should care about it. Here's a quick overview of what we are going to cover:
DNS security is the protection and prevention of the domain name system against vulnerability and attacks by cybercriminals.
When the internet was first created, it was mostly used for communication by a small number of people (e.g., the military and universities). But as popularity grew, more people began to use the internet for personal use. Because people can't readily memorize IP addresses, there was a need for an intuitive way to solve the problem. As a result, DNS was born. Its purpose was to make it simple to access the internet by supplying domain names that were mapped to their associated IP addresses.
When DNS protocol was created, little attention was paid to its security, which allowed the DNS traffic to move freely through network firewalls. By taking advantage of this vulnerability, malicious actors can create fake DNS records that lead users to fake websites or make them perform malicious actions. As a result, DNS security is an important focus.
To better understand what authoritative and recursive DNS are, let's look at this scenario.
Let's say you want to access a website using a domain name on your web browser. There is a resolver on your device (called stub resolver) that checks its database to know if it has the requested domain. If the requested domain is not in its record, the stub resolver sends a query to another resolver on the internet called the recursive resolver (or caching nameserver).
A recursive resolver is a nameserver usually provided by an internet service provider or other service providers, such as Google. It first checks its cache to know if it has the domain name in question. If it doesn't, it then sends a query on behalf of the user program (web browser) to an authoritative nameserver to obtain the IP address of the requested domain. It then returns the address to the user.
An authoritative nameserver is a system that takes a domain name and responds with information about the resources in that zone. It is where the IP address and the domain name of a particular website are located.
In a DoS attack, malicious actors overload an authoritative server with an excessive number of queries, making it impossible to use the server. The server then crashes because it is unable to respond to all of the queries. As a result, other users or servers that want to access that server will be denied the service.
DDoS is a more elaborate form of DoS. It involves using multiple systems to overload the targeted server with excessive queries. The malicious actor employs tens of thousands of computers to perform the task.
There are two main DDoS attack methodologies: amplification and reflection.
DNS amplification is a DDoS attack in which the attacker uses DNS server weaknesses to transform minor queries into much bigger payloads. The attacker then uses this increased traffic to bring the victim's servers down. It is done by flooding the server with short requests/queries that in turn will return large responses (e.g., querying for a Txt file on a DNS server).
Reflection DDoS attacks are attacks that use the same protocol in both directions. The attacker spoofs the victim's IP address and uses User Datagram protocol (UDP) to submit a request for information to servers that are known to respond to such requests. The server receives the message, then sends a response to the victim's IP address. The victim, according to the servers, was the one who made the initial request. All of the information from those servers accumulate, clogging the target's internet connection.
Cache poisoning, also known as data spoofing, is the process whereby a malicious actor injects a fake DNS entry into a DNS server. As a result, the user is sent to illicit resources (e.g., fake websites). Take, for example, a user who wants to access their financial websites. On the other side, an attacker has changed the DNS server so that when a user enters a domain name, they are redirected to the attacker's phony replica of the banking website. The attackers can then steal valuable information by prompting the user to input their credentials on the bogus websites.
Attackers use Fast Flux to conceal their identity by using rapidly changing sensitive information to hide the source of the attack. It comes in two forms: single flux (which includes changing IP addresses simultaneously) and double flux (which involves constantly changing IP addresses and domain names).
Because DNS data is intended to be public and distributed over the internet, it is important to protect the data's confidentiality. Integrity, source authentication, and availability are the three main security goals for DNS.
DNSSEC is a series of extensions designed by the Internet Engineering Task Force to secure data exchange in the DNS. DNSSEC ensures the authenticity and integrity of DNS data by preventing applications from receiving forged or false DNS data. It works by using digital signatures to encrypt DNS data. The recursive resolver can tell if the information received from the authoritative server is authenticated by inspecting the digital signature.
The DNSSEC functions in this way: Each DNS zone has its own set of private and public keys. The zone owner signs the data with the private key and creates a digital signature over it. Any recursive resolver that wants to access the data will also need to know the public key to validate the data's authenticity. The recursive resolvers then authenticate the digital signature's validity before returning the DNS data to the user. The recursive resolvers reject the data if the signature does not validate, and then return an error to the user.
Configure your DNS to be as secure as possible. You can do this by using a random port instead of the standard port for DNS (i.e., UDP port 53). You can also achieve this by randomizing the query ID and the case letters of the domain names that need to be resolved.
Add more security to recursive DNS servers. By using access control such as DNS filtering (the technique ISP uses to prevent its network from online threats), DNSSEC, and other means, you can safeguard the recursive server from unauthorized access.
Keep your resolver safe and secure. Don't expose resolvers to the public; instead, limit them to the users using the network. This will prevent malicious actors from spoofing (altering) the nameserver.
Integrate DNSSEC into your operations to validate the integrity of your data. DNSSEC improves the security of DNS protocol, preventing applications from receiving forged or false DNS data.
Keep your DNS servers up to date. If you are using third party DNS servers for your operations ( like Google DNS, Cloudflare), you won't need to worry about updating the DNS server. If you run your own nameserver, however, you'll need to update it from time to time to get new security features and improve the performance of your DNS operations.
Enable DNS filtering. DNS filtering is a way to isolate a user from malicious websites. It allows a system administrator to block users from sites that are known to contain malicious information. If a user wants to access that site, the DNS server disconnects all communication immediately.
This post was written by Ibrahim Ogunbiyi. Ibrahim is an entry-level IoT enthusiast and a machine learning engineer with skills in python, C++, data analysis, data visualization, and machine learning algorithms. He is also a technical author.
Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 “Learn” portal. Get paid for your writing.
Apply Now