What is DNS Security? Why is it Important?
DNS, like Border Gateway protocol, Network Time Protocol etc, is one of the utility protocols that keep the Internet up and running. Hence securing such protocols is important, but it’s mostly seen that security teams tend to get a bit indifferent regarding the security of such utility protocols.
Well, if you ask us the question “What is DNS security?”, the answer would be straight and simple. It’s all about providing security against DNS exploits like DNS hijacking, DNS Spoofing and Denial of Service attacks.
Well, after having answered the question “What is DNS security?”, let’s move on to answering another very relevant question, namely “Why is DNS security important?”.
As we know, standard DNS queries are required for almost all kinds of web traffic and hence hackers do look for opportunities to carry out DNS exploits. Such attacks, which are quite common these days, would redirect inbound traffic to a website to a fake copy of the website, which could be used to collect sensitive data pertaining to users and which could also expose businesses to great security risks.
Common attacks involving DNS
So now, after answering the questions “What is DNS security?” and “Why is DNS security important”, let’s discuss some of the very common kinds of attacks that cybercriminals carry out by targeting and exploiting DNS servers…
DNS hijacking – A hacker redirects, using a malware or with unauthorized modification of a DNS server, queries to a different domain name server. Traffic is diverted to a malicious website or server, which can be used to gather sensitive personal data or to distribute malware.
DNS spoofing/ DNS cache poisoning – A hacker introduces forged DNS data into a resolver’s cache. The resolver thus returns an incorrect IP address for a domain and the user is taken to a malicious website that’s used to collect sensitive data or for malware infiltration.
DNS tunneling – A hacker encodes the data of other programs or protocols (SSH, TCP etc) in DNS queries and responses and uses the same to add data payload to any DNS, thereby gaining command and control or carrying out data exfiltration.
NXDOMAIN attack – A hacker inundates, using sophisticated tools, a DNS server with requests for records that don’t exist, thereby causing a denial-of-service for all legitimate traffic.
Phantom Domain attack – A hacker sets up a bunch of ‘phantom’ domain servers that either don’t respond or if at all they respond, respond slowly, to requests. The resolver then gets hit with a flood of requests to these phantom domains. Since the resolver gets tied up waiting for responses to these requests, it leads to slow performance and eventual denial-of-service.
Random subdomain attack – A hacker sends DNS queries for random non-existent subdomains of a website, thereby causing denial-of-service.
Adopting DNSSEC protocol helps protect against DNS threats
Adopting DNSSEC (DNS Security Extensions) protocol is one of the most effective ways to ensure protection against DNS attacks.
The DNS system has many design limitations, which help hackers hijack DNS lookups for all kinds of malicious purposes. For example, they could divert users to fraudulent websites and gather sensitive personal data or else distribute malware through these websites. The DNSSEC protocol helps in mitigating such security issues by digitally signing data so as to ensure its validity. This digital signing, done at all levels of the DNS lookup process, is almost akin to someone signing a document with a unique signature and helps ensure a secure lookup. DNSSEC works with other security measures like SSL/TLS and maintains backward compatibility. The digital signing is done using public-key cryptography and the correct DNSKEY record is authenticated via a chain of trust that travels all the way up to the root zone. Domain owners generate their own keys, which are uploaded using the DNS control panel at the domain-name registrar. The keys are then pushed via secDNS to the zone operator for signing and publishing in DNS.
Other ways to prevent DNS-based attacks
The other ways to prevent DNS-based attacks, besides DNSSEC, include over-provisioning of infrastructure (letting your nameserver handle several times more traffic than expected thereby making it impossible for a DDoS attack to overwhelm the server), anycast routing (allowing multiple servers to share a single IP address) and using a DNS firewall. (A DNS firewall, which sits between a user’s recursive resolver and the authoritative nameserver of a website or service that’s being accessed, performs different functions. It can shut down denial-of-service attacks by providing rate limiting services to the server and also can keep websites or servers up by serving DNS responses from the cache whenever there is a server downtime due to an attack).
Configuring DNS resolvers to provide security
DNS resolvers, on being configured to provide security to end-users, can offer features like content filtering (identifying and blocking spam), identifying malware infected websites, providing protection from botnets etc. DNS resolvers can very easily be configured to perform such functions by simply changing a single setting in their local routers.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.