Skip to content
TitanHQ

DNS 101 - How DNS helps and hurts your network security!

Posted by C Jones on Thu, Apr 25th, 2019

The Domain Name System (DNS) was established to make it easier to use the Internet. It  translates domain names to the IP addresses used by network devices. DNS allows us to use http://www.google.com instead of  http://74.125.224.72/ to initiate a search. In short, it is the Internet's primary directory service. But DNS is a double-edged sword largely because of the insecure nature of the DNS infrastructure. Your DNS infrastructure can be threatened by attackers.

What is DNS?

In short, DNS is a distributed system anchored by the root name servers. Below these are DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers are assigned to each DNS zone. An authoritative name server can either be a master server or a slave server. A master stores the original copies of zone records while a slave maintains copies of the master records.

DNS for IPv4

For IPv4, DNS is most often tightly integrated with Dynamic Host Configuration Protocol (DHCP). DHCP provides IP addresses, DNS name servers, and other information to devices on a network, private or public. So the security of DNS also requires protection of DHCP using such techniques as DHCP snooping and limitation of DHCP relay.

DNS for IPv6

Depending on IPv6 network configuration, DHCP may or may not provide DNS information. For example, stateless address autoconfiguration (SLAAC) does not require a DHCPv6 server. The Router Advertisement (RA) message provides the name of the DNS server or servers.

DNS Attacks

As the directory for the Internet, DNS servers must be available to all, black hat or white hat. The following attacks take advantage of this:

A black hat looks for an open DNS resolver and he is on his way to launching a distributed denial of service (DDoS) attack, either against the resolver itself or against other systems. The target receives a deluge of DNS replies from all over the Internet. DNS replies can be spoofed, or created with false information, to redirect users from legitimate sites to malicious websites.

 What is a DDoS attack

A Distributed Denial of Service attack (DDoS) attack is the purposeful overload of a device, with the aim of making the device or a service provided by that device unavailable to users. A DDoS usually originates from large numbers of bots or zombie PCs which are under the control of one central machine called a botnet. These attacks have affected private business, governments, banks and end-user computers, and are a favored tool of cyber criminals. 

Spamhaus attack

The enormity of a DNS DDoS attack is mind-blowing. Look at the attack against Spamhaus in March 2013. It started with one DNS request with a bogus IP address, but quickly escalated for two reasons. First, the size of the response packet sent from the DNS resolver is often many times larger than that of the request packet. Second, the number of DNS replies generated escalates geometrically as more servers participate. Spamhaus reported that initially over 30,000 DNS resolvers participated in the torrent of DNS replies.

If a large amount of traffic is received from one IP, security can be configured to throttle packets from that IP address. In the Spamhaus incident, the attackers used a huge number of different IP addresses. As a result, the number of DNS replies from each individual IP address did not trigger throttling.

Identifying malicious DNS traffic

DNS can use TCP or UDP. Traffic over TCP port 53 often represents zone transfers to keep slave servers in sync with the master zone file. But intruders can use this mechanism to download the contents of a name server’s zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized slave name server.

As any other port, port 53 can be used to tunnel unauthorized traffic. Be suspicious if Wireshark reports such packets as “malformed” or requesting “unknown operations.”

Preventing a DNS attack

DNS can be configured to mitigate the common DNS security issues . According to the Open Resolver Project, “Open resolvers pose a significant threat to the global network infrastructure”.  Keep your DNS server from being an open resolver, responding to DNS requests from any address on the Internet. Restrict in-house recursive servers to the IP subnets used by your company. (This includes customer ranges as well if you are operating an extranet.)  Keep in mind, however, that many (if not most) DNS resolvers across the Internet are open resolvers, either because they have not been secured, or they are meant to be open to the public such as Comodo’s service. To test your IP address for open resolvers, see http://www.thinkbroadband.com/tools/dnscheck.html

Although there is no sure-fire way to preclude a DNS attack, the following measures can minimize the odds:

  • DNS blocking used for security against phishing and spam can help preclude DNS attacks. This mechanism makes it difficult for entities to locate specific domains or web sites on the Internet that are malicious sites.
  • Configure your authoritative DNS servers to use DNS response rate limiting.
  • DNS traffic should be throttled depending on the type of DNS packet. For example, a zone transfer reply would have a higher threshold than a reply for the name of the DNS server.
  • Work with your Internet provider to block or throttle traffic you do not want on your network, if possible.
  • Monitor your network, especially client IPs using the most bandwidth.
  • Closing open resolvers and using DNS blocking cannot protect against packet spoofing. Google declares that your site must be equipped to handle an increased load occasioned by an attack. There should be a cushion for bandwidth and CPU cycles, and the general ability to load balance. 

You may also be interested in reading this article on reinforcing the spam filtering offered with Microsoft Office 365. READ NOW

Protect your business with the newest “zero-day” threat protection and intelligence against phishing, business email compromise and zero-day attacks with PhishTitan.

Free Demo

Related Articles

Never Miss a Blog Post

Sign-up for email updates...

Get Your 14 Day Free Trial
TitanHQ

Talk to Our Email and DNS Security Team

Call us on UK/EU +44 203 808 5467

Contact Us