The Domain Name System (DNS) was established to make it easier to use the Internet. It translates domain names to the IP addresses used by network devices. DNS allows us to use http://www.google.com instead of http://184.108.40.206/ to initiate a search. In short, it is the Internet's primary directory service. But DNS is a double-edged sword largely because of the insecure nature of the DNS infrastructure. Your DNS infrastructure can be threatened by attackers.
In short, DNS is a distributed system anchored by the root name servers. Below these are DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers are assigned to each DNS zone. An authoritative name server can either be a master server or a slave server. A master stores the original copies of zone records while a slave maintains copies of the master records.
For IPv4, DNS is most often tightly integrated with Dynamic Host Configuration Protocol (DHCP). DHCP provides IP addresses, DNS name servers, and other information to devices on a network, private or public. So the security of DNS also requires protection of DHCP using such techniques as DHCP snooping and limitation of DHCP relay.
Depending on IPv6 network configuration, DHCP may or may not provide DNS information. For example, stateless address autoconfiguration (SLAAC) does not require a DHCPv6 server. The Router Advertisement (RA) message provides the name of the DNS server or servers.
As the directory for the Internet, DNS servers must be available to all, black hat or white hat. The following attacks take advantage of this:
A black hat looks for an open DNS resolver and he is on his way to launching a distributed denial of service (DDoS) attack, either against the resolver itself or against other systems. The target receives a deluge of DNS replies from all over the Internet. DNS replies can be spoofed, or created with false information, to redirect users from legitimate sites to malicious websites.
A Distributed Denial of Service attack (DDoS) attack is the purposeful overload of a device, with the aim of making the device or a service provided by that device unavailable to users. A DDoS usually originates from large numbers of bots or zombie PCs which are under the control of one central machine called a botnet. These attacks have affected private business, governments, banks and end-user computers, and are a favored tool of cyber criminals.
The enormity of a DNS DDoS attack is mind-blowing. Look at the attack against Spamhaus in March 2013. It started with one DNS request with a bogus IP address, but quickly escalated for two reasons. First, the size of the response packet sent from the DNS resolver is often many times larger than that of the request packet. Second, the number of DNS replies generated escalates geometrically as more servers participate. Spamhaus reported that initially over 30,000 DNS resolvers participated in the torrent of DNS replies.
If a large amount of traffic is received from one IP, security can be configured to throttle packets from that IP address. In the Spamhaus incident, the attackers used a huge number of different IP addresses. As a result, the number of DNS replies from each individual IP address did not trigger throttling.
DNS can use TCP or UDP. Traffic over TCP port 53 often represents zone transfers to keep slave servers in sync with the master zone file. But intruders can use this mechanism to download the contents of a name server’s zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized slave name server.
As any other port, port 53 can be used to tunnel unauthorized traffic. Be suspicious if Wireshark reports such packets as “malformed” or requesting “unknown operations.”
DNS can be configured to mitigate the common DNS security issues . According to the Open Resolver Project, “Open resolvers pose a significant threat to the global network infrastructure”. Keep your DNS server from being an open resolver, responding to DNS requests from any address on the Internet. Restrict in-house recursive servers to the IP subnets used by your company. (This includes customer ranges as well if you are operating an extranet.) Keep in mind, however, that many (if not most) DNS resolvers across the Internet are open resolvers, either because they have not been secured, or they are meant to be open to the public such as Comodo’s service. To test your IP address for open resolvers, see http://www.thinkbroadband.com/tools/dnscheck.html
You may also be interested in reading this article on reinforcing the spam filtering offered with Microsoft Office 365. READ NOW
Sign-up for email updates...