DNS (Domain Name System) is the phonebook of the internet that maps domain names to IP addresses. It works at the application layer and uses a hierarchy of servers including root servers, TLD (top-level domain) servers, and authoritative name servers to resolve DNS queries in a recursive or iterative fashion. DNS stores resource records with information like IP addresses, name servers, and canonical names. DNS security is important to prevent issues like brand damage, financial loss, and malware/credential theft from DNS attacks. DNSSEC helps secure DNS by implementing digital signing across the DNS hierarchy to validate response authenticity.
2. DNS AND DNS SECURITY:
What You Need to Know
DNS
Working of DNS
Hierarchy of DNS
DNS Query
DNS Records
DNS Message Header Format
DNS Security
Impact
DNSSEC
3. DNS (Domain Name System)
• Phonebook of the Internet
• Servers working together to provide the IP address mapped to a website's domain name
• Works at the Application Layer
4. Working of DNS
When we type a web address, for instance google.com, the client checks:
1. Local sources first:
   • Resolver cache (view it with ipconfig /displaydns; clear it with ipconfig /flushdns)
   • Hosts file (Windows: C:\Windows\System32\drivers\etc\hosts; Linux: sudo nano /etc/hosts)
2. The DNS server configured under the Network Connection settings in the Control Panel
6. Hierarchy of DNS
ROOT SERVER:
• 13 sets, globally located
• Named letter.root-servers.net, where letter is 'a' to 'm'
• Operated by 12 organizations
• Info page: letter.root-servers.org
TLD NAME SERVER:
• Domains: .com, .net, .in, .edu
• Stores the address information for the name servers under its TLD: the .com TLD name server covers websites with the .com extension, the .net TLD name server covers websites with the .net extension
AUTHORITATIVE NAME SERVER:
• Stores the website's IP address
• Full authority: responsible for knowing everything about the zone, including its IP address
• CMD commands to find it:
  - nslookup
  - set query=ns
  - example.com (domain name)
7. Recursive Query Flow
A request to a DNS server: "gimme what I need, and ask everyone you want"
9. DNS Records
• Store Resource Records (RRs)
• Four-tuple: [Name, Value, Type, TTL]
• Type = A; Name: hostname; Value: IP address
  - E.g. [star.c10r.facebook.com, 31.13.72.33, A, 17]
• Type = NS; Name: domain; Value: hostname of the authoritative name server
  - E.g. [facebook.com, a.ns.facebook.com, NS, 172797]
• Type = CNAME; Name: hostname; Value: canonical hostname
  - E.g. [www.facebook.com, star.c10r.facebook.com, CNAME, 2362]
10. DNS Rules
• An authoritative name server (for a given host) will always contain the type A record of that host
• A non-authoritative name server will contain a type NS record for the domain and the type A record of the domain's authoritative server
  - E.g. [facebook.com, a.ns.facebook.com, NS, 172797]
  - E.g. [facebook.com, 69.171.239.12, A, 172575]
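As an added illustration of slides 9 and 10 (not part of the original deck), the following Python script models the root, .com and facebook.com name servers as tables of the four-tuple records above and resolves a name iteratively: each server either answers with an A record (after following a CNAME) or refers the resolver onward via its NS record and the glue A record of that name server. The facebook.com tuples are copied from the slides; the root, .com and glue addresses are constructed placeholders.

```python
# Records are the slides' four-tuple [Name, Value, Type, TTL], grouped by the
# server holding them; root/.com/glue entries are CONSTRUCTED (TEST-NET IPs).
SERVERS = {
    "root": [
        ("com", "a.gtld-servers.net", "NS", 172800),           # constructed
        ("a.gtld-servers.net", "192.0.2.1", "A", 172800),      # constructed glue
    ],
    "a.gtld-servers.net": [
        ("facebook.com", "a.ns.facebook.com", "NS", 172797),   # from slide 10
        ("a.ns.facebook.com", "192.0.2.53", "A", 172575),      # constructed glue
    ],
    "a.ns.facebook.com": [
        ("facebook.com", "69.171.239.12", "A", 172575),        # from slide 10
        ("www.facebook.com", "star.c10r.facebook.com", "CNAME", 2362),
        ("star.c10r.facebook.com", "31.13.72.33", "A", 17),
    ],
}

def lookup(server, name, rtype):
    """First record of (name, rtype) held by server, or None."""
    for rec in SERVERS[server]:
        if rec[0] == name and rec[2] == rtype:
            return rec
    return None

def best_delegation(server, name):
    """Longest-suffix NS record the server holds for name (closest referral)."""
    labels = name.split(".")
    for i in range(len(labels)):
        ns = lookup(server, ".".join(labels[i:]), "NS")
        if ns:
            return ns
    return None

def resolve(name, max_hops=8):
    """Iterative resolution from the root. Returns (ip, servers_asked)."""
    server, trace = "root", []
    for _ in range(max_hops):
        trace.append(server)
        cname = lookup(server, name, "CNAME")
        if cname:                       # one CNAME hop on the same server
            name = cname[1]
        a = lookup(server, name, "A")
        if a:                           # authoritative answer (rule 1)
            return a[1], trace
        ns = best_delegation(server, name)
        glue = ns and lookup(server, ns[1], "A")
        if not glue:
            raise LookupError(f"{server} has no delegation or glue for {name}")
        server = ns[1]                  # follow the NS referral (rule 2)
    raise LookupError("too many referrals")
```

Resolving www.facebook.com walks root, then the .com server, then a.ns.facebook.com, which follows the CNAME to star.c10r.facebook.com and returns 31.13.72.33; a name with no delegation at the root raises LookupError.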
13. Impact
• Brand damage: imagine the mess that will happen in the company when your employees and/or customers are not able to access your website due to an attack.
• Imagine if an online banking system was corrupted.
• Financial loss: imagine if your company's payment site is redirected to a fake site and payments are made on that site.
• Malware installation. This may be done by hijacking DNS queries and responding with malicious IP addresses.
• Credential theft.
• Command & Control communication.
• Network footprinting.
• Data theft.
15. DNSSEC
• DNS Security Extensions (DNSSEC) is a security protocol created to mitigate this problem.
• It implements a hierarchical digital signing policy across all layers of DNS.
• DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. This chain of trust must remain intact at every layer of DNS; if it is broken at any layer, the response can no longer be validated and the request becomes open to an on-path attack.
16. DNSSEC Terminology
• Fingerprint - the hash/digest of a public key
• KSK - Key Signing Key - used to sign or verify a domain's / zone's keys
• ZSK - Zone Signing Key - used to sign or verify a domain's / zone's non-key records
• Trust - to accept the validity and truthfulness of an entity with no need to further validate
• RRSet - Resource Record Set - a set of records with the same type and same domain/zone
• RRSig - Resource Record Signature - a record containing an RRSet's digital signature
• DS Record - Delegation of Signing - a record containing the hash/digest of a
21. Vendors providing DNS Security
• Infoblox: DNS Traffic Control, DNS Firewall, Advanced DNS Protection
• Nominum: DNS Blast, DNS Guardian, DNS Cloud
• BlueCat DNS: BlueCat DNS Integrity, BlueCat DNS Edge
• Cisco Umbrella: Cisco Umbrella