The document discusses DNS (Domain Name System) and how to secure it. It explains that DNS translates domain names to IP addresses, involving recursive queries to root nameservers and authoritative nameservers. Common DNS attacks are spoofing, poisoning, hijacking, amplification and flooding. Recommended security measures include DNS encryption using DNS over HTTPS and TLS, DNSSEC for response authentication, DNSCrypt for encryption and anonymity, redundant infrastructure for DDoS protection, and DNS firewalls.

1. How DNS works
&
How to secure it

2. Topics to be discussed
• What is DNS?

3. What is DNS?
The domain name system (DNS) is a naming database in
which internet domain names are located and translated into
Internet Protocol (IP) addresses. The domain name system
maps the name people use to locate a website to the IP
address that a computer uses to locate that website.

4. History
of
DNS

5. How DNS works?
The Internet’s DNS works much like a phone book by managing the mapping
between names and numbers. DNS servers translate requests for names into IP
addresses, controlling which server an end user will reach when they type a
domain name into their web browser. These requests are called queries.

6. DNS recursor
The recursive server takes DNS queries from an application, such as a web
browser. It's the first resource the user accesses and either provides the answer
to the query if it has it cached or accesses the next-level server if it doesn't. This
server may go through several iterations of querying before returning an answer
to the client

7. DNS root name server
This server is the first place the recursive server sends a query if it doesn't have
the answer cached. The root name server is an index of all the servers that will
have the information being queried. These servers are overseen by the Internet
Corporation for Assigned Names and Numbers, specifically a branch of ICANN
called the Internet Assigned Numbers Authority.

8. TLD name server
The root server directs the query based on the top-level domain -- the .com, .edu
or .org in the URL. This is a more specific part of the lookup.

9. Authoritative name server
The authoritative name server is the final checkpoint for the DNS query. These
servers know everything about a given domain and deal with the subdomain part
of the domain name. These servers contain DNS resource records with specific
information about a domain, such as the A record. They return the necessary
record to the recursive server to send back to the client and cache it closer to the
client for future lookups.

10. DNS resolution process (DNS lookup)
• A user types ‘example.com’ into a web browser and the query travels into the
Internet and is received by a DNS recursive resolver.
• The resolver then queries a DNS root nameserver
• The root server then responds to the resolver with the address of a Top Level
Domain (TLD) DNS server (such as .com or .net), which stores the
information for its domains. When searching for example.com, our request is
pointed toward the .com TLD.
• The resolver then makes a request to the .com TLD.

11. DNS resolution process (DNS lookup) cont.
• The TLD server then responds with the IP address of the domain’s
nameserver, example.com.
• Lastly, the recursive resolver sends a query to the domain’s nameserver.
• The IP address for example.com is then returned to the resolver from the
nameserver
• The DNS resolver then responds to the web browser with the IP address of
the domain requested initially

12. Types of DNS quaries
• Recursive query - In a recursive query, a DNS client requires that a DNS
server (typically a DNS recursive resolver) will respond to the client with
either the requested resource record or an error message if the resolver can't
find the record.
• Iterative query - in this situation the DNS client will allow a DNS server
to return the best answer it can. If the queried DNS server does not have a
match for the query name, it will return a referral to a DNS server
authoritative for a lower level of the domain namespace. The DNS client
will then make a query to the referral address. This process continues with
additional DNS servers down the query chain until either an error or
timeout occurs.

13. Types of DNS quaries cont.
• Non-recursive query - typically this will occur when a DNS resolver client
queries a DNS server for a record that it has access to either because it's
authoritative for the record or the record exists inside of its cache. Typically, a
DNS server will cache DNS records to prevent additional bandwidth
consumption and load on upstream servers.

14. DNS and Threats
• At first DNS architects were concerned about reliability and functionality, not
security.
• According to IDC’s 2021 Global DNS Threat Report, 87% of organizations
suffered a DNS attack in the past year
• With the Covid-19 new vulnerabilities and threats arised related to DNS.

15. DNS Spoofing Or Poisoning
• DNS Spoofing - the attacker tries to impersonate a legitimate service, for
example, by faking the IP associated with a domain.
• DNS Poisoning is the method attackers use to compromise and replace DNS
data with a malicious redirect. DNS Spoofing is the end result, where users
are redirected to the malicious website via a poisoned cache.

16. DNS Tunneling
• exploits DNS traffic’s permissions to pass through corporate firewalls. These
attacks use DNS traffic to carry data between malware and the attacker-
controlled data server.

17. DNS Hijacking
• DNS queries are incorrectly resolved in order to unexpectedly redirect users
to malicious sites.

18. DNS Amplification
• The idea is to amplify the traffic of vulnerable DNS servers to hide the exact
origin of an attack. The attacker forges the destination to be the victim’s
addresses, which can take down an entire infrastructure with minimum
resources.

19. DNS Flooding
• Flooding attacks take advantage of devices that work with a high bandwidth
to bomb DNS servers. The targeted servers cannot handle the gigantic volume
of queries. Such attacks are often associated with super-charged botnets (e.g.
Mirai), which can take down even the largest organizations.

20. How to Secure DNS?
Protecting against these attacks requires DNS security solutions. However, these
solutions must be carefully designed and implemented to ensure that they do not
negatively impact the performance of legitimate DNS requests. These security
solutions are,
• DNS Encryption
• DNSSEC
• DNSCrypt
• Redundant infrastructure
• DNS firewall

21. DNS Encryption
• DNS is an unencrypted and unauthenticated protocol. DNS over HTTPS
(DoH) and DNS over TLS (DoT) provide encryption and authentication

22. DNSSEC
• DNSSEC is a security protocol that signs responses from DNS servers. This
helps to protect against DNS hijacking and spoofing by authenticating the
data returned to the client.

23. DNSCrypt
• DNSCrypt is a protocol that encrypts, authenticates, and optionally
anonymizes communications between a DNS client and a DNS resolver.

24. Redundant infrastructure
• DoS attacks against DNS infrastructure commonly work by sending the target
DNS server more traffic than it can handle. By overprovisioning servers and
using anycast routing, traffic can be load-balanced between multiple servers.
This ensures availability if one server is overloaded or goes down.

25. DNS Firewall
• A DNS firewall sits between a domain’s authoritative nameserver and users’
recursive resolvers. The firewall can rate limit requests to protect against
DDoS attacks or filter traffic to block malicious or suspicious requests.