How DNS works and How to secure it: An Introduction
Topics to be discussed
• What is DNS?
What is DNS?
The domain name system (DNS) is a naming database in
which internet domain names are located and translated into
Internet Protocol (IP) addresses. The domain name system
maps the name people use to locate a website to the IP
address that a computer uses to locate that website.
History of DNS
How does DNS work?
The Internet's DNS works much like a phone book by managing the mapping
between names and numbers. DNS servers translate requests for names into IP
addresses, which determines which server an end user reaches when they type a
domain name into their web browser. These requests are called queries, and by
default they travel unencrypted and unauthenticated over UDP (or TCP) port 53.
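What a query and its answer actually look like on the wire, as an added example (not code from the original slides): a minimal RFC 1035 message builder and parser in pure Python. The response bytes are constructed here to mimic what a resolver would return, including a name-compression pointer, and the IP address is a documentation address, not real data.

```python
"""Build a DNS query and parse a DNS response in the RFC 1035 wire format (stdlib only)."""
import struct

QTYPE_A = 1
QTYPE_NS = 2


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234, rd: bool = True) -> bytes:
    """12-byte header + one question. RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000                 # QR=0 (query), OPCODE=0, RD is bit 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, AN/NS/AR=0
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS=IN


def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers (0xC0xx, RFC 1035 4.1.4).
    Returns (name, offset just after the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                     # the stream resumes after the pointer
            hops += 1
            if hops > 64 or ptr >= offset:           # pointers must go backwards; refuse loops
                raise ValueError("bad compression pointer")
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header flags, the question, and the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            offset += rdlen
            if rtype == QTYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == QTYPE_NS:
                rdata, _ = decode_name(msg, offset - rdlen)
            sections[section].append((name, rtype, ttl, rdata))
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "questions": questions, **sections}


def is_well_formed(msg: bytes) -> bool:
    """Reject truncated or malicious packets instead of crashing the caller."""
    try:
        parse_message(msg)
        return True
    except (ValueError, struct.error, IndexError):
        return False


# Constructed response to build_query("example.com"): same TXID, flags QR=1 RD=1 RA=1 (0x8180),
# the question echoed, and one A record whose owner name is a pointer (0xC00C) to offset 12.
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])
)
# A packet whose name is a pointer to itself: a parser without the backwards check loops forever.
MALFORMED = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(parse_message(RESPONSE))
    print("malformed rejected:", not is_well_formed(MALFORMED))
```

The header is where the security-relevant fields live: the 16-bit transaction ID is the only thing tying an answer to a question, and the parser's refusal to follow a forward or looping compression pointer is the kind of check a resolver needs against hostile packets.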
DNS recursor
The recursive server (recursive resolver) takes DNS queries from an application,
such as a web browser, usually via the operating system's stub resolver. It is the
first server the client talks to and either answers from its cache or queries the
next level of the hierarchy on the client's behalf. It may go through several
rounds of querying before returning an answer to the client.
DNS root name server
This server is the first place the recursive server sends a query if it doesn't have
the answer cached. The root servers do not know individual hostnames; they serve the
root zone, an index of which TLD name servers to ask next. The root zone is managed
by the Internet Assigned Numbers Authority (IANA), a function of the Internet
Corporation for Assigned Names and Numbers (ICANN); the root servers themselves are
run by independent operators.
TLD name server
The root server refers the query to the server for the top-level domain -- the .com, .edu
or .org at the end of the domain name. This is a more specific part of the lookup: the
TLD server holds the delegations (NS records) for every domain registered under it.
Authoritative name server
The authoritative name server is the final stop for the DNS query. It holds the zone
for a given domain (including its subdomains), i.e. the DNS resource records with
specific information about that domain, such as the A record. It returns the
requested record to the recursive server, which sends it back to the client and
caches it for future lookups.
DNS resolution process (DNS lookup)
• A user types 'example.com' into a web browser; the stub resolver sends the query
to a DNS recursive resolver.
• If the answer is not cached, the resolver queries a DNS root nameserver.
• The root server responds with a referral: the names and addresses of the Top Level
Domain (TLD) nameservers for .com, which hold the delegations for all .com domains.
• The resolver then queries one of the .com TLD servers.
DNS resolution process (DNS lookup) cont.
• The TLD server responds with another referral: the NS records for example.com and,
as glue, the IP address of its authoritative nameserver.
• The recursive resolver then queries the domain's authoritative nameserver.
• The authoritative nameserver returns the A record (IP address) for example.com,
flagged as authoritative.
• The resolver caches the records for their TTL and responds to the web browser with
the IP address of the domain requested initially.
Types of DNS queries
• Recursive query - In a recursive query, a DNS client requires that the DNS
server (typically a DNS recursive resolver) respond with either the requested
resource record or an error (such as NXDOMAIN) if the resolver can't find the
record. The client asks for this with the RD (recursion desired) bit in the
query header.
• Iterative query - here the DNS client allows the DNS server to return the best
answer it can. If the queried DNS server does not have a match for the query
name, it returns a referral to the DNS servers authoritative for a lower level
of the domain namespace. The DNS client then queries the referral address. This
continues down the chain until an authoritative answer is returned, or an error
or timeout occurs. This is how a recursive resolver talks to root, TLD and
authoritative servers.
Types of DNS queries cont.
• Non-recursive query - typically this occurs when a DNS client queries a DNS
server for a record that the server can answer immediately, either because it is
authoritative for the record or because the record is in its cache. DNS servers
cache records (for the TTL set by the zone owner) to avoid additional bandwidth
consumption and load on upstream servers; that cache is also what a poisoning
attack targets.
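The resolution walk and the three query types above, as an added example (not the slide author's code): a recursive resolver simulated over a constructed in-memory hierarchy of root, .com and example.com servers, with no network access. The server addresses, zone contents and the `query_server`/`RecursiveResolver` names are invented for this example; the referral-following loop, cache and RD-bit handling are what the slides describe.

```python
"""Iterative resolution walked over a constructed in-memory hierarchy (no network).
Server addresses, zones and records are invented for this example (RFC 5737 ranges)."""


def in_zone(qname, zone):
    return zone == "." or qname == zone or qname.endswith("." + zone)


# One entry per name server, keyed by its made-up IP. Each knows only its own zone:
# the names it is authoritative for, plus NS name and glue address for delegated children.
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {},
                     "delegations": {"com.": [("a.gtld-servers.net.", "192.0.2.5")]}},
    "192.0.2.5": {"zone": "com.", "records": {},
                  "delegations": {"example.com.": [("ns1.example.com.", "192.0.2.53")]}},
    "192.0.2.53": {"zone": "example.com.",
                   "records": {"example.com.": ("A", "192.0.2.10"),
                               "www.example.com.": ("A", "192.0.2.11")},
                   "delegations": {}},
}
ROOT_HINTS = ["198.51.100.1"]


def query_server(ip, qname):
    """One non-recursive question to one server: the 'best answer it can' give.
    Returns ('answer', record), ('referral', [(ns_name, ns_ip), ...]),
    ('nxdomain', None) or ('refused', None)."""
    srv = SERVERS[ip]
    if not in_zone(qname, srv["zone"]):
        return "refused", None                       # not our zone and we do not recurse
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    for child in sorted(srv["delegations"], key=len, reverse=True):   # closest delegation wins
        if in_zone(qname, child):
            return "referral", srv["delegations"][child]
    return "nxdomain", None


class RecursiveResolver:
    def __init__(self):
        self.cache = {}
        self.trace = []          # (server_ip or 'cache', result kind): the path taken

    def resolve(self, qname):
        """Recursive service: start at a root hint and follow referrals to an authoritative answer."""
        if qname in self.cache:
            self.trace.append(("cache", "answer"))
            return self.cache[qname]
        next_hop = ROOT_HINTS
        for _ in range(16):      # bound the chain so a looping delegation cannot hang us
            ip = next_hop[0]
            kind, data = query_server(ip, qname)
            self.trace.append((ip, kind))
            if kind == "answer":
                self.cache[qname] = data
                return data
            if kind == "referral":
                next_hop = [addr for _name, addr in data]
                continue
            return None          # NXDOMAIN or REFUSED: nothing more to follow
        raise RuntimeError("referral chain too long")

    def handle_client(self, qname, rd=True):
        """What the client gets depends on the RD bit: RD=1 is a recursive query (full
        answer or error); RD=0 is non-recursive, answered only from cache, else a referral."""
        if rd:
            data = self.resolve(qname)
            return ("answer", data) if data else ("nxdomain", None)
        if qname in self.cache:
            return ("answer", self.cache[qname])
        return ("referral", list(ROOT_HINTS))


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.handle_client("www.example.com."), r.trace)
    print(r.handle_client("www.example.com."), r.trace[-1])   # second lookup served from cache
```

The bounded loop and the `refused` branch are the two details worth keeping in a real resolver: a misconfigured or hostile delegation can otherwise send a resolver in circles, and a server should not answer for zones it is not responsible for.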
DNS and Threats
• DNS was originally designed for reliability and functionality, not security:
responses are neither encrypted nor authenticated by default.
• According to IDC's 2021 Global DNS Threat Report, 87% of organizations
suffered a DNS attack in the past year.
• With the Covid-19 pandemic, new vulnerabilities and threats related to DNS arose.
DNS Spoofing or Poisoning
• DNS Spoofing - the attacker impersonates a legitimate service, for example by
answering a query with a forged IP address for the domain.
• DNS Poisoning (cache poisoning) is the method: the attacker gets forged DNS data
into a resolver's cache, so every client served from that cache is redirected to
the malicious site. DNS spoofing is the end result. It is possible because a
resolver that does not validate DNSSEC accepts any UDP response whose transaction
ID, destination port and question match an outstanding query, so an attacker who
can guess or observe those values wins the race against the real answer.
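The checks a non-validating resolver can apply before caching an answer, and why they are weak, as an added example that is not part of the original slides. The messages are dicts constructed for the example, not captured traffic; the `bailiwick_ok` and `response_accepted` names are this example's own. It also shows the probability arithmetic behind source-port randomisation, assuming the resolver picks ports uniformly from 1024 to 65535.

```python
"""Why classic DNS over UDP can be poisoned, and the checks a resolver applies before caching.
All messages are dicts constructed for this example, not captured traffic."""


def bailiwick_ok(zone, owner):
    """Only cache records whose owner is at or below the zone we asked about, so a reply
    for example.com cannot plant records for an unrelated zone."""
    return owner == zone or owner.endswith("." + zone)


def response_accepted(pending, resp):
    """Every check a resolver can make without DNSSEC. `pending` is the outstanding query."""
    if resp["src_ip"] != pending["server_ip"]:
        return False, "unexpected source address"   # trivially spoofed, but still checked
    if resp["dst_port"] != pending["src_port"]:
        return False, "port mismatch"
    if resp["txid"] != pending["txid"]:
        return False, "txid mismatch"
    if resp["question"] != pending["question"]:
        return False, "question mismatch"
    for owner, _rtype, _rdata in resp["records"]:
        if not bailiwick_ok(pending["zone"], owner):
            return False, "out-of-bailiwick record for " + owner
    return True, "accepted"


def blind_spoof_success(attempts, randomised_ports):
    """P(at least one of `attempts` blind forged replies matches) before the real answer lands.
    The source IP is spoofable, so only the 16-bit TXID and, if randomised, the port are secret."""
    guess_space = 65536 * (65535 - 1024 + 1) if randomised_ports else 65536
    return 1 - (1 - 1 / guess_space) ** attempts


PENDING = {"txid": 0x2A5F, "src_port": 41234, "server_ip": "192.0.2.53",
           "question": ("www.example.com.", "A"), "zone": "example.com."}

GENUINE = {"txid": 0x2A5F, "dst_port": 41234, "src_ip": "192.0.2.53",
           "question": ("www.example.com.", "A"),
           "records": [("www.example.com.", "A", "192.0.2.11")]}

# Attacker spoofed the server IP and guessed the TXID, but the resolver used a random source port.
FORGED_PORT = {**GENUINE, "dst_port": 53,
               "records": [("www.example.com.", "A", "203.0.113.66")]}

# Attacker got everything right and smuggles a record for another zone into the reply:
# the original cache-poisoning trick, which the bailiwick rule stops. (The Kaminsky variant
# stays in-bailiwick and is countered by port randomisation and DNSSEC, not by this rule.)
FORGED_GLUE = {**GENUINE,
               "records": [("www.example.com.", "A", "192.0.2.11"),
                           ("ns1.bank.example.", "A", "203.0.113.66")]}

if __name__ == "__main__":
    for label, resp in (("genuine", GENUINE), ("wrong port", FORGED_PORT), ("bad glue", FORGED_GLUE)):
        print(label, response_accepted(PENDING, resp))
    print("65536 blind tries, fixed port:", blind_spoof_success(65536, False))
    print("65536 blind tries, random port:", blind_spoof_success(65536, True))
```

With a fixed source port, about 65 000 forged packets give the attacker a roughly two-in-three chance per race; with randomised ports the same effort is worth about one in 65 000, which is why port randomisation was the emergency fix in 2008 and why DNSSEC validation is the durable one.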
DNS Tunneling
• exploits the fact that DNS traffic is almost always allowed through corporate
firewalls. The attacker encodes data in the subdomain labels of queries for a domain
they control and in the responses (often TXT or NULL records), so DNS carries data
between malware and the attacker-controlled server. Typical signs are long,
high-entropy labels, unusual record types and a high query volume to one domain.
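A small detector for those signs run over resolver log lines, as an added example (not from the original slides). The log format and the eight lines are constructed for the example; the thresholds are assumptions tuned to the sample, and the two-label guess of the registrable domain should be replaced by a public-suffix list in production.

```python
"""Flag DNS queries that look like tunnelling or exfiltration in resolver logs.
Log lines are constructed for this example; the format is a generic
'<client> query: <name> <type>' and not any specific product's format."""
import math
import re
from collections import defaultdict

LOG = """\
10.0.0.5 query: www.example.com A
10.0.0.5 query: mail.example.com MX
10.0.0.7 query: 4a6f686e20446f65203132333435.x.evil-tunnel.example TXT
10.0.0.7 query: 6f7468657220646174612068657265.x.evil-tunnel.example TXT
10.0.0.7 query: 7365637265742d7061796c6f6164-3.x.evil-tunnel.example NULL
10.0.0.7 query: 6d6f72652d6578666c2d64617461-4.x.evil-tunnel.example TXT
10.0.0.9 query: cdn.static-assets.example A
10.0.0.9 query: api.example.com AAAA
"""
LINE_RE = re.compile(r"^(\S+) query: (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, words and hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name, depth=2):
    """Crude registrable-domain guess: the last `depth` labels (assumption for the sample)."""
    return ".".join(name.rstrip(".").split(".")[-depth:])


def score_query(name, qtype):
    """Per-query indicators. Thresholds are assumptions, not universal constants."""
    labels = name.rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])            # everything left of the registrable domain
    reasons = []
    if len(subdomain) >= 25 and shannon_entropy(subdomain) >= 3.0:
        reasons.append("long high-entropy subdomain")
    if any(len(label) >= 24 for label in labels):
        reasons.append("oversized label")
    if qtype in {"TXT", "NULL"} and subdomain:
        reasons.append(qtype + " query with data-bearing label")
    return reasons


def detect_tunneling(log_text, min_hits_per_domain=3):
    """Group suspicious queries by domain: one odd name is noise, many distinct
    high-entropy names under one domain is a channel."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, name, qtype = m.groups()
        reasons = score_query(name, qtype)
        if reasons:
            per_domain[base_domain(name)].append((client, name, qtype, reasons))
    return {d: hits for d, hits in per_domain.items() if len(hits) >= min_hits_per_domain}


if __name__ == "__main__":
    for domain, hits in detect_tunneling(LOG).items():
        print(domain, len(hits), "suspicious queries from", {h[0] for h in hits})
```

Volume per domain is the discriminator that keeps false positives down: CDNs and anti-spam lookups also produce long labels, but not thousands of distinct ones under a single newly seen domain from one client.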
DNS Hijacking
• DNS queries are resolved incorrectly in order to redirect users to malicious sites.
Unlike cache poisoning, hijacking changes the resolution path itself: compromising
the domain owner's registrar account to change NS records, taking over a nameserver,
or changing the resolver settings on a host or home router with malware.
DNS Amplification
• A reflected DDoS technique: the attacker sends small queries to open resolvers (or
authoritative servers) with the source address forged to be the victim's, so the much
larger responses are delivered to the victim. Because responses can be many times the
size of the queries (especially for ANY queries or DNSSEC-signed records), a modest
amount of attacker bandwidth can take down an entire infrastructure, and the forged
source hides the attack's real origin.
DNS Flooding
• Flooding attacks use devices with high bandwidth to overwhelm DNS servers with more
queries than they can handle, so that legitimate queries go unanswered. Such attacks
are often associated with large botnets (e.g. Mirai), which can take down even the
largest organizations.
How to Secure DNS?
Protecting against these attacks requires DNS security measures. However, they
must be carefully designed and implemented so that they do not negatively impact
the performance of legitimate DNS requests. The main measures are:
• DNS Encryption
• DNSSEC
• DNSCrypt
• Redundant infrastructure
• DNS firewall
DNS Encryption
• DNS is by default an unencrypted and unauthenticated protocol. DNS over HTTPS
(DoH) and DNS over TLS (DoT) encrypt the hop between the client and its resolver
and authenticate the resolver via its TLS certificate, which stops on-path
eavesdropping and tampering on that hop. They do not authenticate the DNS data
itself (that is DNSSEC's job), and the resolver still sees every query.
DNSSEC
• DNSSEC adds digital signatures to DNS zone data, chained from the root down through
each delegation (DS records), so a validating resolver can verify that an answer is
authentic and unmodified. This protects against spoofed and poisoned answers. It
provides integrity, not confidentiality: signed responses are still sent in the
clear, and the zone owner must keep the signatures and DS records current.
DNSCrypt
• DNSCrypt is a protocol that encrypts, authenticates, and optionally
anonymizes communications between a DNS client and a DNS resolver.
Redundant infrastructure
• DoS attacks against DNS infrastructure commonly work by sending the target
DNS server more traffic than it can handle. By overprovisioning servers and
using anycast routing, traffic can be load-balanced between multiple servers.
This ensures availability if one server is overloaded or goes down.
DNS Firewall
• A DNS firewall sits between a domain's authoritative nameserver and users'
recursive resolvers. The firewall can rate limit requests to protect against
DDoS attacks or filter traffic to block malicious or suspicious requests. The
term is also used for resolver-side filtering, such as BIND Response Policy
Zones (RPZ), that blocks or rewrites answers for known-malicious domains.
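Both sides of that slide in a single BIND 9 configuration, as an added example that is not from the original slides: response rate limiting (RRL) so the server cannot be used as an amplifier or flooded with identical queries, recursion restricted to internal networks so it is not an open resolver, and a Response Policy Zone that blocks, blanks or sinkholes malicious domains. The network ranges, domain names, zone file path and sinkhole address are assumptions for the example.

```conf
# --- named.conf fragment (BIND 9) ---
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };   # internal clients only; never an open resolver

    rate-limit {
        responses-per-second 10;   # identical answers to one client/net are capped here
        errors-per-second 5;       # NXDOMAIN/SERVFAIL floods are capped separately
        slip 2;                    # every 2nd dropped reply is sent truncated, so a real
                                   # client retries over TCP while a spoofed source gets nothing
    };

    response-policy { zone "rpz.local"; };   # consult the policy zone before answering
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };         # used internally by the resolver, never served to clients
};

# --- /etc/bind/db.rpz.local ---
$TTL 300
@                      IN SOA   localhost. hostmaster.localhost. ( 2024010101 3600 900 604800 300 )
                       IN NS    localhost.
; NXDOMAIN for the domain and everything under it (stops a tunnelling domain outright)
evil-tunnel.example    IN CNAME .
*.evil-tunnel.example  IN CNAME .
; NODATA: the name exists but has no records of the requested type
phish.example          IN CNAME *.
; redirect to an internal sinkhole that logs which client asked (assumed address)
tracker.example        IN A     10.0.0.250
```

After reloading, `rndc reload` and a `dig` against the resolver for evil-tunnel.example should return NXDOMAIN, and the query log will show the RPZ rewrite; keep the policy zone small and reviewed, because a mistaken entry here silently breaks resolution for every client.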
Editor's Notes

  1. In the world of networking, computers do not identify each other by names the way humans do; they use numbers, because numbers such as IP addresses are how computers and similar devices identify and talk to each other over a network. Humans, on the other hand, are accustomed to using names rather than numbers, whether talking directly to another person or identifying a country, a place or a thing. To bridge this gap between computers and humans and make communication easier, network engineers developed DNS. DNS eliminates the need to remember IP addresses. To visit a website, you open your web browser and type in that site's domain name; take google.com. Technically you do not have to type google.com to retrieve Google's web page: you could type in the IP address instead if you already knew it. But since we are not accustomed to memorizing numbers, especially with some 342 million registered domains on the Internet, we type the domain name and let DNS convert it to an IP address for us. Web browsing and most other Internet activities rely on DNS to quickly provide the information necessary to connect users to remote hosts. DNS mapping is distributed throughout the Internet in a hierarchy of authority. Access providers and enterprises, as well as governments, universities and other organizations, typically have their own assigned ranges of IP addresses and an assigned domain name. They also typically run DNS servers to manage the mapping of those names to those addresses. Most Uniform Resource Locators (URLs) are built around the domain name of the web server that takes client requests.
  2. In the 1970s, all hostnames and their corresponding numerical addresses were contained in a single file called "HOSTS.TXT", maintained by Elizabeth Feinler at the Stanford Research Institute. This was the directory of the Advanced Research Projects Agency Network (ARPANET), and Feinler's group manually assigned numerical addresses to hostnames; adding a new name to the directory required a phone call. By the early 1980s this system had become too inefficient to maintain. In 1983, the domain name system was created to distribute what had been one centralized file across multiple servers and locations. The DNS protocol and the types of data it carries were specified in RFC 1034 and RFC 1035, published by the IETF in November 1987 and later designated Internet Standard 13. Since then, DNS has been consistently updated and expanded to accommodate the increasingly complex Internet. Today, large information technology companies, like Microsoft and Google, offer their own DNS hosting services.
  3. As with a phone book, when you want to find a number you do not look up the number first; you look up the name, and it gives you the number. When your computer wants to find the IP address associated with a domain name, it first makes a DNS query via a DNS client, typically the stub resolver used by a web browser. The query goes to a recursive DNS server, also known as a recursive resolver. A recursive resolver is typically operated by an Internet Service Provider (ISP) or a public DNS provider, and it knows which other DNS servers it needs to ask to resolve the name of a site to its IP address. The servers that actually hold the needed information are called authoritative name servers. DNS is organized in a hierarchy. An initial DNS query for an IP address is made to a recursive resolver. The search first leads to a root server, which knows the top-level domain servers; a TLD server stores address information for the nameservers of domains under its top-level domain, such as .com, .net or .org. The .com TLD server manages the .com domain, of which google.com is a part. When that TLD server receives a query for the IP address of google.com, it does not know the answer itself; it directs the resolver to the next and final level, the authoritative name servers. The resolver now asks the authoritative name server for the IP address of google.com. The authoritative name server or servers are responsible for knowing everything about the domain, including its IP address. The answer then goes back to the DNS client so it can visit the appropriate website. All of this takes mere milliseconds.
  4. There are several server types involved in completing a DNS resolution. The DNS recursor is also known as the recursive resolver. The recursor can be thought of as a librarian who is asked to go find a particular book somewhere in a library. The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query. During this process, the recursive resolver will cache information received from authoritative name servers. When a client requests the IP address of a domain name that was recently requested by another client, the resolver can skip the process of communicating with the nameservers and just deliver the requested record to the client from its cache.
  5. The root server is the first step in translating (resolving) human-readable host names into IP addresses. It can be thought of as an index in a library that points to different racks of books. A root server accepts a recursive resolver’s query, which includes a domain name, and responds by directing the recursive resolver to a TLD nameserver based on the extension of that domain (.com, .net, .org, etc.). The root nameservers are overseen by a nonprofit organization called the Internet Corporation for Assigned Names and Numbers (ICANN). There are 13 root servers worldwide.
  6. The top-level domain server can be thought of as a specific rack of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname. A TLD nameserver maintains information for all the domain names that share a common domain extension, such as .com, .net, or whatever comes after the last dot in a URL. For example, a .com TLD nameserver contains information for every website that ends in ‘.com’. If a user were searching for google.com, after receiving a response from a root nameserver, the recursive resolver would then send a query to a .com TLD nameserver, which would respond by pointing to the authoritative nameserver for that domain.
  7. This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request.
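The referral walk in slides 3 to 7 and the resolver caching in slide 4, as an added example that is not part of the original presentation: a toy recursive resolver in Go over constructed root, TLD and authoritative tables (example.com, the server names and the 192.0.2.10 address are made up), which records the servers it consulted and answers repeated lookups from cache until the record's TTL runs out.

```go
package main

import "strings"
import "time"

// Constructed stand-ins for the nameserver tiers (added example, not real DNS
// data): root refers to a TLD server, which refers to the authoritative server.
var rootRefs = map[string]string{"com.": "tld-com"}                   // root: TLD -> TLD server
var tldRefs = map[string]string{"example.com.": "ns-example"}         // tld-com: zone -> authoritative
var authRecords = map[string]string{"www.example.com.": "192.0.2.10"} // ns-example: name -> A record
const ttl = 300 * time.Second // TTL carried by the authoritative answer (constructed)
type cacheEntry struct{ ip string; expires time.Time }
// Resolver plays the recursive resolver: a full walk on a miss, then cache hits
// until the record's TTL expires.
type Resolver struct {
	cache map[string]cacheEntry
	Now   func() time.Time // injectable clock so TTL expiry can be exercised
	Trace []string         // servers consulted by the latest lookup
}

func NewResolver() *Resolver {
	return &Resolver{cache: map[string]cacheEntry{}, Now: time.Now}
}

// Resolve returns the A record for name, or false when some tier cannot answer.
func (r *Resolver) Resolve(name string) (string, bool) {
	r.Trace = nil
	name = strings.TrimSuffix(name, ".") + "."
	if e, ok := r.cache[name]; ok && r.Now().Before(e.expires) {
		r.Trace = append(r.Trace, "cache")
		return e.ip, true
	}
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(labels) < 2 {
		return "", false
	}
	// What each tier is asked: the TLD, then the delegated zone, then the full name.
	keys := []string{labels[len(labels)-1] + ".", strings.Join(labels[len(labels)-2:], ".") + ".", name}
	server := "root"
	for i, table := range []map[string]string{rootRefs, tldRefs, authRecords} {
		r.Trace = append(r.Trace, server)
		next, ok := table[keys[i]]
		if !ok {
			return "", false // unknown TLD, undelegated zone, or NXDOMAIN
		}
		server = next // a referral names the next server; the last answer is the IP
	}
	r.cache[name] = cacheEntry{ip: server, expires: r.Now().Add(ttl)}
	return server, true
}
```

Trace reads [root tld-com ns-example] on the first lookup and [cache] on the second; once the TTL has passed the walk is repeated.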
  8. As a result, DNS servers have always been vulnerable to a broad spectrum of attacks, including spoofing, amplification, and denial-of-service. Many of these attacks have had serious consequences, and several new DNS-related vulnerabilities have recently been discovered.
  9. In a DNS cache poisoning attack, the attacker manages to fill the DNS cache with false information, so that DNS queries redirect users to a rogue IP address. It’s technically not possible for DNS resolvers to check the data in the cache. That’s why the false information remains in the cache until it expires, a period known as the TTL, or time to live. Even though this attack is only temporary by definition, it’s often enough to inject malware successfully. Most of the time, the hackers redirect users to a copy of the legitimate website to steal credentials or banking data. While counterfeit websites sometimes show signs users can spot, they are often hard to detect, for example when the copy is an exact clone of the original app.
  10. DNS tunneling relies on a client-server architecture and consists of using other protocols, such as TCP or SSH, to tunnel malware through DNS requests. The attacker will typically register a domain name and point it to a server they control that hosts the malware. Hackers have been using this technique for a long time, as it is particularly efficient for connecting a command-and-control server to an infected machine. There is no firewall that can block these DNS requests.
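Because tunneled data has to travel inside the query names themselves, one defensive check is to look for names that do not look like hostnames. The Go code below is an added example, not from the presentation, that scores a constructed list of queried names by label length and character entropy and counts such queries per zone; the sample names, the cdn-update.example zone and the thresholds are assumptions.

```go
package main

import "math"
import "strings"

// Constructed query names (added example, not real traffic). The
// cdn-update.example names imitate the long, high-entropy labels a tunnel
// uses to carry data inside the question name; the others are ordinary.
var sampleQueries = []string{
	"www.example.com",
	"mail.example.com",
	"x7k2q9vz4mpd81lw.c3h8n2tq5r.cdn-update.example",
	"q0w9e8r7t6y5u4i3.o2p1a9s8d7f6.cdn-update.example",
	"z1x2c3v4b5n6m7l8.k9j8h7g6f5d4.cdn-update.example",
}
// Thresholds are constructed starting points; tune them against your own baseline.
const maxLabelLen, minEntropy = 12, 3.5
// entropy returns the Shannon entropy of an ASCII label in bits per character.
func entropy(s string) float64 {
	counts := map[byte]int{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	h := 0.0
	for _, n := range counts {
		p := float64(n) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// SuspectZones counts, per zone (last two labels), queries whose subdomain part
// has a long, high-entropy label: encoded data looks like that, hostnames rarely do.
func SuspectZones(qnames []string) map[string]int {
	count := map[string]int{}
	for _, qname := range qnames {
		labels := strings.Split(strings.ToLower(qname), ".")
		if len(labels) < 3 {
			continue // nothing below the zone apex to carry data
		}
		zone := strings.Join(labels[len(labels)-2:], ".")
		for _, label := range labels[:len(labels)-2] {
			if len(label) >= maxLabelLen && entropy(label) >= minEntropy {
				count[zone]++
				break
			}
		}
	}
	return count
}
```

A zone that accumulates many such queries from one client is a candidate tunnel endpoint to investigate, not proof on its own: CDN and anti-spam services also generate odd-looking labels.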
  11. In DNS hijacking, the attacker redirects all queries to another domain name server, for example after gaining unauthorized access to modify DNS records. Unlike DNS poisoning attacks, the DNS cache is not involved. There are different approaches and techniques for DNS hijacking: for example, the hacker can modify the local DNS settings or compromise the router.
  12. A DNS amplification attack takes advantage of services that communicate over UDP and have responses that are much larger than the corresponding request. These factors allow an attacker to send requests to the service and have the much larger responses sent to the target. A DNS amplification attack floods the target with DNS responses, consuming bandwidth and overwhelming the target’s servers.
  13. DNS flood attacks use the DNS protocol to carry out a User Datagram Protocol (UDP) flood. Threat actors send valid (but spoofed) DNS request packets at an extremely high packet rate from a massive group of source IP addresses. Since the requests look valid, the target’s DNS servers start responding to all of them, and the DNS server can become overwhelmed by the massive number of requests. A DNS flood consumes a great amount of network resources, exhausting the targeted DNS infrastructure until it is taken offline. As a result, the target’s internet access also goes down.
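Both attacks leave a measurable trace at the server: a burst of queries from one address (flood), or responses far larger than the requests being sent toward one address (amplification toward a spoofed victim). The Go code below is an added example, not part of the presentation, that scores a constructed one-second resolver log against those two signals; the log format, the addresses and the thresholds are assumptions.

```go
package main

import "strconv"
import "strings"

// Constructed resolver log for one second (added example, not real data), one
// query per line: "source qtype req_bytes resp_bytes". 198.51.100.9 plays the
// spoofed victim of an amplification attempt (repeated ANY queries whose
// responses dwarf the requests); 10.0.0.5 is an ordinary client.
var sampleLog = []string{
	"10.0.0.5 A 45 61",
	"198.51.100.9 ANY 64 3120",
	"198.51.100.9 ANY 64 3120",
	"198.51.100.9 ANY 64 3120",
	"10.0.0.5 AAAA 45 73",
}
// Stats is what the server received from and sent toward one source address.
type Stats struct{ Queries, ReqBytes, RespBytes int }
// Aggregate tallies per-source counters; malformed lines are skipped and an
// unparsable size counts as 0 rather than aborting the scan.
func Aggregate(lines []string) map[string]Stats {
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n }
	stats := map[string]Stats{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		s := stats[f[0]]
		s.Queries++
		s.ReqBytes += atoi(f[2])
		s.RespBytes += atoi(f[3])
		stats[f[0]] = s
	}
	return stats
}

// Flag names sources that exceed the per-second query budget (flood) or whose
// responses exceed maxAmp times their requests, i.e. the server is acting as a
// reflector toward that address (amplification); the value says which rule fired.
func Flag(lines []string, maxQueries int, maxAmp float64) map[string]string {
	flagged := map[string]string{}
	for src, s := range Aggregate(lines) {
		switch {
		case s.Queries > maxQueries:
			flagged[src] = "flood"
		case float64(s.RespBytes) > maxAmp*float64(s.ReqBytes):
			flagged[src] = "amplification"
		}
	}
	return flagged
}
```

In the sample, 198.51.100.9 is flagged for amplification at a lax query budget and for flooding at a tight one, while 10.0.0.5 never is; in practice the response to an amplification hit is to rate-limit or refuse large answers toward that address, not to block it as an attacker.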
  14. DNS is prone to man-in-the-middle (MITM) attacks. For example, anyone who manages to get into a Wi-Fi or a corporate network can tamper with DNS queries and responses. Encryption can harden access to DNS messages. While it’s not the exact same concept, it’s a bit like migrating a website from HTTP to HTTPS. DNS over HTTPS (DoH) allows DNS queries to be executed through the HTTPS protocol. Without proper authorization, it’s theoretically impossible to gain access to the queries and responses. DNS over TLS (DoT) has been introduced to embed DNS messages in secure channels: TLS handshake messages are exchanged between the client and the server before the encrypted DNS messages are sent.
  15. The Domain Name System Security Extensions (DNSSEC) use digital signatures based on public keys to strengthen DNS. Instead of encrypting DNS queries and responses, DNSSEC secures DNS data with public and private key pairs. The private key is used to sign the DNS data in a specific zone and generate a digital signature, and the public key is published in the zone. Any resolver that looks up data in the zone can retrieve the public key to validate the authenticity of the DNS data before returning it to the user. If the signature is incorrect or missing, the resolver treats it as an attack and does not pass the data on.
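To make the sign-then-validate step concrete, here is an added Go example (not from the presentation) of the mechanism in simplified form: the zone operator signs a record set with the zone's private key, and a resolver holding the published public key accepts the set only when the signature verifies, rejecting a swapped address or a missing signature. It uses Ed25519 keys and its own canonical serialization rather than the real RRSIG/DNSKEY record formats, and example.com with the 192.0.2.x addresses are made-up data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"sort"
	"strings"
)

// RRset is what DNSSEC signs: all records of one name and type. This is a
// simplified model of the mechanism (added example), not the RFC 4034 wire
// format with its RRSIG and DNSKEY records.
type RRset struct {
	Name, Type string
	Records    []string
}

// canonical serializes an RRset deterministically so signer and validator
// hash identical bytes; real DNSSEC defines its own canonical form for this.
func (rr RRset) canonical() []byte {
	recs := append([]string(nil), rr.Records...)
	sort.Strings(recs)
	return []byte(strings.ToLower(rr.Name) + "\x00" + rr.Type + "\x00" + strings.Join(recs, "\x00"))
}

// GenerateZoneKey makes the zone's key pair (Ed25519 is DNSSEC algorithm 15).
// The public half is what the zone publishes; the private half stays with the signer.
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRRset plays the zone operator producing the signature published next to the data.
func SignRRset(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, rr.canonical())
}

// Validate plays the resolver: with the zone's published public key it accepts
// the RRset only if the signature matches, so a swapped record or a missing
// signature is rejected instead of being cached and returned to the client.
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, rr.canonical(), sig)
}
```

What the model leaves out is how the resolver learns to trust the zone's public key: in real DNSSEC that comes from the parent zone's DS record, chained up to the root trust anchor.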
  16. DNSCrypt encrypts all DNS traffic. The cryptography involved is elliptic-curve cryptography. It allows filtering the traffic that passes over UDP and TCP, for example in the browser, which is an effective security measure in corporate networks. Its authentication can prevent DNS spoofing.
  17. A DNS firewall is a network security solution that prevents network users and systems from connecting to known malicious Internet locations. A DNS firewall works by employing DNS Response Policy Zones (RPZs) and actionable threat intelligence to prevent data exfiltration. DNS firewalls can also provide insight into threats, help isolate infected devices for remediation, and stay current with the evolving threat landscape through an automated threat intelligence feed.