DNS Security

This post provides resources on security aspects of the Domain Name System (DNS).

This post assumes that you already know how DNS works. You can read an introduction to DNS on this post.

Security Controls for DNS

Security controls specific for DNS:

  • DNSSEC
  • DoH
  • Split-DNS
  • DNS sinkhole

DNSSEC

Domain Name System Security Extensions (DNSSEC) is a security improvement or feature of the Domain Name System (DNS) that authenticates responses to domain name lookups.

It provides mutual certificate authentication and encrypted sessions between devices during operations.

It provides origin authority and data integrity guarantees when queries are answered, as well as authenticated denial of existence when domain names do not exist.

DNSSEC reduces server-focused DNS abuses, such as zone file poisoning and DNS cache poisoning.

DNSSEC is a security control that applies to DNS servers, not to non-DNS systems such as DNS clients.

Each zone in DNSSEC has a zone-signing key pair (ZSK): the private portion of the key digitally signs each RRset in the zone, while the public portion verifies the signature. To enable DNSSEC, a zone operator creates digital signatures for each RRset using the private ZSK and stores them in their name server as RRSIG records. This is like saying, “These are my DNS records, they come from my server, and they should look like this.”
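The paragraph above covers the signing side (the ZSK signs each RRset and the signature is published as an RRSIG). The example below, added here and not taken from the post or from any DNSSEC implementation, shows the validator side of one link in the chain of trust: the parent zone publishes a DS record that is a hash of the child's DNSKEY, and a resolver checks that the DNSKEY it receives from the child matches that DS before trusting any RRSIG made with it. The key tag and DS digest computations follow RFC 4034; the DNSKEY contents (flags 257, algorithm 13) and the 64-byte "public key" are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed DNSKEY fields (not a real key): flags 257 marks a key-signing key
# (SEP bit set), protocol is always 3, algorithm 13 is ECDSAP256SHA256.
# The 64 "public key" bytes are a placeholder for illustration only.
DNSKEY_FLAGS = 257
DNSKEY_PROTOCOL = 3
DNSKEY_ALGORITHM = 13
FAKE_PUBLIC_KEY = bytes(range(1, 65))   # constructed placeholder, not a real curve point

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Serialise DNSKEY RDATA as it appears on the wire (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_name_wire(name):
    """Canonical (lowercase) wire form of a domain name: length-prefixed labels, root = 0 byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4): hash(owner name wire | DNSKEY RDATA).
    digest_type 2 is SHA-256; 1 is SHA-1, kept only for completeness."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_name_wire(owner) + rdata).hexdigest()

def make_ds(owner, rdata, digest_type=2):
    """The DS record fields (key tag, algorithm, digest type, digest) the parent would publish."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds, owner, rdata):
    """Validator check of one chain-of-trust link: the DS the parent published must
    match the DNSKEY the child serves in key tag, algorithm and digest."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, FAKE_PUBLIC_KEY)
    ds = make_ds("example.com.", rdata)
    print("DS the parent publishes:", ds)
    print("child DNSKEY accepted:", ds_matches_dnskey(ds, "example.com.", rdata))
    # A key substituted by a poisoned server fails the DS check, so its RRSIGs are never trusted.
    swapped = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, b"\xff" + FAKE_PUBLIC_KEY[1:])
    print("substituted DNSKEY accepted:", ds_matches_dnskey(ds, "example.com.", swapped))
```

The point of the check is that a poisoned DNS answer cannot simply ship its own DNSKEY along with forged RRSIGs: the DNSKEY must hash to the DS held by the parent, and the parent's DS is itself signed up to the root trust anchor.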

DNSSEC official website

DNS over HTTPS (DoH)

DNS over HTTPS (DoH) creates an encrypted session with a DNS server over TLS-protected HTTP and then uses that session as a form of VPN to protect the DNS query and response.

DoH should be used by non-DNS servers (such as client devices) especially when using the internet.

Oblivious DoH (ODoH) is a 2020 enhancement that adds a DNS proxy between the client and the DNS resolver so that the identity of the requesting client is isolated from the DNS resolver.

Thus, ODoH provides anonymity and privacy to DNS queries.

Split-DNS

A split-DNS, split-horizon DNS or split-view DNS

DNS Sinkhole

A false telemetry system, sinkhole server, internet sinkhole or blackhole system is a defense mechanism.

A DNS sinkhole or black-hole DNS is an instance of false telemetry system applied to DNS.

It attempts to provide false responses to DNS queries from malware, such as bots, to prevent access to command and control (C2) systems. It can also be used to protect users from visiting known malicious or phishing sites.

DNS sinkhole can be used both for defensive and offensive purposes.
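To make the sinkhole mechanism concrete, here is an added example (written for this post, not taken from it or from any sinkhole product) of the decision a sinkholing resolver makes for each query: parse the question out of the DNS packet, match the name against a block list (including subdomains of listed names), and for a hit answer with a sinkhole address while recording who asked, which is the "false telemetry" that tells defenders which hosts are infected. Unlisted names return None, meaning the query should be forwarded to the real upstream resolver. The block list, the client address and the sinkhole address 192.0.2.1 (a documentation range) are constructed for the example.

```python
import socket
import struct

SINKHOLE_IP = "192.0.2.1"                              # assumption: TEST-NET-1 address, not a real host
BLOCKLIST = {"c2.bad.example", "phish.example"}        # constructed sample block list
hits = []                                              # constructed in-memory log of sinkholed queries

def build_query(qname, qid=0x1234, qtype=1):
    """Build a minimal DNS query packet; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)          # RD set, one question
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN

def parse_question(packet):
    """Return (qid, qname, qtype, offset_after_question) from the header and first question."""
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or flags & 0x8000:                                 # QR bit set means a response
        raise ValueError("expected a single-question query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                                              # no compression in a question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return qid, ".".join(labels), qtype, pos + 4

def is_blocked(qname):
    """Exact or parent-domain match: listing c2.bad.example also catches bot7.c2.bad.example."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def sinkhole_response(packet, client):
    """For a blocked A query, return a response that points the name at SINKHOLE_IP and
    log the asking client; for anything else return None so the caller forwards upstream."""
    qid, qname, qtype, qend = parse_question(packet)
    if qtype != 1 or not is_blocked(qname):
        return None
    hits.append((client, qname))                                       # the telemetry defenders want
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)           # QR, RD, RA; 1 question, 1 answer
    answer = (b"\xC0\x0C"                                              # name pointer to offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4)                      # type A, class IN, TTL 60, RDLENGTH 4
              + socket.inet_aton(SINKHOLE_IP))
    return header + packet[12:qend] + answer                           # echo the question, append the answer

def answer_ip(response):
    """Extract the A record address from a response built by sinkhole_response()."""
    return socket.inet_ntoa(response[-4:])

if __name__ == "__main__":
    for name in ("www.example.org", "bot7.c2.bad.example"):
        reply = sinkhole_response(build_query(name), "10.0.0.5")
        print(name, "->", "forward upstream" if reply is None else answer_ip(reply))
    print("sinkhole hits:", hits)
```

A production sinkhole also answers AAAA queries, keeps the TTL short so a delisted name recovers quickly, and ships the hits log to the SIEM; the matching and response construction are the same.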

DNS Hardening

DNS hardening advice:

  • Limit zone transfers from internal DNS servers to external DNS servers. To achieve this, block inbound TCP port 53 (zone transfer requests) and inbound UDP port 53 (queries).
  • Restrict zone transfers to authorized secondary servers.
  • Require internal clients to resolve all domain names through the internal DNS. To achieve this, block outbound UDP port 53 (queries).
  • Limit the external DNS servers from which internal DNS servers pull zone transfers.
  • Deploy a NIDS to watch for abnormal DNS traffic
  • Deploy HIDS
  • Properly harden all DNS server and client systems in your private network.
  • Use DNSSEC to secure your DNS infrastructure
  • Use DoH and ODoH when supported
  • Implement a split-DNS
  • Implement a DNS sinkhole
  • Use transaction signatures (TSIG) to authenticate zone transfer requests. This adds an extra layer of security, ensuring that transfers are performed only between trusted servers.
  • Perform regular monitoring
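The TSIG item in the list above is the one that keeps a zone transfer from being requested by anyone who can reach TCP port 53. The example below, added here and not part of the post or of any DNS server's code, models the check a primary performs on an incoming AXFR request: the request carries a key name, a timestamp and an HMAC, and the primary recomputes the HMAC over the message plus the TSIG variables laid out as RFC 8945 section 4.3.3 specifies. It is a simplified model (the TSIG RR itself is not packaged into the additional section, and the request is a constructed AXFR for example.com); the key name "xfer-key." and its secret are assumptions for the example.

```python
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."    # TSIG algorithm name as it appears in the TSIG RR
FUDGE = 300                   # seconds of clock skew tolerated (a common default)

# Constructed shared secret for the key name "xfer-key." (an assumption for this example).
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
TSIG_KEYS = {"xfer-key.": DEMO_SECRET}

def name_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root = 0 byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables in the order RFC 8945 section 4.3.3 feeds them into the MAC."""
    return (name_wire(key_name)
            + struct.pack("!HI", 255, 0)                                       # class ANY, TTL 0
            + name_wire(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed):
    """MAC over the unsigned DNS message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, FUDGE)
    return hmac.new(secret, data, hashlib.sha256).digest()

def tsig_verify(message, key_name, mac, time_signed, keys, now):
    """What a primary checks before honouring a signed request such as AXFR: the key
    must be known, the timestamp fresh, and the MAC must match.  Returns (accepted, error)."""
    secret = keys.get(key_name.lower())
    if secret is None:
        return False, "BADKEY"
    if abs(now - time_signed) > FUDGE:
        return False, "BADTIME"
    expected = tsig_sign(message, key_name, secret, time_signed)
    if not hmac.compare_digest(expected, mac):           # constant-time comparison
        return False, "BADSIG"
    return True, "NOERROR"

# Constructed AXFR request for example.com: 12-byte header, QNAME, QTYPE AXFR (252), QCLASS IN (1)
AXFR_REQUEST = (struct.pack("!HHHHHH", 0x2A2A, 0, 1, 0, 0, 0)
                + name_wire("example.com.") + struct.pack("!HH", 252, 1))

if __name__ == "__main__":
    t = 1_700_000_000
    mac = tsig_sign(AXFR_REQUEST, "xfer-key.", DEMO_SECRET, t)
    print("authorized secondary:", tsig_verify(AXFR_REQUEST, "xfer-key.", mac, t, TSIG_KEYS, t + 5))
    altered = AXFR_REQUEST[:12] + name_wire("other.example.") + AXFR_REQUEST[-4:]
    print("request altered in transit:", tsig_verify(altered, "xfer-key.", mac, t, TSIG_KEYS, t + 5))
    print("replayed an hour later:", tsig_verify(AXFR_REQUEST, "xfer-key.", mac, t, TSIG_KEYS, t + 3600))
    print("unknown key name:", tsig_verify(AXFR_REQUEST, "guess.", mac, t, TSIG_KEYS, t + 5))
```

The three failure codes map onto the three things TSIG protects: BADKEY (the requester does not hold a configured secret), BADSIG (the message was changed or the secret is wrong) and BADTIME (a captured request is being replayed outside the fudge window). Pair it with the allow-transfer restriction from the list so that even a valid key only works from the expected secondaries.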

DNS monitoring:

  • Check NIDS and HIDS alerts
  • Review logs of DNS and DHCP systems
  • Review logs of local client system
  • Review firewall, switch and router logs

DNS Attacks

  • DNS poisoning
    • DNS server poisoning
    • DNS cache poisoning
    • Hosts file poisoning
  • DNS Spoofing
    • Rogue DNS Servers
    • DNS query spoofing
  • DNS pharming
  • Domain Hijacking
  • Typosquatting
  • Homograph attack
  • URL hijacking
  • Clickjacking
  • Proxy falsification
  • DNS rebinding
  • Domain generation attack

DNS Poisoning

DNS poisoning can be done at different levels:

  • DNS server poisoning
  • DNS cache poisoning
  • Hosts file poisoning

DNS Server Poisoning

In a DNS server poisoning attack, an attacker accesses the primary authoritative DNS server for a domain and modifies its zone file with a malicious IP.

An attack on an authoritative DNS server is noticed very quickly, so DNS cache poisoning is more common.

DNS Cache Poisoning

In a DNS cache poisoning attack, an attacker accesses a DNS cache server and modifies its zone file to include a malicious IP.

DNS cache servers are usually watched only by local operators, not by the worldwide security community, so changes on them may be noticed later. Because of this, DNS cache poisoning is more common than DNS server poisoning.

Hosts File Poisoning

In a hosts file poisoning attack, an attacker accesses a DNS client and modifies its hosts file to include a malicious IP.

This attack only affects an individual system, so its impact is limited and it is mostly used for targeted attacks.

DNS Spoofing

Rogue DNS Server

A DNS client performs DNS queries with a query ID (QID). A rogue DNS server can reply with the same QID and the IP address of a malicious server. When that reply is received, the client closes the DNS query session, which causes the response from the real DNS server to be dropped and ignored as an out-of-session packet.

DNS Query Spoofing

In a DNS query spoofing attack, a client performs a query, an attacker eavesdrops on it and sends back a reply that carries the correct QID but false information.

DNS Pharming

DNS pharming is the malicious redirection of a valid website’s URL or IP address to a fake website.

Pharming typically occurs either by modifying the local hosts file on a system or by poisoning or spoofing DNS resolution.

Domain Hijacking

Domain hijacking or domain theft involves changing the registration of a domain name without the authorization of the valid owner.

The best defense against domain hijacking is using MFA.

Typosquatting

Typosquatting takes advantage of users mistyping the domain name or IP address of a resource, and takes those users to a malicious website.

Homograph Attack

A homograph attack takes advantage of letters from different scripts that look very similar but correspond to different domain names. When these letters are used in a URL, they may trick users.

An example of a letter commonly used in homograph attacks is the English/Latin alphabet “a” replaced by the Cyrillic alphabet “ɑ”.

You can read more about it on this external link.
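As an added example for the homograph section (written for this post; it is not the post's code and no linked article's), the script below shows two defender checks that can run over a domain seen in a URL, a certificate or a DNS log. The first flags a label that mixes scripts, such as a Cyrillic “а” (U+0430) inside an otherwise Latin name. The second folds a small constructed table of look-alike letters to their Latin counterparts and compares the result with a set of trusted names; this catches the case the script check cannot, a look-alike that is itself a Latin letter such as “ɑ” (U+0251, Latin small letter alpha). The punycode form is printed because that is what the resolver actually sends and what a blocklist or log search should key on. The confusable table and the trusted-name set are assumptions constructed for the example.

```python
import unicodedata

# Constructed confusable map: look-alikes of Latin letters that turn up in homograph
# domains. Covers common Cyrillic cases plus Latin small letter alpha (U+0251), which
# mixed-script detection alone cannot catch.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0251": "a",
}

def scripts_in(label):
    """Scripts used by the letters of one DNS label, taken from the Unicode character
    names ("LATIN SMALL LETTER A" -> LATIN, "CYRILLIC SMALL LETTER A" -> CYRILLIC)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def is_mixed_script(label):
    """A single label that mixes scripts is a strong homograph signal."""
    return len(scripts_in(label)) > 1

def lookalike_of(label, trusted_names):
    """Fold confusables to their Latin look-alike and compare with trusted names.
    Returns the trusted name being imitated, or None when the label is genuine."""
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    if skeleton != label.lower() and skeleton in trusted_names:
        return skeleton
    return None

def wire_name(name):
    """Punycode (IDNA) form the resolver sends; use it for log and blocklist matching."""
    return name.encode("idna").decode("ascii")

def assess(name, trusted_names):
    """Per-label homograph findings for a full domain name (empty list = nothing suspicious)."""
    findings = []
    for label in name.rstrip(".").split("."):
        if is_mixed_script(label):
            findings.append(f"{label}: mixed scripts {sorted(scripts_in(label))}")
        target = lookalike_of(label, trusted_names)
        if target:
            findings.append(f"{label}: looks like {target}")
    return findings

if __name__ == "__main__":
    trusted = {"paypal", "example"}                       # constructed trusted-name set
    for candidate in ("paypal.com", "p\u0430ypal.com", "p\u0251ypal.com"):
        print(candidate, "->", wire_name(candidate), assess(candidate, trusted) or "ok")
```

Browsers apply similar logic before deciding whether to show a name in Unicode or in its xn-- form; the same two checks are useful in proxy logs and certificate transparency feeds to spot look-alikes of your own domains.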

URL hijacking

URL hijacking implies displaying a link that looks like a well-known service, but when clicked redirects the user to an alternate website.

An example of a (harmless) URL hijacking is the rickroll meme, where a user provides a written URL that supposedly leads to useful information but actually takes you to the music video for Rick Astley’s song “Never Gonna Give You Up”.

Clickjacking

Clickjacking involves inadvertently including content of one website inside a different website.

Proxy Falsification

Proxy falsification involves tricking a client into using a rogue proxy, which then reroutes the client's requests.

DNS Rebinding

DNS rebinding is an attack that manipulates the resolution of domain names. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

Domain Generation Attack

A Domain Generation Attack (DGA) generates new domain names and IP addresses for malware’s command and control (C2) infrastructure.
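Generated domains leave a characteristic trace in exactly the logs the monitoring list earlier in this post says to review: an infected host tries many names, most of them unregistered, so the resolver logs a burst of NXDOMAIN answers for labels that look random. The example below, added here and not taken from the post or from any product, runs that check over a few constructed resolver log lines in the form "timestamp client qname qtype rcode" (an assumed layout standing in for whatever the local DNS server writes). Per client it counts NXDOMAIN answers and the Shannon entropy of the second-level label, and flags clients that exceed both thresholds; a host with two typo'd lookups is not flagged, a host with six random-looking failures is.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "timestamp client qname qtype rcode".
# The format and all addresses/names are made up for this example.
SAMPLE_LOG = """\
2024-03-06T10:01:02 10.0.0.5 www.example.com A NOERROR
2024-03-06T10:01:03 10.0.0.5 mail.example.com A NOERROR
2024-03-06T10:01:04 10.0.0.5 cdn.example.net A NOERROR
2024-03-06T10:01:05 10.0.0.5 example.org AAAA NOERROR
2024-03-06T10:02:00 10.0.0.7 kq7zp2mvx9wl.com A NXDOMAIN
2024-03-06T10:02:01 10.0.0.7 r4tbn8yhc3ej.net A NXDOMAIN
2024-03-06T10:02:02 10.0.0.7 zx5vmk1qp7da.com A NXDOMAIN
2024-03-06T10:02:03 10.0.0.7 w9gfy2ulo6hs.org A NXDOMAIN
2024-03-06T10:02:04 10.0.0.7 ju3rtc8xnq5b.com A NXDOMAIN
2024-03-06T10:02:05 10.0.0.7 m6pzy4kdv1ew.net A NXDOMAIN
2024-03-06T10:02:06 10.0.0.7 www.example.com A NOERROR
2024-03-06T10:03:00 10.0.0.9 gogle.com A NXDOMAIN
2024-03-06T10:03:01 10.0.0.9 facebok.com A NXDOMAIN
"""

def entropy(s):
    """Shannon entropy of a string in bits per character (0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode}

def second_level_label(qname):
    """The label left of the TLD; multi-part public suffixes are ignored in this example."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def analyse(lines, min_nxdomain=5, min_entropy=3.4):
    """Per-client query count, NXDOMAIN count, mean entropy of failed labels and a verdict.
    Thresholds are assumptions to tune against your own baseline."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_client[rec["client"]]
        stats["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            stats["nxdomain"] += 1
            stats["entropies"].append(entropy(second_level_label(rec["qname"])))
    report = {}
    for client, s in per_client.items():
        mean_e = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        report[client] = {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "mean_entropy": round(mean_e, 2),
            "suspicious": s["nxdomain"] >= min_nxdomain and mean_e >= min_entropy,
        }
    return report

def suspicious_clients(lines, **thresholds):
    """Clients whose DNS failures look like DGA probing, sorted for stable output."""
    return sorted(c for c, r in analyse(lines, **thresholds).items() if r["suspicious"])

if __name__ == "__main__":
    for client, r in analyse(SAMPLE_LOG.splitlines()).items():
        print(client, r)
    print("likely DGA activity from:", suspicious_clients(SAMPLE_LOG.splitlines()))
```

The entropy threshold alone would also catch legitimate CDN and telemetry hostnames, which is why the NXDOMAIN count is required as well: a generated-domain algorithm only succeeds for the few names its operator registered, so the failures are the signal. Feeding the flagged clients back into the sinkhole's hit list confirms the diagnosis.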

DNS Interrogation Tools

You can find a list of DNS interrogation tools on this post.

DNS Servers for Security Testing

PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes.
