Is your DNS secure?

Over the past decades, the Domain Name System has been involved in all kinds of attacks, ranging from simple advertising scams to far more destructive campaigns by large threat groups. Yet in its essence, DNS has a straightforward purpose: to translate human-readable domain names into machine-readable IP addresses. So why is it so prone to attacks?

Cache poisoning, spoofing, DDoS, exfiltration channels: DNS is subject to a wide variety of attacks, and it is also used as a tool to carry out other attacks. For example, many organizations have strict controls over C&C communications and are most likely closely monitoring and blocking those channels. However, since DNS traffic is legitimate and is usually allowed through the firewall, it can be used to deliver payloads or exfiltrate data. TXT records have been widely used for this, because they can carry arbitrary free-form text.

Let's take a look at the most common DNS security exploits.

Top DNS security exploits

DNS spoofing

DNS spoofing is a set of techniques used to redirect users to a destination other than the one they intended. An adversary can, for example, modify the hosts file of a user's machine so that acme.org resolves to a different IP address, in an attempt to lure the user to a fake website and compromise their credentials. Other ways to do this, besides changing the hosts file, are to get onto the network, listen for DNS requests, and answer them with forged IPs. The dnsspoof command line utility can be used to carry out attacks of this kind.

Cache poisoning

Probably the best-known attack targeting DNS, cache poisoning has the same goal as DNS spoofing, namely misdirecting users to fake destinations, but uses techniques that modify the cache of the DNS server or the local cache. For instance, a malicious payload can be sent by email to victims and, once executed, insert forged resolutions into the local cache of the system, thereby directing the victims to mirrored websites.

DDoS

The principles at play in a DNS-based DDoS are the same as for any DDoS. Typically, a DDoS involves thousands of hosts sending requests to a target system, causing it to fail. However, this is not the most used technique. Another technique consists of sending special requests that generate much bigger responses, which are directed at a target. This is called a DNS amplification attack. With the dig command, for instance, the argument ANY can be supplied to generate a large response, because it asks for all the records in a zone. Consider the following command, which generates a response 100 times bigger than the request:

$ dig google.com ANY

You can add other arguments to make the response bigger still. An attacker then finds a few open recursive DNS servers and uses them to reflect this response at a target system; hping is a command line utility that can do such a thing.
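Added example, not from the original article: the detection a defender would run over resolver query logs for the two abuses described above, the TXT exfiltration channel and ANY-based amplification. It flags TXT queries whose longest label is long and high-entropy (the shape of encoded data) and ANY queries whose response/request size ratio or repetition from one source looks like reflection. The log format, the client addresses and the thresholds are constructed assumptions, not a real resolver's output.

```python
import math
from collections import Counter

# Constructed resolver query log (not real traffic): epoch, client, qname, qtype,
# request bytes, response bytes.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A 60 76
1700000001 10.0.0.5 mail.example.com MX 61 120
1700000002 10.0.0.9 mfrggzdfmztwq2lk4nyxw5lknftafyzd.x.tunnel-test.invalid TXT 96 140
1700000003 10.0.0.9 nbswy3dpeb3w64tmmq5hg2ljmqqgeztm.x.tunnel-test.invalid TXT 96 140
1700000004 198.51.100.7 example.com ANY 40 3200
1700000005 198.51.100.7 example.com ANY 40 3200
"""

def shannon_entropy(text):
    """Bits per character; encoded data in a label scores well above ordinary hostnames."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    ts, src, qname, qtype, req, resp = line.split()
    return {"src": src, "qname": qname.lower(), "qtype": qtype.upper(),
            "req": int(req), "resp": int(resp)}

def analyze(log_text, label_len=30, entropy_min=3.5, amp_ratio=10.0, any_repeat=2):
    """Return (kind, source, detail) findings: tunnelling-shaped TXT queries, and ANY
    queries whose size ratio or repetition from one client suggests amplification."""
    findings = []
    any_per_src = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        longest = max(rec["qname"].split("."), key=len)
        if (rec["qtype"] == "TXT" and len(longest) >= label_len
                and shannon_entropy(longest) >= entropy_min):
            findings.append(("txt_tunnel", rec["src"], rec["qname"]))
        if rec["qtype"] == "ANY":
            any_per_src[rec["src"]] += 1
            ratio = rec["resp"] / rec["req"]
            if ratio >= amp_ratio:
                findings.append(("amplification", rec["src"], f"ratio={ratio:.0f}"))
    for src, n in any_per_src.items():
        if n >= any_repeat:
            findings.append(("repeated_any", src, f"count={n}"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Thresholds need tuning per environment: CDNs and some mail-security products legitimately issue long labels, so a baseline of normal label lengths per domain should be collected before alerting.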

DNS-based Command & Control

Think of this attack as a tunnel. Because DNS is common in most environments, its use does not raise alerts in the Security Operations Center, contrary to IRC for example. As a result, there have been a few instances where it was used to deliver C&C payloads.

Now that we have seen the top DNS security exploits, next is my DNS Security Checklist, which will help you correct security misconfigurations in your DNS and keep you aligned with industry best practices.

The DNS Security Checklist

To answer the question you are here for, "Is my DNS secure?", I have compiled a list of items that you can review to ensure that your DNS is indeed secure.

This DNS security checklist is intended to give you a quick reference to the important points that need to be considered when designing and/or reviewing the security controls of a domain name system. Here are a few of the most important points:

[Image: DNS Security Checklist]

DNSSEC

You have probably heard of it, but why should you think about implementing DNSSEC?

DNSSEC is a set of DNS Security Extensions that aims to increase the integrity of the DNS data that is exchanged. It provides encryption, signing, and a root of trust similar to TLS. To do this, DNSSEC employs asymmetric cryptography with public and private keys. The response from the authoritative name server is encrypted with its private key and can therefore be verified by decrypting it with the corresponding public key.
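Added example, not from the article: the chain-of-trust link that the "root of trust" above relies on, computing a DNSKEY's key tag and DS digest (RFC 4034) and checking a parent-side DS against the child's key, using only the standard library. In practice what the private key produces is a signature over record data that stays readable on the wire, so DNSSEC gives integrity and origin authentication; this example checks the trust-anchor side of that. The zone name example. and the 64-byte public key are constructed placeholders, not a real key.

```python
import hashlib

def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, owner_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner, rdata, ds_record):
    """Check a parent-side DS (key tag, algorithm, digest type, digest) against the child's DNSKEY."""
    tag, algorithm, digest_type, digest = ds_record
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and digest.lower() == ds_digest(owner, rdata, digest_type))

# Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with a placeholder 64-byte public key. Not a real key.
KSK_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
# The DS a parent zone would publish for that key (key tag, algorithm, digest type, digest).
EXPECTED_DS = (key_tag(KSK_RDATA), 13, 2, ds_digest("example.", KSK_RDATA))

if __name__ == "__main__":
    print("key tag:", EXPECTED_DS[0])
    print("DS digest:", EXPECTED_DS[3])
    print("parent DS matches child DNSKEY:", ds_matches("example.", KSK_RDATA, EXPECTED_DS))
```

Comparing the DS your registrar publishes with the digest computed from the DNSKEY you actually serve is the check that catches a stale or mistyped DS after a key rollover.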

A word about DNS-over-HTTPS

Created in 2018, this protocol helps protect DNS communications by carrying them inside HTTPS. Mozilla has been pushing hard for it and is now activating it by default in certain countries.

The rationale is that even though HTTPS is secure and has long been used to protect the privacy of users, we still use DNS in plaintext. So a new protocol or extension is needed to protect users' data, such as the history of the domains they have queried.

DNS Security Course

For more information about DNS security and to explore the topics mentioned above in depth, enroll in my course on Udemy titled "Comprehensive DNS Security and DNSSEC".

Conclusion

Between human errors, server misconfigurations, and inherent protocol vulnerabilities, DNS still has many improvements to undergo. That being said, your part is to align your setup with industry best practices until more robust implementations are proposed. So don't forget to contact your registrar, check your server's configuration and implement change control as a starting point, to make sure DNS is handled correctly.

Check out more information security articles at: https://tznibae.com
