Attacks on DNS hit us where it hurts

The Domain Name System (DNS) is a part of the Internet that the typical business or individual computer user rarely thinks about. Many whose everyday work depends on it don’t even know it exists, and even some IT pros don’t really understand how it works. But without it, we would all have to memorize a myriad of numerical IP addresses in order to visit a web site, send email, or access resources on another computer.

Importance of DNS

DNS translates IP addresses that computers understand into user-friendly names that human being understand. Sounds simple enough, but behind the scenes it’s a bit more complex, involving different types of name servers  – recursive DNS servers, root name-servers, top level domain servers, and authoritative name-servers, along with the client computer and the application (such as a web browser) running on it. Resolving a name to an IP address is a multi-step process that we won’t go into here.

Suffice it to say DNS is a mission-critical service if your organization uses the Internet. When attackers target DNS, they can create a denial of service that can bring business and personal Internet communications to a standstill. Unfortunately, DNS is vulnerable to a myriad of different types of attack.

Like other Internet protocols that were developed in the early days of the Internet, before security became a priority, DNS wasn’t originally designed with protection against attackers in mind. It was created with a much smaller Internet in mind. Like a small town where everyone knows and trusts each other, this works – until the city grows huge and the criminal element moves in and takes advantage of that established trust.

At the beginning of this year, The National Cybersecurity and Communications Integration Center (NCCIC) warned that DNS attack incidence was up due to a global DNS infrastructure hijacking campaign.

DNS was designed to use UDP (the User Datagram Protocol), which is faster than TCP (the Transmission Control Protocol). UDP is faster because it doesn’t use the handshake verification or have the error checking functionality of TCP.

Today, cybercriminals know they can wreak havoc by bringing down the name system. With more and more businesses using cloud resources, DNS is more important than ever. A DNS outage can result in workers not being able to do their jobs, customers not being able to make purchases or contact support personnel, and a real and negative impact on a company’s bottom line and reputation.

NOTE: In the early days of the Internet, all of the computer systems on the global network and their IP addresses could be listed in a single text file, called the hosts file, that was stored on each server or personal computer. The world was much simpler back then. Today, there are well over a billion web sites and forecasts say by 2022, there will be 28.5 billion devices connected to the Internet and 4.8 billion users. New domain names are added every minute. The venerable hosts file never had a chance of keeping up.

Types of DNS attacks

There are a number of different ways that an attacker can use DNS as the attack vector. Knowing about each of them and how they work can help you to protect against them.

DNS DDoS attack

One of the easiest and most common ways to disrupt the operations of a network is to flood it and/or its systems with an overload of traffic that’s too much for the hardware and software to handle. Distributed denial of service attacks on DNS are often referred to as DNS floods. The proliferation of Internet of Things (IoT) devices has made it easy for attackers to use the high bandwidth connections of such devices as IP-based surveillance cameras to send a high volume of DNS requests that overwhelm the DNS servers and effectively make them inaccessible to normal users.

A similar but different type of DDoS attack is a DNS amplification attack, which uses a botnet to send numerous small DNS queries with spoofed IP addresses that result in large volume responses so that the amplified traffic overwhelms the target. In this case, it’s not the DNS servers themselves that are targeted, but the victim whose IP address was spoofed. However, if the responses are large enough, the DNS service can be overwhelmed.

Amazon Web Services came under a DNS DDoS attack in October 2019, when it was flooded with fake DNS queries that disrupted legitimate traffic to sites and services that use AWS.

DNS cache poisoning

Another type of IP address spoofing associated with DNS is done to redirect visitors from a legitimate web site to their own phishing sites, designed to look like the real thing, where they can collect user names and passwords and personal information. This is called cache poisoning and it is accomplished by entering inaccurate information in the DNS cache.

ISPs and company networks run their own DNS servers that cache information from the higher level DNS servers. If the DNS information in a server becomes poisoned, this bad information can then be cached on other servers.

We mentioned earlier that DNS uses UDP for faster responses. That means no verification that the senders are who they say they are. Attackers can forge the data headers and the DNS resolver will accept and cache the data. The good news is that DNS cache poisoning requires that the attack send the forged response quickly, before the authoritative nameserver sends the real reply, and the attacker needs to know which port the DNS resolver uses, which queries aren’t cached, which authoritative nameserver the query will go to, and other information in order to successfully carry out a cache poisoning.

DNS hijacking

DNS hijacking is another way attackers undermine the function of DNS name resolution. Malware can be used to change a computer’s configuration so that it points to a rogue DNS server operated by the attacker instead of a legitimate DNS server. As with cache poisoning, the result is that users are redirected to spoofed web sites with the objective of phishing or for other nefarious purposes.

In addition to distributing malware to make TCP/IP settings changes on client computers, attackers can exploit vulnerabilities in routers to change the DNS settings, which will then impact all the computers that connect to the router.

Finally, the attacker can intercept the communications between users and DNS servers and alter the destination IP address to redirect the user to a malicious web site. This is a form of man-in-the-middle attack.

How to protect against and mitigate DNS attacks

Protecting against DNS DDoS attacks involves restricting unsolicited DNS responses, disallowing the same query from the same client that has already received a response, requiring DNS clients to prove their credentials are not spoofed, block queries from geographic locations where you don’t do business, and more. Many security vendors provide products that are aimed at preventing DDoS attacks, including DNS-based attacks.

The lack of verification in the DNS system can be addressed by using Domain Name System Security Extensions (DNSSEC), which provides a way to authenticate DNS data. DNSSEC was designed to prevent applications (and the caching resolvers that serve the applications) from using forged or manipulated DNS information by using digital signatures. DNSSEC has been around since the late 1990s but deployment has been slow and frequently done incorrectly. It is finally becoming an operational standard for many domain registrars and ISPs, however. In January 2019, ICANN urged all domain registries and registrars to fully deploy DNSSEC and further urged domain name owners to migrate to those registrars that offer DNSSEC.

If your organization runs its own DNS servers, there are a number of steps you can take.

• Access to DNS servers should be restricted and secured via multi-factor authentication, strong physical security, and standard network security to prevent remote access.
• Keeping DNS servers updated and timely application of security patches to DNS clients, as well as antimalware protection to prevent changes to DNS settings are other ways to protect against DNS attacks.
• Shut down any unnecessary DNS resolvers on your network and put needed resolvers behind a firewall.
• Restrict zone transfers.
• Disable DNS recursion.
• Monitor your name servers for suspicious activity.

Summary

The Domain Name System is critical to the operation of the Internet, and an attack on DNS can have far-reaching consequences. It’s important to be aware of the threat, take steps to prevent such attacks, and know how to mitigate the damage if an attacker targets your organization.