DNS security should be considered an essential part of any business’s security plan. Name resolution services (translating hostnames into IP addresses) are used by nearly all applications and services on a network.
If an attacker could gain control of an organization’s DNS they could easily:
Get the Free Pen Testing Active Directory Environments EBook
- Permanently transfer control of the public domain to themselves
- Reroute inbound email, web requests, and authentication attempts
- Generate and approve SSL/TLS certificates outside the organization’s control
This guide approaches DNS security from two perspectives:
- Maintaining overall DNS Ownership and Control
- How new DNS protocols like DNSSEC, DOH, and DoT can help protect the integrity and privacy of DNS requests in transit.
What is DNS Security?
DNS security is comprised of two halves:
- Maintaining the overall integrity and availability of your DNS services (translating hostnames into IP addresses)
- Monitoring of DNS activity to indicate that a security issue may be occurring elsewhere in your network.
Why is DNS Vulnerable to Attack
DNS was created in the early years of the internet, far before anyone ever thought of incorporating security best practices. DNS operates without authentication or encryption blindly resolving queries for any client that asks.
Given that starting point, there are numerous ways to spoof, falsify or mislead clients about where name resolution is actually happening.
DNS Security Considerations + Components
DNS Security is made up of several overarching components that need to be addressed to properly secure DNS as a whole.
- System and Control Security: Harden servers and create default commissioning template
- Protocol Enhancement: Deploy DNSSEC, DoT or DoH
- Analytics and Reporting: Ingest DNS event logging into SIEM solution to provide context to security investigations
- Security and Threat Intelligence: Subscribe to an active threat intelligence feed that provides actionable metrics
- Automation: script out as much as possible to take advantage of time allotted towards security.
The above high-level components are just the tip of the iceberg as it pertains to DNS security. In the following section, we will deep dive into more specific use cases and best practices that you need to be aware of.
- DNS Spoofing/Cache Poisoning: Exploiting a system vulnerability, to control a DNS cache to redirect users to a different destination.
- DNS Tunnelling: Mostly used to bypass network security controls for remote connections.
- DNS Hijacking: The act of redirecting your regular DNS traffic by changing your domain registrar to redirect to a different destination DNS server.
- NXDOMAIN Attack: The process of DDoSing a DNS authoritative server with non-legitimate domain requests to force a response.
- Phantom Domain Attack: Forcing the DNS resolver to wait for a response from non-existent domains, which in turn leads to poor performance.
- Random Subdomain Attack: Compromised hosts and botnets that essentially are DOSing a legit domain, but focusing its fire on false subdomains to force the DNS record lookups and override the service.
- Domain Lock-Up Attack: Is the act of sending numerous junk responses to keep the resolvers engaged and locked-up resource-wise.
- Botnet-Based CPE Attack: This is a collection of computers, modems, routers, etc. that are used to focus computing power on one specific website or resource to overwhelm it with traffic requests.
Attacks Leveraging DNS
These are attacks that use DNS in some way to attack other systems (aka changing DNS entries is not the target).
- Single Flux
- Double Flux
- DNS Tunneling
Attacks on DNS
Attacks resulting in the IP address returned from a DNS server is what an attacker wants and not the legitimate admins of the DNS server.
- DNS Spoofing/Cache poisoning
- DNS Hijacking
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions and is used to validate DNS records without needing to know the outlining information around each specific DNS query.
DNSSEC uses digital signature key pairs (PKI) to validate whether the answer to a DNS query is coming from the proper source.
Implementing DNSSEC is not only an industry best practice required by NIST but also is an effective way to combat the simpleness of how DNS operates and avoid most DNS attacks.
How DNSSEC Works
DNSSEC operates similarly to TLS/HTTPS using public/private key pairs to digitally sign DNS records. An extremely high-level overview of this process:
- DNS records are signed with the public/private key pair.
- DNSSEC query responses contain both the record that was requested as well as the signature and the public key.
- The public key is then used to compare the record and the signature for authenticity.
DNS Security v. DNSSEC
DNSSEC is a security control to validate the integrity of DNS queries but does not impact DNS privacy. Put another way: DNSSEC may let you feel confident that the answer to your DNS query is what was intended, but any attacker or snoop could see those results as they were transmitted to you.
DNS Over TLS
Transport Layer Security – is a cryptographic protocol to secure transmitted information over a network connection. Once a secure TLS connection is established between a client and a server, no intermediaries can “see” the data being transmitted as it is encrypted.
TLS is most commonly used as part of HTTPS (“SSL”) in your web browser as requests are made to secure HTTP servers.
DNS Over TLS (DoT) uses TLS to encrypt the UDP traffic of normal DNS queries.
Encrypting these otherwise plain text queries helps protect the users or applications making the requests from several different attacks.
- Man-In-The-Middle: without encryption, an intermediary system sitting between the client and the authoritative DNS server could potentially reply to the client with false or damaging information.
- Spying and Tracking: with no encryption on queries, it is trivial for intermediary systems to view what sites a particular user or application accesses. While the specific page within a site will not be evident solely from DNS, just knowing what domains are being requested is enough to form a profile of the system or individual.
DNS Over HTTPS
DNS over HTTPS (or DoH) is an experimental protocol being led by Mozilla and Google that has very similar goals to DoT: improving the privacy of people browsing the internet by encrypting DNS queries and responses.
Standard DNS queries are transmitted via UDP and the requests and responses can be watched with tools like Wireshark. DoT encrypts these queries but they are still identifiable as fairly distinct UDP traffic on the network.
DoH takes a different approach and transmits encrypted DNS resolution requests over HTTPS connections which over the wire look like any other web request.
This difference has some significant ramifications for both sysadmins and the future of name resolution.
- DNS filtering is a common way of filtering web traffic to protect users from phishing attacks, malware distribution sites, or other potentially damaging internet activity on a corporate network. DoH bypasses these filters, potentially exposing users and networks to a higher degree of risk.
- In the current model of name resolution, every device on a network more or less receives DNS queries from the same location (a specified DNS server). DoH and specifically, Firefox’s implementation show how that may not be the case in the future. Each application on a computer may be pulling from a different DNS source, making it much more challenging to troubleshoot, to secure, and to model risk.
What is the difference between DNS over TLS & DNS over HTTPS?
Let’s start with DNS over TLS (DoT). The main focus here is that the original DNS protocol does not change; it is just transmitted securely over a secure channel. DoH encapsulates DNS in HTTP format before requests are made.
DNS Monitoring Alerts
Being able to monitor your perimeter DNS traffic for suspicious anomalies effectively is critical to the early detection of compromise. Using a tool like Varonis Edge will give you the ability to alert on intelligent metrics and build profiles for each account on your network. Alerts can be generated by a combination of actions within a specific time. These periods have been established by analyzing the results of breaches around the world in each industry.
Monitoring for differences in DNS changes, account location, first-time use, accessing sensitive data, and activity outside of working hours are only a few metrics that can be correlated to painting a broader picture of detection.