Securing DNS
Why does DNS need additional layers of security?
By default, DNS queries and responses are sent in plaintext over UDP, which means they can be read by networks, ISPs or anyone else able to monitor the traffic. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.
DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs and others from being able to read the data.
DNS over TLS
DNS over TLS, also called DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. DoT adds TLS encryption on top of the UDP which is used for DNS queries.
DNS over HTTPS
DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocol instead of directly over UDP. DoH traffic looks like other HTTPS traffic.
Browsers also support DoH, although it is not turned on by default.
DoT uses port 853, while DoH uses port 443, which is the port that all other HTTPS traffic uses as well.
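As an added example (not part of the original notes), the block below builds one DNS query in wire format and shows how that same message is carried by DoT (RFC 7858, a 2-byte length prefix inside a TLS session on TCP port 853) and by DoH (RFC 8484, base64url in a GET parameter or the raw body of a POST). Nothing is sent on the network; the query name and host are constructed.

```python
import base64
import random
import struct

# Added example (not from the original notes): build one DNS query in wire
# format, then show how the very same message is carried by DoT (RFC 7858)
# and DoH (RFC 8484). Nothing is sent on the network; all values are constructed.

def encode_name(name):
    """Encode a dotted domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=None):
    """12-byte header plus one question (QTYPE 1 = A, QCLASS 1 = IN)."""
    if txid is None:
        txid = random.getrandbits(16)  # the 16-bit request ID
    flags = 0x0100                     # standard query with RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT sends DNS messages inside a TLS session on TCP port 853, so each
    message is prefixed with its 2-byte big-endian length (as plain DNS over TCP)."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_path(msg, path="/dns-query"):
    """DoH GET: the wire message travels in the 'dns' query parameter as
    unpadded base64url. RFC 8484 recommends txid 0 so responses are cacheable."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"

def doh_post_request(msg, host):
    """DoH POST: the raw message is the HTTP body, typed application/dns-message."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

if __name__ == "__main__":
    q = build_query("example.com", txid=0)
    print("plain DNS payload :", q.hex())
    print("DoT/TCP framing   :", dot_frame(q).hex())
    print("DoH GET           :", doh_get_path(q))
    print("DoH POST          :", doh_post_request(q, "doh.example").decode("latin-1"))
```

The payload bytes are identical in all three cases; only the carrier changes, which is why DoH blends in with ordinary port 443 traffic while DoT is recognisable by its port.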
DNS was not designed with security in mind.
DNS Security
Common DNS attacks
DNS spoofing/Cache poisoning
This is an attack where forged DNS data is introduced into a DNS resolver's cache, resulting in the resolver returning an incorrect IP address for a domain.
DNS Tunneling
This attack uses other protocols to tunnel through DNS queries and responses. Attackers can use SSH, TCP or HTTP to pass malware or stolen information inside DNS queries, undetected by most firewalls.
DNS hijacking
The attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the DNS record of the website on the nameserver rather than a resolver's cache.
NXDOMAIN attack
A type of DNS flood attack where an attacker inundates a DNS server with requests for records that do not exist, in an attempt to cause a denial of service for legitimate traffic.
Phantom domain attack
Has a similar result to an NXDOMAIN attack on a DNS resolver. The attacker sets up a number of "phantom" domain servers that either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests to these domains, and it gets tied up waiting for responses, leading to slow performance and denial of service.
Random subdomain attack
The attacker sends DNS queries for several random, non-existent subdomains of one legitimate site. The goal is to create a denial of service for the domain's authoritative nameserver, making it impossible to look up the website from the nameserver. As a side effect, the ISP serving the attacker may also be impacted, as its recursive resolver's cache will be loaded with bad requests.
Domain lock-up attack
Attackers orchestrate this form of attack by setting up special domains and resolvers to create TCP connections with other legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolvers' resources.
Botnet-based CPE attack
These attacks are carried out using CPE devices (Customer Premises Equipment: hardware handed out by service providers for use by their customers, such as modems and routers). The attackers compromise the CPEs and the devices become part of a botnet, used to perform random subdomain attacks against one site or domain.
DNSSEC
DNS Security Extensions (DNSSEC) is a security protocol that protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process.
DNSSEC implements a hierarchical signing policy across all layers of DNS.
DNSSEC is designed to be backwards compatible to ensure that traditional DNS lookups still resolve correctly, albeit without the added security.
DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. This chain of trust cannot be compromised at any layer of DNS, or else the request will become open to an on-path attack.
To close the chain of trust, the root zone itself needs to be validated, and this is actually done with human intervention. Interestingly, in what is called the Root Zone Signing Ceremony, selected individuals from around the globe meet to sign the root DNSKEY RRset in a public and audited way.
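The link between one layer of the chain and the next is the DS record: the parent zone publishes a hash of the child's DNSKEY, and a validating resolver recomputes that hash before trusting the child's signatures. The block below is an added example (not from the original notes) of that check; the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4034 section 5.1.4) computations are the standard ones, while the key material, the owner name "example." and the names FAKE_KSK and PARENT_DS are constructed for illustration.

```python
import hashlib
import struct

# Added example (not from the original notes): a parent's DS record is a hash
# of the child's DNSKEY; checking it is how each link of the DNSSEC chain of
# trust is verified. The key bytes below are constructed, not a real zone key.

def canonical_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1, always 3) algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """16-bit key tag (RFC 4034 App. B) a DS or RRSIG uses to name its DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(canonical_name(owner) + rdata).digest()

def ds_matches(ds_key_tag, ds_digest_hex, owner, rdata):
    """Resolver-side check: does the child's DNSKEY hash to the parent's DS?"""
    return key_tag(rdata) == ds_key_tag and ds_digest(owner, rdata).hex() == ds_digest_hex

# Constructed KSK: flags 257 (ZONE|SEP), algorithm 13 (ECDSAP256SHA256), 64-byte key.
FAKE_KSK = dnskey_rdata(257, 13, bytes(range(64)))
# What the parent zone would publish for it: (key tag, hex digest).
PARENT_DS = (key_tag(FAKE_KSK), ds_digest("Example.", FAKE_KSK).hex())

if __name__ == "__main__":
    print("key tag:", PARENT_DS[0], "digest:", PARENT_DS[1])
    print("genuine key validates:", ds_matches(*PARENT_DS, "example.", FAKE_KSK))
    tampered = dnskey_rdata(257, 13, bytes(range(1, 65)))
    print("swapped key validates:", ds_matches(*PARENT_DS, "example.", tampered))
```

A DNSKEY swapped in by an attacker fails this check at the parent, which is why the chain has to be intact at every layer and why the root's own key must be anchored out of band.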
DNS resolvers can also be configured to provide security solutions for their end users. Some DNS resolvers provide features such as content filtering, which can block sites known to distribute malware and spam, and botnet protection, which blocks communication with known botnets.
DNS Cache poisoning | DNS Spoofing
Attackers can poison a DNS cache by tricking DNS resolvers into caching false information, with the result that the resolver sends the wrong IP address to clients, and users attempting to navigate to a website will be directed to the wrong place.
It is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.
Because there is typically no way for DNS resolvers to verify the data in their caches, incorrect DNS information remains in the cache until the TTL expires, or until it is removed manually.
How does DNS caching work?
A DNS resolver will save the responses to IP address queries for a certain amount of time. In this way, the resolver can respond to future queries much more quickly, without needing to communicate with the many servers involved in the typical DNS resolution process.
Process of DNS Spoofing
Attackers can poison DNS caches by impersonating DNS nameservers, making a request to a DNS resolver and then forging the reply when the DNS resolver queries a nameserver.
This is possible because DNS servers use UDP instead of TCP and because currently there is no verification of DNS information.
Because the DNS resolver does actually query the authoritative nameserver, attackers have only a few milliseconds to send the fake reply before the real reply from the authoritative nameserver arrives.
Attackers also have to either know or guess a number of factors to carry out DNS spoofing attacks:
which DNS queries are not cached by the targeted DNS resolver
what port the DNS resolver is using
the request ID number
which authoritative nameserver the query will go to.
DNS Fast Flux
A way of rapidly swapping out the IP addresses associated with a domain so that malicious domains used for phishing attacks and other criminal activity are harder to block.
It is a technique that involves associating multiple IP addresses with a single domain name and changing these IP addresses out rapidly. Sometimes hundreds or even thousands of IP addresses are used.
This technique is commonly used by botnets.
With DNS fast flux, malicious domains have more uptime and are harder to block, enabling cyber criminals to carry out more attacks.
An IP address will be registered and then deregistered and replaced with a new IP address every few minutes or seconds. Attackers are able to do this by exploiting a load balancing technique called round robin DNS and by setting a very short TTL for each IP address. Often some or all of the IP addresses used will be web hosts that the attackers have compromised. The machines at these IP addresses act as proxies for the attackers' origin server.
Round robin DNS is a way of associating multiple redundant web servers, each with its own IP address, with a domain. When the authoritative nameserver for that domain receives a query, it hands out a different IP address each time, and as a result no one web server gets overwhelmed with traffic (theoretically). While load balancing is the legitimate, intended use of round robin DNS, attackers can use this feature to obfuscate their malicious activity.
The most effective way to stop DNS fast fluxing is to simply take down the domain name. Network administrators can also require users within their network to use DNS servers they control and to blackhole, or discard, queries for malicious domains. This way, malicious domains are not resolved and users are unable to access them. This is called DNS filtering.
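Because legitimate round robin and CDN names also use short TTLs, a filtering resolver cannot flag on TTL alone; what distinguishes fast flux is that the answer set never settles and is scattered across unrelated networks. The block below is an added example (not from the original notes) of such a heuristic run over a constructed resolver log. Domain names, thresholds and the RFC 5737 documentation addresses are all made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the original notes): flag the fast-flux pattern in a
# resolver log: short TTL plus a constant stream of never-seen-before addresses
# spread over unrelated networks. All domains, addresses and thresholds are
# constructed; a CDN-style name with a short TTL but a stable set must not trigger.

# Constructed resolver log: (domain, ttl, answers) in the order the responses were seen.
RESPONSES = [
    ("www.shop.example", 60, ["192.0.2.10", "192.0.2.11"]),
    ("www.shop.example", 60, ["192.0.2.12", "192.0.2.10"]),
    ("www.shop.example", 60, ["192.0.2.11", "192.0.2.13"]),
    ("www.shop.example", 60, ["192.0.2.13", "192.0.2.12"]),
    ("login-verify.example", 120, ["192.0.2.77", "198.51.100.4"]),
    ("login-verify.example", 120, ["203.0.113.9", "198.51.100.61"]),
    ("login-verify.example", 120, ["192.0.2.200", "203.0.113.130"]),
    ("login-verify.example", 120, ["198.51.100.250", "192.0.2.35"]),
    ("login-verify.example", 120, ["203.0.113.8", "203.0.113.99"]),
    ("login-verify.example", 120, ["198.51.100.18", "192.0.2.120"]),
]

def profile(responses):
    """Per domain: lowest TTL, distinct IPs, distinct /16s, responses adding new IPs."""
    stats = defaultdict(lambda: {"ttl": None, "ips": set(), "nets": set(), "new": 0, "n": 0})
    for domain, ttl, answers in responses:
        s = stats[domain]
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
        s["n"] += 1
        if s["n"] > 1 and any(a not in s["ips"] for a in answers):
            s["new"] += 1              # this response introduced an unseen address
        for a in answers:
            s["ips"].add(a)
            s["nets"].add(ipaddress.ip_network(f"{a}/16", strict=False))
    return stats

def flux_suspects(responses, max_ttl=300, min_ips=8, min_nets=3, min_churn=0.5):
    """Domains whose answer set keeps changing (churn counted from the 2nd response)."""
    out = []
    for domain, s in profile(responses).items():
        churn = s["new"] / max(s["n"] - 1, 1)
        if (s["ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                and len(s["nets"]) >= min_nets and churn >= min_churn):
            out.append(domain)
    return sorted(out)
```

Domains returned by flux_suspects() are the candidates an administrator would review before adding them to the blackhole list used for DNS filtering.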