Cyber Threats on DNS Servers
Overview of DNS
The Domain Name System (DNS) is a foundation protocol of hierarchical and decentralised naming system commonly used on the Internet to resolve human-readable domain names into numeric Internet Protocol (IP) addresses. The original designed DNS protocol (RFC 882 and RFC 883) was published by Internet Engineering Task Force (IETF) in 1983. DNS includes a data repository to store domain names and their associated IP addresses, and acts like a directory or phone book of the Internet. The function of mapping domain names to IP addresses is called “Name Resolution”. The protocol that DNS uses to perform the name resolution is called the DNS protocol. However, the DNS specification does not have any mechanism to secure the authenticity and privacy of DNS transactions, that may cause DNS data interception and modification during the transmission process.
Workflow of DNS Resolving
The process which DNS utilises to turn Uniform Resource Locators (URLs) into routable IP addresses encompasses six main steps. “https://www.example.com/index.html” will be used as an example to explore the process in the following diagram:
1.
The Request
a.
When a user wants to browse “https://www.example.com/index.html” and inputs the URLin the address bar of the web browser, the web browser transposes the URL into the Fully Qualified Domain Name (FQDN), i.e. www.example.com.
b.
The web browser sends a DNS query to the DNS resolver server for resolving the IP address of the FQDN host name, e.g. “1.2.3.4”.
c.
Instead of sending direct DNS queries to a DNS resolver, a DNS proxy server in between can add visibility and preventive controls into the name resolution process. Potential malicious sites can be intercepted before the threat ever appears.
2.
Root Name Server Query
The DNS resolver forwards the DNS query to a root name server that returns an IP address of the corresponding top-level domain (TLD) name server, i.e. “.com” name server.
The DNS resolver forwards the DNS query to a root name server that returns an IP address of the corresponding top-level domain (TLD) name server, i.e. “.com” name server.
3.
TLD Name Server Query
The DNS resolver directs the DNS query to the appropriate TLD name server that returns an IP address of the corresponding Enterprise-Level name server, i.e. “example.com” name server.
The DNS resolver directs the DNS query to the appropriate TLD name server that returns an IP address of the corresponding Enterprise-Level name server, i.e. “example.com” name server.
4.
Enterprise-Level Domain Name System Query
The DNS resolver forwards the DNS query to the Enterprise-Level name server that returns an IP address of the corresponding web server, i.e. “www.example.com”.
The DNS resolver forwards the DNS query to the Enterprise-Level name server that returns an IP address of the corresponding web server, i.e. “www.example.com”.
5.
The Response
The DNS resolver returns the web server IP address to the web browser, and adds that response to its cache. Next time when that address needs to be resolved, the result is taken from the cache instead of making another DNS request.
The DNS resolver returns the web server IP address to the web browser, and adds that response to its cache. Next time when that address needs to be resolved, the result is taken from the cache instead of making another DNS request.
6.
Connect to the Web Server and Download the Web Content
The web browser connects to the web server and displays its webpage to the user, i.e. “https://www.example.com/index.html”.
The web browser connects to the web server and displays its webpage to the user, i.e. “https://www.example.com/index.html”.
Risks of DNS-based Attacks
According to a number of cyber security threat reports, DNS-based attacks are becoming highly sophisticated and volumetric. Attackers are increasingly adopting multifaceted techniques to exploit different DNS components such as recursive resolvers and authoritative DNS servers. Besides, data exfiltration via DNS-based covert channels often goes undetected over legitimate DNS traffic. The increasing difficulties to detect and mitigate the attacks make securing DNS infrastructure even more crucial to keep DNS secure and resilient. The impact caused by DNS-based attacks is profound due to its mission-critical role. The consequences of not securing DNS may result in a higher risk of data breach, service downtime, compliance failure and compromised reputation of an organisation.
Typical Attacks on DNS
1.
DNS Hijacking
DNS hijacking (also called “DNS Redirection”) is a type of DNS attack in which DNS queries are manipulated to redirect users to malicious sites. DNS hijacking can be used for pharming or phishing by taking over users’ DNS requests. There are five common types of hijacking attacks:
DNS hijacking (also called “DNS Redirection”) is a type of DNS attack in which DNS queries are manipulated to redirect users to malicious sites. DNS hijacking can be used for pharming or phishing by taking over users’ DNS requests. There are five common types of hijacking attacks:
1.1.
Local DNS hijacking — change the local DNS settings to redirect the user to malicious sites by malware installed on the local system without the knowledge and permission of the user.
1.2.
Router DNS hijacking — take over a router and overwrite its DNS settings to redirect all connected users to malicious sites by exploiting router vulnerabilities.
1.3.
Rogue DNS hijacking — hack into a DNS name server and change its DNS records to redirect DNS requests to malicious sites.
1.4.
Man-In-The-Middle DNS hijacking — intercept network communication between a user and a DNS name server, and replace with fraudulent IP addresses pointing to malicious sites.
1.5.
Domain name account hijacking — change the registration of a domain name without the permission of the domain name holder, such as the use of stolen domain name account login information.
2.
DNS Cache Poisoning
Also known as DNS spoofing, DNS cache poisoning is a DNS cache attack that attackers insert fraudulent data into the cache of a DNS resolver. The DNS resolver makes use of the cache for storing processing results of DNS queries to enhance performance when receiving the same query. The fraudulent data will redirect users to malicious sites.
Also known as DNS spoofing, DNS cache poisoning is a DNS cache attack that attackers insert fraudulent data into the cache of a DNS resolver. The DNS resolver makes use of the cache for storing processing results of DNS queries to enhance performance when receiving the same query. The fraudulent data will redirect users to malicious sites.
3.
Distributed Denial of Service (DDoS) Attacks on DNS Servers
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal DNS traffic of a targeted DNS server with a flood of Internet traffic. Successful launching of a DDoS attack on DNS will hamper the resolution of domain into IP addresses of the zone and its sub-zones, rendering other services inaccessible and causing even more catastrophic results. Two main attack techniques exist for DDoS attacks – amplification and reflection. They are often used together to maximise the impact on the target.
The record for the largest DDoS attack ever recorded was of 2.3 Tbps, mitigated by Amazon Web Services (AWS) Shield service in February 2020. The attack was carried out using hijacked Connection-less Lightweight Directory Access Protocol (CLDAP) web servers to reach massive DDoS bandwidths. In 2016, a series of DDoS attacks on a DNS service provider, Dyn, was launched, which caused major Internet platforms and services unavailable to many users in Europe and North America.
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal DNS traffic of a targeted DNS server with a flood of Internet traffic. Successful launching of a DDoS attack on DNS will hamper the resolution of domain into IP addresses of the zone and its sub-zones, rendering other services inaccessible and causing even more catastrophic results. Two main attack techniques exist for DDoS attacks – amplification and reflection. They are often used together to maximise the impact on the target.
The record for the largest DDoS attack ever recorded was of 2.3 Tbps, mitigated by Amazon Web Services (AWS) Shield service in February 2020. The attack was carried out using hijacked Connection-less Lightweight Directory Access Protocol (CLDAP) web servers to reach massive DDoS bandwidths. In 2016, a series of DDoS attacks on a DNS service provider, Dyn, was launched, which caused major Internet platforms and services unavailable to many users in Europe and North America.
3.1.
DNS Flood Attack
Attackers flood DNS queries to DNS servers in an attempt to exhaust DNS infrastructure and server resources of a particular domain name space. By disrupting the DNS name resolution capability, the flood attack will compromise websites’ or online business applications’ ability to respond to legitimate transaction traffic. DNS flood attacks can be difficult to distinguish from normal heavy traffic because the large volume of traffic often comes from a multitude of unique locations, querying for real records on the domain, mimicking legitimate traffic.
Attackers flood DNS queries to DNS servers in an attempt to exhaust DNS infrastructure and server resources of a particular domain name space. By disrupting the DNS name resolution capability, the flood attack will compromise websites’ or online business applications’ ability to respond to legitimate transaction traffic. DNS flood attacks can be difficult to distinguish from normal heavy traffic because the large volume of traffic often comes from a multitude of unique locations, querying for real records on the domain, mimicking legitimate traffic.
3.2.
Pseudo-Random Subdomain (PRSD) Attack
PRSD attack (also called “Water Torture Attack”, or NXDOMAIN Flood Attack) is another type of DDoS attack that attackers send a large number of queries for random, non-existent subdomains of legitimate domains. The attack intends to exhaust server resources and take down the authoritative name servers for targeted legitimate domains.
PRSD attack (also called “Water Torture Attack”, or NXDOMAIN Flood Attack) is another type of DDoS attack that attackers send a large number of queries for random, non-existent subdomains of legitimate domains. The attack intends to exhaust server resources and take down the authoritative name servers for targeted legitimate domains.
4.
DNS Tunneling Attack (Data Exfiltration)
DNS tunneling refers to the control of the domain name and DNS server to encode data inside DNS queries and responses to communicate with the controlled/compromised DNS server and user computer. DNS tunneling attack leverages normal outbound DNS requests to the attacker’s server, providing attackers a covert command and control channel, and a data exfiltration path by Command and Control (C&C) method. Compromised data is encoded into several DNS host queries over time, allowing for the gradual exfiltration of sensitive data.
DNS tunneling refers to the control of the domain name and DNS server to encode data inside DNS queries and responses to communicate with the controlled/compromised DNS server and user computer. DNS tunneling attack leverages normal outbound DNS requests to the attacker’s server, providing attackers a covert command and control channel, and a data exfiltration path by Command and Control (C&C) method. Compromised data is encoded into several DNS host queries over time, allowing for the gradual exfiltration of sensitive data.
5.
Domain Name Squatting
Domain name squatting (also called Cybersquatting) is a type of DNS threat that attackers squat domain names to redirect users to malicious websites. Organisations may miss renewal dates on their domain names and the domain squatter takes advantage of the domain names to present a high risk to users visiting them. Squatting domains are often used or repurposed for attacks. For example, attackers can use squatting domains to distribute malware or to conduct scams and phishing campaigns.
Domain name squatting (also called Cybersquatting) is a type of DNS threat that attackers squat domain names to redirect users to malicious websites. Organisations may miss renewal dates on their domain names and the domain squatter takes advantage of the domain names to present a high risk to users visiting them. Squatting domains are often used or repurposed for attacks. For example, attackers can use squatting domains to distribute malware or to conduct scams and phishing campaigns.
6.
DNS Zone Transfer Attack
DNS zone transfer is a network mechanism for copying the contents of the zone file on a primary DNS server to a secondary DNS server. Without proper configuration of the authorised secondary DNS server transfer, attackers can replicate the internal IP addresses, servers and other information of an organisation from exposed DNS database (e.g. private domain records, SPF TXT records) through DNS zone transfer attack. Attackers can understand the network topology then deliberately exploit the information and infrastructure systems of an organisation.
DNS zone transfer is a network mechanism for copying the contents of the zone file on a primary DNS server to a secondary DNS server. Without proper configuration of the authorised secondary DNS server transfer, attackers can replicate the internal IP addresses, servers and other information of an organisation from exposed DNS database (e.g. private domain records, SPF TXT records) through DNS zone transfer attack. Attackers can understand the network topology then deliberately exploit the information and infrastructure systems of an organisation.
Protection Measures against DNS Attacks
Organisation can implement the following preventive measures to prevent threats and attacks on DNS:
1.
General Measures
Keep the operating system and software of DNS devices up-to-date; and deploy endpoint security software on them.
Properly configure the DNS server such as:
Set up a dedicated name server instance for each function such as authoritative name server and recursive resolver.
Create network-based dispersion of authoritative name servers for fault tolerance.
Split DNS with separate DNS servers for internal and external networks as a means of security and privacy management.
Perform regular backups on the DNS servers, including their configurations and zone files.
2.
Measures for DNS Registrants and Server Administrators
Use multi-factor authentication for accessing the domain registrar system and the DNS server.
Avoid using personal email addresses for organisational domain contact information or registrar access accounts.
Implement domain locking feature to prevent unauthorised and unsolicited transfers to another registrar.
Keep track of the registered domain name expiry date and renew the domain name registration prior to its expiry to avoid taking-over by attackers or others.
Keep all domain information of the registrant, technical, administrative, and billing contacts up-to-date, complete and correct. Stay vigilant to any unexpected registrar account change alerts.
Restrict DNS zone transfer from the master authoritative name server to a set of valid auxiliary name servers and refuse all other DNS queries.
Monitor and block suspicious DNS activities such as large number of subdomain lookups, large lookup size, long subdomains and uncommon query types (TXT records).
Implement Domain Name System Security Extensions (DNSSEC) where possible on the principal domains, and where practical, on any secondary domains to ensure the authenticity of DNS data.
Subscribe specialised DNS provider services that provide protection and mitigation to reduce the risk of DNS Flood attack.
Use “checkzone” and “checkconf” or similar utilities to identify DNS service misconfigurations.
Run authoritative DNS servers inside Demilitarised Zones (DMZs).
Subscribe DDoS mitigation service to fend off denial of service attacks.
Subscribe anycast service to distribute network traffic to resilient (slave) DNS servers (anycast nodes).
Enable Response Rate Limits (RRL) on the authoritative servers and slave servers.
Implement Response Policy Zone (RPZ) to control what queries can look up using a recursive DNS server.
Incident Response and Recovery for DNS Attacks
In the event of a DNS attack, the organisation should consider taking the following actions to effectively respond to and contain the incident:
1.
Estimate the scope, possible damage, and impact of the incident.
2.
Check whether domain names can still be resolved by resilient DNS resolvers.
3.
Anticipate the lead time for service resumption.
4.
Report to appropriate parties (e.g. IT administrators) immediately for investigation and cleansing. Report the cases to law enforcement or regulatory bodies such as the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data respectively if criminal activities and leakage of personal data are involved. Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) on incident response and recovery, if necessary.
5.
Identify the source of the DNS incident and block access to the respective malicious server.
6.
Reset the administrator login credentials if the administrator accounts are supposedly compromised.
7.
Take the infected devices offline and perform a complete scan of the devices concerned to verify if malware has been installed.
8.
Review the domain name registration records, such as the name servers, contact information, to ascertain that no unauthorised changes to the registration are made.
9.
Review audit logs to find out whether there are any unauthorised changes to server configurations or zone files. Recover from backups if it is suspected that they have been tampered.
10.
Perform a vulnerability scan on the affected hosts to plug known exposures.
11.
Investigate the root cause of the attacks, whether it is due to human error or security vulnerabilities exist in the computer systems, etc. and implement mitigation measures to cope with the attacks.
12.
Conduct a security audit to ensure the measures recommended for mitigating the risks are properly implemented.
13.
Report of phishing, spamming and other malicious acts on the Internet using domain names to the respective domain name registry and registrars.
Other DNS Security Features
1.
Domain Name System Security Extensions (DNSSEC)
Domain Name System Security Extensions (DNSSEC) enhances the security level by validating DNS data of a domain name during the IP address lookup. It uses cryptographic signatures to confirm the DNS data received is genuine. DNSSEC helps ensure data integrity and authenticate the origin of DNS data, and thus helps prevent attackers from redirecting users (at DNS level) to fake websites. However, it should be noted that the domain should be DNSSEC-enabled and the DNS resolver should be DNSSEC-aware in order to provide the protection.
DNSSEC-Enabled Name Resolution Workflow
Domain Name System Security Extensions (DNSSEC) enhances the security level by validating DNS data of a domain name during the IP address lookup. It uses cryptographic signatures to confirm the DNS data received is genuine. DNSSEC helps ensure data integrity and authenticate the origin of DNS data, and thus helps prevent attackers from redirecting users (at DNS level) to fake websites. However, it should be noted that the domain should be DNSSEC-enabled and the DNS resolver should be DNSSEC-aware in order to provide the protection.
DNSSEC-Enabled Name Resolution Workflow
1.
When a user tries to browse a DNSSEC-enabled domain, the DNSSEC-aware DNS resolver forwards the query to the authoritative name server.
2.
The authoritative name server then returns the IP address together with a digital signature.
3.
The DNS resolver verifies the digital signature to ensure the DNS data is not tampered.
4.
If attackers intercept the response and pass a fake DNS response to the DNS resolver, the DNS resolver will fail to verify the data and discard the fake responses.
2.
DNS Filtering
DNS Filtering is a technique of blocking access to certain websites, webpages, and IP addresses. DNS filtering solution filters domain names/IP addresses known to be malicious and reduces the risk of infection when a user attempts to access malicious sites. It can be implemented by DNS Blacklist and DNS Sinkhole. The DNS Blacklist provides automated, real-time checking of DNS queries against a list of malicious IP addresses. The DNS Sinkhole is configured to forge a response to a DNS-query for the known malicious domains (from the DNS Blacklist), resolving it to a definable but fake IP address to the client. If the client tries to access the fake IP address and there is a security rule in place, access to the malicious domain can then be blocked.
DNS Filtering is a technique of blocking access to certain websites, webpages, and IP addresses. DNS filtering solution filters domain names/IP addresses known to be malicious and reduces the risk of infection when a user attempts to access malicious sites. It can be implemented by DNS Blacklist and DNS Sinkhole. The DNS Blacklist provides automated, real-time checking of DNS queries against a list of malicious IP addresses. The DNS Sinkhole is configured to forge a response to a DNS-query for the known malicious domains (from the DNS Blacklist), resolving it to a definable but fake IP address to the client. If the client tries to access the fake IP address and there is a security rule in place, access to the malicious domain can then be blocked.
3.
WHOIS Privacy Protection
WHOIS is a query and response protocol that provides information on domain names and IP address blocks from a database. It stores and delivers database content in a human-readable format. The Internet Corporation for Assigned Names and Numbers (ICANN) currently requires the e-mail addresses, phone numbers, and even mailing addresses of all owners and administrators of domains to be publicly available.
To protect information of domain name registrants and administrators being demanded to be made public on WHOIS directories, there are domain privacy protection services available from domain name registrars which essentially masks domain contact information to protect the privacy of domain name registrants.
WHOIS is a query and response protocol that provides information on domain names and IP address blocks from a database. It stores and delivers database content in a human-readable format. The Internet Corporation for Assigned Names and Numbers (ICANN) currently requires the e-mail addresses, phone numbers, and even mailing addresses of all owners and administrators of domains to be publicly available.
To protect information of domain name registrants and administrators being demanded to be made public on WHOIS directories, there are domain privacy protection services available from domain name registrars which essentially masks domain contact information to protect the privacy of domain name registrants.
Extended Readings
1.
Internet Corporation for Assigned Names and Numbers (ICANN) - DNSSEC
2.
Asia-Pacific Network Information Centre (APNIC) - DNSSEC
3.
National Institute of Standards and Technology (NIST) - Secure Domain Name System (DNS) Deployment Guide
4.
Open Web Application Security Project (OWASP) - Anatomy of a DNS Cache Poisoning Attack
5.
Franco Palau, Carlos Catania, Jorge Guerra, Sebastian Garcia, and Maria Rigaki - DNS Tunneling: A Deep Learning based Lexicographical Detection Approach
6.
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) - Security Advisory: Securing DNS Infrastructure
7.
Australian Cyber Security Centre (ACSC) - How to Combat Fake Emails
8.
Hong Kong Internet Registration Corporation Limited (HKIRC) - Technology FAQ
9.
Hong Kong Internet Registration Corporation Limited (HKIRC) - DNSSEC Theme Page
Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before downloading and using them.
Related topic(s):
Information For:
