DNS Security

Why is DNS security important?

Almost all network traffic begins with a standard DNS query, which creates opportunities for DNS attacks such as DNS hijacking and on-path (en-route) attacks. These attacks can redirect traffic intended for a website to a forged copy of it, harvesting confidential user information and exposing the company to serious liability. One of the most widely used defences against DNS threats is the DNSSEC protocol.

 

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions, a set of extensions that protect information in the Domain Name System (DNS) used on IP networks. It authenticates the origin of DNS data and protects its integrity, which helps prevent forged responses.

How DNSSEC works

The DNS turns domain names (website names) into Internet Protocol (IP) addresses, the unique identifiers that let computers around the world locate information quickly. DNSSEC adds a set of extensions to this system for increased protection.

These security extensions include:

  • Origin authentication of DNS data: this ensures that the recipient of the data can verify the source.
  • Authenticated denial of existence: this tells a resolver (responsible for translating the domain name into an IP address) that a certain domain name does not exist.
  • Data integrity: this assures the data recipient that the data has not been changed in transit.
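The second extension above, authenticated denial of existence, is worth seeing in code. The following Python is an added example, not part of the original article: an NSEC record names an owner and the next owner name in the zone's canonical order, and a resolver that has already validated the NSEC's signature can conclude that no name falls in the gap between them. The zone contents are constructed for illustration.

```python
# Added example (not from the article): how a validating resolver uses NSEC
# records to prove that a name does NOT exist (authenticated denial of
# existence, RFC 4034/4035). The RRSIG over each NSEC is assumed to have been
# verified already; only the canonical-order "gap" check is shown.

def canonical_key(name: str) -> list:
    """Key for RFC 4034 canonical ordering: labels are compared from the root
    (rightmost) downwards, case-insensitively, and a name sorts before any of
    its own subdomains."""
    return [label.lower() for label in reversed(name.rstrip(".").split(".")) if label]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record 'owner -> next_name' proves qname is absent."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n          # normal gap inside the chain
    return q > o                  # last NSEC wraps to the apex: covers the tail


def find_covering_nsec(nsec_chain, qname: str, zone: str):
    """Return the (owner, next) pair that denies qname, or None when no NSEC of
    the zone covers it (the name exists, or the proof is incomplete). NSEC
    records are only meaningful for names inside the zone that signed them."""
    z, q = canonical_key(zone), canonical_key(qname)
    if q[:len(z)] != z:
        return None
    for owner, next_name in nsec_chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


# Constructed zone: NSEC chain for example.com, whose only names are the apex,
# a.example.com and c.example.com (the last record points back to the apex).
ZONE_NSEC_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),
]

if __name__ == "__main__":
    for q in ("b.example.com.", "a.example.com.", "www.c.example.com."):
        proof = find_covering_nsec(ZONE_NSEC_CHAIN, q, "example.com.")
        print(q, "->", f"NXDOMAIN, proven by NSEC {proof}" if proof else "no covering NSEC (name exists)")
```

A complete NXDOMAIN proof also requires a second NSEC showing that no wildcard at the closest encloser matches the name; that step is omitted here.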

Why do we need security in DNS?

DNS directs network traffic to the correct destination. Everyone everywhere uses it, and practically all Internet traffic depends on it. That makes it a highly sensitive system and an attractive target for cyber attacks designed to take control of DNS, tamper with it, or extract data from it.
Because many modern companies rely on only a few DNS servers, they are exposed to DNS server security risks and may be unable to withstand large-scale attacks: a flood of traffic can crash the server and prevent users from finding the website. Beyond disrupting DNS, attackers can also exploit vulnerabilities in the servers running DNS services to extract valuable data such as passwords, user names and other personal information.
These are serious business problems, which makes DNS security a key component of overall online security.

Common DNS security threats

Without adequate DNSSEC, enterprises may be exposed to:

  • Distributed denial of service (DDoS) attacks: A DDoS takes advantage of multiple systems’ security vulnerabilities, such as those compromised by malware, and sends large volumes of traffic to a website or web-based application. These may cause servers to crash and render the website or application unusable. These attacks can affect customers and potentially cause a loss of revenue. Today’s DDoS attacks are becoming more sophisticated, attacking deeper into the application layer, whereas previously they only affected the outer network and transport layers.
  • Amplification attacks: Here attackers exploit weaknesses in DNS servers to turn small queries into much larger responses, which again can crash servers. An amplification attack is a type of reflection attack: the attacker floods public DNS servers with UDP (User Datagram Protocol) packets whose source address is forged to be the victim’s, so the servers’ inflated responses are sent to the victim rather than the attacker. The term “reflection” refers to this use of a fake source IP address in the DNS queries sent as part of the attack.
  • DNS hijacking: In DNS hijacking, the attacker redirects queries to other domain name servers. This can be done by malicious software or an unauthorized modification of the DNS server. Although the result is similar to DNS spoofing, this is a completely different attack because it targets the website’s DNS records on the name server, not the resolver cache.
 
  • NXDOMAIN attack: This is a DNS flood attack. Attackers flood the DNS server with requests for records that do not exist, in an attempt to deny service to legitimate traffic. This can be done with sophisticated attack tools that automatically generate a unique subdomain for each request. NXDOMAIN attacks can also target recursive resolvers, with the goal of filling the resolver cache with garbage requests.
  • Phantom domain attack: The phantom domain attack has similar results to the NXDOMAIN attack on the DNS resolver. The attacker sets up a set of “virtual” domain servers that respond very slowly to requests or do not respond at all. The resolver then receives a large number of requests for these domains and is left waiting for responses, resulting in performance degradation and denial of service.
  • Random subdomain attack: Here the attacker sends DNS queries for many random, nonexistent subdomains of one legitimate site. The goal is to create a denial of service for the domain’s authoritative nameserver, making it impossible to look up the website through that nameserver. As a side effect, the ISP serving the attacker may also be affected, because its recursive resolver’s cache fills with bad requests.
  • Domain lock-up attack: Attackers set up special domains and resolvers that create TCP connections with other, legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver’s resources.
  • Botnet-based CPE attack: These attacks are carried out using CPE devices (Customer Premises Equipment: the hardware that service providers give their customers, such as modems, routers and cable boxes). The attackers compromise the CPEs, which become part of a botnet used to perform random subdomain attacks against one site or domain.
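The NXDOMAIN and random subdomain attacks described above leave a recognisable footprint in resolver query logs: one client, many unique names under a single zone, almost all answered NXDOMAIN. The following Python is an added example, not from the article or any product; the log format, thresholds and the rule that the last two labels identify the zone are assumptions, and the sample log lines are constructed.

```python
# Added example (not from the article): flag NXDOMAIN-flood / random-subdomain
# behaviour in resolver query logs. Log format and thresholds are assumptions.
import re
from collections import defaultdict

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)")

def registrable_domain(qname: str) -> str:
    # Assumption: last two labels identify the zone (real code: Public Suffix List).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse(log_lines, min_queries=5, nx_ratio=0.8, min_unique=5):
    """Return {client: [(zone, total, nxdomain, unique_names)]} for clients whose
    traffic toward a zone is mostly NXDOMAIN with almost every name unique."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # skip lines we cannot parse
        s = stats[(m["client"], registrable_domain(m["qname"]))]
        s["total"] += 1
        s["names"].add(m["qname"].lower())
        if m["rcode"] == "NXDOMAIN":
            s["nx"] += 1
    suspects = defaultdict(list)
    for (client, zone), s in stats.items():
        if (s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio
                and len(s["names"]) >= min_unique):
            suspects[client].append((zone, s["total"], s["nx"], len(s["names"])))
    return dict(suspects)

# Constructed sample: 10.0.0.9 hammers random labels under example.com, while
# 10.0.0.2 is a normal client that repeats a few real names and makes one typo.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z client=10.0.0.9 qname=x{i:04x}.example.com. rcode=NXDOMAIN"
    for i in range(12)
] + [
    "2024-05-01T10:00:13Z client=10.0.0.2 qname=www.example.com. rcode=NOERROR",
    "2024-05-01T10:00:14Z client=10.0.0.2 qname=mail.example.com. rcode=NOERROR",
    "2024-05-01T10:00:15Z client=10.0.0.2 qname=typo.example.com. rcode=NXDOMAIN",
    "2024-05-01T10:00:16Z client=10.0.0.2 qname=www.example.com. rcode=NOERROR",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for client, hits in analyse(SAMPLE_LOG).items():
        for zone, total, nx, uniq in hits:
            print(f"{client}: {nx}/{total} NXDOMAIN for {zone}, {uniq} unique names")
```

In a real deployment the same per-client counters are what a rate-limiting rule on the resolver or DNS firewall would key on.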

What is the best way to protect against DNS-based attacks?

In addition to DNSSEC, DNS zone operators can take further measures to protect their servers. Over-provisioning the infrastructure is a simple strategy for withstanding DDoS attacks: if your domain name server can handle several times more traffic than expected, volume-based attacks are unlikely to overwhelm it.
Anycast routing is another useful tool against DDoS attacks. Anycast allows multiple servers to share one IP address, so even if one DNS server fails, the others keep answering. Another popular strategy for protecting DNS servers is the DNS firewall.

What is a DNS firewall?

A DNS firewall is a tool that provides a number of security and performance services for DNS servers. It sits between a user’s recursive resolver and the authoritative name server of the website or service being accessed. A DNS firewall can apply rate limiting to stop attackers who try to overwhelm the server, and if the server goes down because of an attack or for any other reason, the firewall can keep the operator’s website or service reachable by serving DNS responses from its cache.
In addition to security features, DNS firewalls can also improve performance, for example through faster DNS lookups and lower bandwidth costs for DNS operators. Learn more about Cloudflare’s DNS firewall.

DNS as a security tool

DNS resolvers can also be configured to provide security features to their end users (the people browsing the Internet). Some DNS resolvers offer content filtering, which blocks websites known to spread malware and spam, and botnet protection, which blocks communication with known botnets. Many of these secure DNS resolvers are free, and users can switch to any of these recursive DNS services by changing a single setting in their local router. Cloudflare DNS focuses on security.

Are DNS queries private?

Another important DNS security issue is user privacy. DNS queries are not encrypted: even if the user’s DNS resolver (such as 1.1.1.1) does not track their activity, the queries travel across the Internet in plain text, so anyone who intercepts a request can see which website the user is visiting.
This lack of privacy has implications for security and, in some cases, human rights: when DNS queries are not private, it is easier for governments to censor the Internet and easier for attackers to track users’ behaviour online.
DNS over TLS and DNS over HTTPS are two standards for encrypting DNS queries so that outside parties cannot read them. Cloudflare DNS supports both. Cloudflare is also working with other organizations to improve DNS security – for example, helping Mozilla enable DNS over HTTPS in its Firefox browser to protect users.