Protecting Your Enterprise From DNS Threats
[The following is excerpted from “Protecting Your Enterprise From DNS Threats,” a new report posted this week on Dark Reading’s Security Services Tech Center.]
The Internet’s Domain Name System (DNS) plays a critical role in Internet communications: It translates human-readable computer hostnames into destinations defined by IP addresses — darkreading.com to 188.8.131.52, for example — so that they can be used by networking equipment, computers and software programs.
DNS is the world’s largest distributed database, supported by millions of domain name servers and administrators, each providing information about a small segment of the domain name space.
There are two main categories of name server. An authoritative name server answers queries about the domain names in its zone, the portion of the domain name space it is responsible for. For example, the servers that answer for darkreading.com and resolve www.darkreading.com to an IP address are its authoritative DNS servers. Every domain name appears in a zone served by one or more authoritative name servers.
The second category is the recursive name server (resolver). When it receives a request for a name it does not have cached, it works its way down the hierarchy, following referrals from the root servers to the top-level-domain servers to the zone's authoritative server, and returns that server's answer to the client. The resolver caches each answer for the time to live (TTL) that the zone owner attached to the record, so repeated requests for the same name are served from cache until the TTL expires. This is also why a change to a zone, legitimate or not, is not seen by every client at once: resolvers keep handing out the old answer until their cached copy ages out.
Every Internet-connected device and application is a client of the Domain Name System; even DNS servers in the process of resolving a name function as DNS clients. DNS clients have to trust the information they receive, but when DNS was designed back in the ’80s, scalability and availability were the key goals. Little attention was given to security.
For example, the accuracy and integrity of DNS records are vital, yet several parties can change them: the registrant who owns a domain name, the registrar that sold it and holds the account used to manage it, the registry that operates the top-level domain, and the administrators of the authoritative name servers. Should attackers get to a point at which they could alter or corrupt a domain's DNS zone data, they could redirect all incoming traffic for that domain to a server they control. This server could then host fake sites to make political statements, capture personal information or install malware.
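The following toy model, added here as an example and not taken from the report, ties the two preceding points together: authoritative servers that answer only for their own zone and refer the asker elsewhere, a recursive resolver that chases referrals from the root and caches answers for their TTL, and what a client sees once an attacker with zone access rewrites the A and MX records. All names, addresses (RFC 5737 documentation ranges) and zone contents are constructed for the example; NS records carry the delegated server's address directly, a simplification of the hostname-plus-glue that real DNS returns. The `check_baseline` function is the kind of drift check a domain owner can run against a known-good copy of their own records.

```python
"""Toy DNS: authoritative zones, referral chasing, TTL caching, and zone tampering."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name without trailing dot; "" is the root
    rtype: str  # "A", "NS" or "MX"
    data: str   # for NS: the delegated server's address (simplification, see lead-in)
    ttl: int    # seconds a resolver may keep this answer cached


def ancestors(name):
    """'www.example.com' -> ['www.example.com', 'example.com', 'com', '']."""
    labels = name.split(".") if name else []
    return [".".join(labels[i:]) for i in range(len(labels))] + [""]


class AuthoritativeServer:
    """Holds the data for exactly one zone and only answers for it."""

    def __init__(self, zone, records):
        self.zone = zone
        self.records = list(records)

    def query(self, name, rtype):
        answers = [r for r in self.records if r.name == name and r.rtype == rtype]
        if answers:
            return "ANSWER", answers
        # Not our data: refer the asker to the closest delegated child zone.
        for child in ancestors(name):
            if child == self.zone:
                break
            ns = [r for r in self.records if r.name == child and r.rtype == "NS"]
            if ns:
                return "REFERRAL", ns
        return "NXDOMAIN", []


class RecursiveResolver:
    """Chases referrals from the root on a miss; serves cached answers until the TTL expires."""

    def __init__(self, network, root_address):
        self.network = network          # address -> AuthoritativeServer
        self.root_address = root_address
        self.cache = {}                 # (name, rtype) -> (records, expires_at)

    def resolve(self, name, rtype, now):
        key = (name, rtype)
        if key in self.cache:
            records, expires_at = self.cache[key]
            if now < expires_at:
                return records, True    # served from cache
            del self.cache[key]
        server = self.root_address
        for _ in range(8):              # bound the referral chase
            status, records = self.network[server].query(name, rtype)
            if status == "ANSWER":
                self.cache[key] = (records, now + min(r.ttl for r in records))
                return records, False
            if status == "REFERRAL":
                server = records[0].data
                continue
            return [], False            # NXDOMAIN; negative caching omitted here
        raise RuntimeError("referral chain too long")


def build_network():
    """Constructed root, .com and example.com zones (not real DNS data)."""
    root = AuthoritativeServer("", [Record("com", "NS", "192.0.2.1", 172800)])
    com = AuthoritativeServer("com", [Record("example.com", "NS", "192.0.2.2", 172800)])
    example = AuthoritativeServer("example.com", [
        Record("www.example.com", "A", "198.51.100.10", 300),
        Record("example.com", "MX", "mail.example.com", 300),
    ])
    return {"192.0.2.0": root, "192.0.2.1": com, "192.0.2.2": example}, "192.0.2.0", example


def first(records):
    return records[0].data if records else None


def check_baseline(resolver, expected, now):
    """Compare live answers with a known-good baseline; returns the entries that drifted."""
    drift = []
    for (name, rtype), want in expected.items():
        got = first(resolver.resolve(name, rtype, now)[0])
        if got != want:
            drift.append((name, rtype, want, got))
    return drift


def hijack_demo():
    network, root, example = build_network()
    resolver = RecursiveResolver(network, root)
    baseline = {("www.example.com", "A"): "198.51.100.10",
                ("example.com", "MX"): "mail.example.com"}
    t0 = 0
    before = first(resolver.resolve("www.example.com", "A", t0)[0])
    resolver.resolve("example.com", "MX", t0)
    # Attacker with access to the zone rewrites the web and mail records (constructed hosts).
    example.records = [Record("www.example.com", "A", "203.0.113.66", 300),
                       Record("example.com", "MX", "mail.attacker.example", 300)]
    within = resolver.resolve("www.example.com", "A", t0 + 100)   # still inside the TTL
    after = resolver.resolve("www.example.com", "A", t0 + 301)    # cache expired
    mx_after = first(resolver.resolve("example.com", "MX", t0 + 301)[0])
    return {"before": before,
            "within_ttl": (first(within[0]), within[1]),
            "after_ttl": (first(after[0]), after[1]),
            "mx_after_ttl": mx_after,
            "drift": check_baseline(resolver, baseline, t0 + 301)}


if __name__ == "__main__":
    for key, value in hijack_demo().items():
        print(key, value)
```

Running it shows the resolver handing out the legitimate address from cache for 100 seconds after the tampering, then the attacker's address and mail server once the 300-second TTL has passed; the baseline check flags both records. Long TTLs therefore slow both the attack's spread and the recovery after a fix, which is why operators often lower TTLs before planned changes.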
The open, distributed nature of DNS means no single technology or product can remove the limitations inherent in the protocol, so attackers continue to use it as a means of disrupting or hijacking online services.
Recent attacks by the Syrian Electronic Army (SEA) have exploited DNS weaknesses to modify DNS entries and redirect users accessing The New York Times, Twitter and Marine Corps websites to propaganda pages supporting the Bashar Assad regime.
The lack of a valid Web server certificate could alert users that they have not reached the genuine site, but an attacker who controls a domain's DNS also controls its mail (MX) records, and can therefore capture all inbound email and send email from the victim organization's domain. That is enough to impersonate the victim to a certificate authority and obtain a new, valid certificate. Control of an enterprise's DNS plus a valid Web certificate means the attackers have effectively become the enterprise, often without having to break into its network at all.
DNS attacks either subvert the resolution of DNS queries, often by exploiting weaknesses in domain name administration practices, or use the DNS infrastructure itself as a means of launching distributed denial-of-service (DDoS) attacks.
To learn more about the nature of DNS attacks — and what you can do to prevent them — download the free report.