What is the Domain Name System (DNS)?
by Gregory V. Chapman
The Domain Name System (DNS) is a hierarchical, decentralized naming system for computers, services, and other resources connected to the Internet or to a private network. It associates various kinds of data with the domain names assigned to each participating entity.
What DNS is best known for is translating human-readable domain names into the numerical IP addresses that the underlying network protocols use to identify and locate hosts. DNS has provided this comprehensive, distributed directory service since the 1980s.
DNS is critical to Internet operations and to most operating systems and applications, which is why DNS servers must be secured to prevent them from being used maliciously. In practice the weak point is often not the protocol itself but the accounts that control a company's DNS records and configuration.
An attacker who obtains those login credentials can alter DNS records and redirect traffic to a server they control, with the same effect as if they had compromised the genuine web server. The credentials are typically obtained through phishing e-mails or other social engineering against administrators of weakly protected DNS infrastructure.
How do Attackers Alter DNS Configuration?
Weaknesses in how DNS is implemented and configured, rather than flaws in the protocol's design alone, give attackers their opening. One frequent weakness is the open resolver: a recursive DNS server that answers queries from any client on the Internet, not only from the clients of the network it is meant to serve. Anyone can therefore use such a server to perform recursive name resolution on their behalf.
Because an open resolver responds to queries from just about anyone, it can be abused for, or is exposed to, attacks including, but not limited to:
- DNS cache poisoning attacks
- DNS amplification and reflection attacks
- Resource utilization attacks
- DNS flood attacks
- Denial of service (DoS)
- Distributed reflection denial of service (DRDoS)
- Fast flux
What are DNS Cache Poisoning Attacks?
In a cache poisoning attack, the attacker forges resource record (RR) data and gets a resolver to accept it, so that the forged records are cached and served to every client of that resolver until the record's time to live (TTL) expires. For the forged response to be accepted, the attacker must match the 16-bit transaction ID of an outstanding query (and, if the resolver randomizes it, the UDP source port as well), and the forgery must arrive before the genuine response does.
Attackers use this to redirect users from legitimate websites to malicious ones, or to steer traffic away from the legitimate name servers to a "pirate" server. Poisoning of HTTP caches, a different mechanism with a similar outcome, is covered in Practical Web Cache Poisoning.
The main protection against DNS cache poisoning is DNSSEC (Domain Name System Security Extensions), developed by the Internet Engineering Task Force. DNSSEC is not a cache poisoning tool; it adds digital signatures to DNS data so that a validating resolver can detect and discard forged records.
DNS Amplification and Reflection Attacks
Attackers use open resolvers both to amplify the volume of an attack and to conceal its real source. They send small queries to many open resolvers with the source IP address forged to that of the victim; the resolvers then deliver their much larger responses to the victim (reflection). Choosing queries that produce large responses, such as ANY queries or queries against DNSSEC-signed zones, multiplies the traffic the victim receives relative to what the attacker sends (amplification), and spreading the queries across many resolvers multiplies it again.
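The pattern described above is visible on the wire: a victim receives large UDP responses from port 53 of resolvers it never queried. The following is an added example (not code from the original article) of a toy detector that works over constructed flow records and computes the amplification factor; the thresholds and the flow data are assumptions for illustration.

```python
"""Reflection and amplification heuristics over constructed flow records.

Added example, not code from the original article. It groups UDP port-53
traffic by (resolver, host) pair and flags hosts that receive large DNS
responses from a resolver they never (or barely) queried, which is the
signature of reflected traffic landing on a victim. The flow records and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS: List[Tuple[str, int, str, int, int]] = [
    # A normal client: small queries out, modest responses back.
    ("10.0.0.5", 41000, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, "10.0.0.5", 41000, 120),
    ("10.0.0.5", 41001, "198.51.100.53", 53, 62),
    ("198.51.100.53", 53, "10.0.0.5", 41001, 140),
    # A reflection victim: large responses from two open resolvers, yet the
    # victim sent no queries (the attacker did, with a spoofed source).
    ("198.51.100.53", 53, "203.0.113.9", 80, 3200),
    ("198.51.100.53", 53, "203.0.113.9", 80, 3150),
    ("198.51.100.54", 53, "203.0.113.9", 80, 3300),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response size over query size."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def find_reflection_victims(
    flows, min_bytes: int = 2000, min_ratio: float = 10.0
) -> Dict[str, List[str]]:
    """Map each suspected victim IP to the resolvers reflecting onto it.

    A (resolver, host) pair is flagged when the resolver sent at least
    min_bytes of responses to the host and the host sent nothing back to
    port 53, or the response/query byte ratio is at least min_ratio.
    """
    to_host = defaultdict(int)    # (resolver, host) -> response bytes
    from_host = defaultdict(int)  # (resolver, host) -> query bytes
    for src, sport, dst, dport, size in flows:
        if sport == 53:
            to_host[(src, dst)] += size
        elif dport == 53:
            from_host[(dst, src)] += size

    victims: Dict[str, List[str]] = defaultdict(list)
    for (resolver, host), inbound in to_host.items():
        outbound = from_host.get((resolver, host), 0)
        if inbound < min_bytes:
            continue
        if outbound == 0 or inbound / outbound >= min_ratio:
            victims[host].append(resolver)
    return {host: sorted(res) for host, res in victims.items()}


if __name__ == "__main__":
    print("amplification of a 60-byte query answered with 3200 bytes:",
          round(amplification_factor(60, 3200), 1))
    for host, resolvers in find_reflection_victims(FLOWS).items():
        print(f"{host} is receiving reflected DNS traffic from {', '.join(resolvers)}")
```

In the constructed data a 60-byte query answered with 3,200 bytes gives a factor of about 53, and the host 203.0.113.9 is flagged because it receives kilobytes of answers from two resolvers without ever having sent them a query. On a real network the same logic would run over NetFlow or packet-capture summaries, with the byte thresholds tuned to the site's normal DNS traffic.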
Resource Utilization Attacks
These attacks consume CPU, memory, and socket buffers on an open resolver to degrade its operation, for example by flooding it with queries for names that are not in its cache so that every one forces a fresh recursive lookup. Restarting the service or rebooting the device only clears the backlog; as long as the resolver remains open, the attack simply resumes.
DNS Flood Attack
A DNS flood aims to overwhelm an authoritative server with so many queries that it can no longer answer legitimate ones. Because that server answers for every zone it hosts, all of those zones become unreachable at once.
Denial of Service (DoS)
In a DoS attack the attacker tries to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
Typically the perpetrator floods the targeted machine or resource with more requests than it can handle, so that some or all legitimate requests go unanswered. A DoS or DDoS attack is comparable to a crowd pushing into the doorway of a shop so that real customers cannot enter, disrupting trade.
Distributed Reflection Denial of Service (DRDoS)
A DRDoS attack is a distributed denial of service in which the attacker does not hit the target directly but bounces traffic off third-party servers such as open resolvers, forging the source address so that the responses land on the victim. As with any DDoS, the aim is to saturate the victim's network capacity with packets or bandwidth-consuming requests, or to exhaust its hardware resources.
Attackers also commonly target widely used services such as database systems, SSH services, and web servers.
DNS server configurations that lack proper security can lead to severe problems:
- Attackers can abuse the server to retrieve whole zones through unrestricted zone transfers.
- Attackers can alter what a resolver returns so that names point to IP addresses of their choosing, in order to defraud users.
- Attackers can redirect web and email traffic, or launch DNS amplification attacks, among other types of attack.
When any of the above occurs, website visitors cannot tell that their traffic has been redirected to another server, and senders cannot tell that their email went to a server other than the attacked domain's genuine MX hosts.
Fast Flux
Fast flux is a technique for rapidly changing the DNS records behind a malicious domain so that it points to a constantly shifting set of hosts, often compromised machines in a botnet, using very short TTLs. This hides the attacker's real infrastructure and keeps the malicious site reachable long enough to carry out the attack. It comes in single-flux and double-flux variants.
Single flux rotates the A records, that is the web server's addresses; double flux additionally rotates the NS records, so the domain's name servers themselves keep changing.
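Because fast flux shows up as many short-lived addresses behind one name, it can be spotted in resolver data. Below is an added example (not code from the original article) that classifies constructed answer records as single or double flux; grouping addresses by /16 as a stand-in for network diversity and the numeric thresholds are assumptions chosen for illustration.

```python
"""Fast-flux heuristic over constructed resolver answer records.

Added example, not code from the original article. A name is treated as
fluxed when, within the observed answers, it maps to many distinct A
records spread across several networks with short TTLs; it is "double"
flux when its NS records rotate as well. Grouping by /16 is a crude
stand-in for per-network diversity and the thresholds are illustrative
assumptions; the records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

Record = Tuple[str, str, int, str]  # (qname, rrtype, ttl, rdata)

# Constructed answers seen by a resolver over a short period.
ANSWERS = [
    # Legitimate CDN: two addresses, moderate TTL, stable delegation.
    ("cdn.example.net", "A", 300, "93.184.216.34"),
    ("cdn.example.net", "A", 300, "93.184.216.35"),
    ("cdn.example.net", "NS", 86400, "ns1.example.net"),
    # Suspected flux domain: six addresses in three networks, 60 s TTL,
    # and the delegation itself keeps changing.
    ("shop-deals.example", "A", 60, "203.0.113.10"),
    ("shop-deals.example", "A", 60, "203.0.113.200"),
    ("shop-deals.example", "A", 60, "198.51.100.22"),
    ("shop-deals.example", "A", 60, "198.51.100.150"),
    ("shop-deals.example", "A", 60, "192.0.2.77"),
    ("shop-deals.example", "A", 60, "192.0.2.140"),
    ("shop-deals.example", "NS", 60, "ns1.flux.example"),
    ("shop-deals.example", "NS", 60, "ns7.flux.example"),
    ("shop-deals.example", "NS", 60, "ns3.flux.example"),
]


def classify_flux(records: Iterable[Record], max_ttl: int = 300,
                  min_ips: int = 5, min_nets: int = 3,
                  min_ns: int = 3) -> Dict[str, str]:
    """Return {qname: "single" | "double"} for names that look fluxed."""
    a_rdata = defaultdict(set)
    ns_rdata = defaultdict(set)
    a_ttls = defaultdict(list)
    for qname, rrtype, ttl, rdata in records:
        if rrtype == "A":
            a_rdata[qname].add(rdata)
            a_ttls[qname].append(ttl)
        elif rrtype == "NS":
            ns_rdata[qname].add(rdata)

    verdict: Dict[str, str] = {}
    for qname, ips in a_rdata.items():
        nets = {".".join(ip.split(".")[:2]) for ip in ips}  # /16 buckets
        if len(ips) < min_ips or len(nets) < min_nets:
            continue
        if max(a_ttls[qname]) > max_ttl:
            continue  # long TTLs mean the records are not being rotated quickly
        rotating_ns = len(ns_rdata.get(qname, set())) >= min_ns
        verdict[qname] = "double" if rotating_ns else "single"
    return verdict


if __name__ == "__main__":
    for name, kind in classify_flux(ANSWERS).items():
        print(f"{name}: {kind} flux")
```

The CDN name is left alone because it has only two addresses and a 300-second TTL, while the constructed shop-deals.example name is reported as double flux since both its A and NS records rotate. Legitimate content delivery networks also use short TTLs and many addresses, so in practice a verdict like this is a lead for analysts rather than a block decision.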
Ways of Preventing DNS Attack
#1 Auditing of DNS Zones
Besides the DNS server configuration, the most important thing to review is the DNS zone data itself. Regularly reviewing all your zones, records, and IP addresses reduces the risk of an unauthorized change going unnoticed. On Windows DNS servers with Active Directory-integrated zones, auditing involves:
- Verifying that the 'Audit Directory Service Access' audit policy is enabled.
- Configuring the audit policy.
- Configuring auditing on the DNS zone objects.
#2 Configuration Against Cache Poisoning
Configure your resolver to be as resistant as possible to cache poisoning. The measures below add unpredictability to each outgoing query, so an attacker who cannot observe the query has little chance of getting a forged response accepted:
- Randomize the 16-bit transaction ID of every query.
- Use a random UDP source port for each query instead of a fixed one (historically port 53), so the attacker must guess the port as well as the ID.
- Randomize the letter case of the queried name (the "0x20" technique); the authoritative server echoes the name exactly as sent, so a forged response must reproduce the same case pattern to be accepted.
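To make the three measures concrete, here is an added example (not code from the original article or from any resolver's source) that builds a query with a random transaction ID, random source port, and 0x20-randomized name, accepts a response only if all three match, and counts how many combinations a blind forger would have to cover. The DNS messages are assembled in memory from the wire format; nothing is sent on the network, and the fixed values used in the demonstration are assumptions.

```python
"""Client-side defences against blind DNS response forgery.

Added example, not code from the original article. It builds the three
sources of unpredictability listed above (random transaction ID, random
UDP source port, 0x20 case randomisation of the name) and accepts a
response only when all three match, then counts how many guesses a blind
forger would need. Messages are built in memory; nothing is sent.
"""
import secrets
import struct
from dataclasses import dataclass
from typing import Tuple

EPHEMERAL_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID
    src_port: int  # UDP source port the query left from
    qname: str     # name exactly as sent, with randomised case


def randomize_case(name: str) -> str:
    """0x20 encoding: flip each letter's case at random. DNS name matching
    is case-insensitive, so the server still answers correctly."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)


def make_query(name: str) -> Query:
    return Query(
        txid=secrets.randbits(16),
        src_port=EPHEMERAL_PORTS[secrets.randbelow(len(EPHEMERAL_PORTS))],
        qname=randomize_case(name),
    )


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Inverse of encode_name (no compression pointers); returns (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Minimal response: header, the echoed question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def accept_response(query: Query, dst_port: int, data: bytes) -> bool:
    """Accept only if port, transaction ID and exact-case name all match."""
    if dst_port != query.src_port:
        return False
    (txid,) = struct.unpack("!H", data[:2])
    if txid != query.txid:
        return False
    echoed, _ = decode_name(data, 12)  # question starts after the 12-byte header
    return echoed == query.qname        # case-sensitive comparison: the 0x20 check


def guess_space(name: str, random_port: bool, random_case: bool) -> int:
    """Combinations a blind forger must cover to be sure of a hit."""
    combos = 2 ** 16                                   # transaction ID alone
    if random_port:
        combos *= len(EPHEMERAL_PORTS)
    if random_case:
        combos *= 2 ** sum(c.isalpha() for c in name)  # one bit per letter
    return combos


if __name__ == "__main__":
    q = make_query("www.example.com")
    genuine = build_response(q.txid, q.qname, "93.184.216.34")
    forged = build_response(q.txid, "www.example.com", "203.0.113.7")  # right ID, wrong case
    print("genuine accepted:", accept_response(q, q.src_port, genuine))
    print("forged accepted: ", accept_response(q, q.src_port, forged))
    print("guesses, ID only:", guess_space("www.example.com", False, False))
    print("guesses, all three:", guess_space("www.example.com", True, True))
```

With the transaction ID alone an attacker has 65,536 possibilities to cover; adding a random ephemeral port and 0x20 encoding of a 13-letter name raises that by a factor of about 64,512 times 8,192, which is why these measures shrink the window for blind forgery so drastically. They do not help against an attacker who can see the query on the path; that case is what DNSSEC is for.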
#3 Keep Your DNS Servers Up-to-date
Running your own name servers lets you configure and test everything, including settings that a hosting provider's managed DNS may not expose; the alternative is to hand the zones to a managed provider such as Cloudflare.
If you do run your own DNS servers, with software such as BIND, PowerDNS, NSD, or Microsoft DNS, keep those packages up to date to close the bugs and vulnerabilities that exploits target.
#4 Hiding the BIND Version
BIND is open-source software that answers DNS queries, and it runs a large share of the name servers on the Internet. Hiding the version string denies attackers an easy way to match your server against known vulnerabilities; in BIND this is done with the version option in the options block, for example version "not disclosed";.
Hiding the version is not a substitute for patching. If you run your own name servers with BIND or Microsoft DNS, keep them updated, and keep the operating system they run on patched as well. A patch management system is a critical security tool.
#5 Restrict Zone Transfers
Secondary (slave) name servers obtain their copy of a zone from the primary (master) through a zone transfer (AXFR), which is effectively a copy of the primary's database for that zone. The full zone contents reveal hostnames and addresses that help an attacker map your network topology, which is exactly what they want when planning an attack.
Attackers therefore attempt zone transfers against exposed primaries. Restrict transfers to the IP addresses of your own secondaries, and authenticate them with TSIG where possible, rather than allowing them from anyone. A simple walkthrough is available at the Plesk Documentation and Help Portal.
#6 Disabling DNS Recursion to Prevent DNS Poisoning Attacks
BIND enables recursion by default (recent versions limit it to local networks unless configured otherwise), and a server that recurses for arbitrary Internet clients is an open resolver exposed to cache poisoning and to abuse as an amplifier. Authoritative-only servers should set recursion no; resolvers should restrict allow-recursion to their own clients. For further guidance on securing DNS, the National Institute of Standards and Technology has published the Secure Domain Name System (DNS) Deployment Guide (NIST SP 800-81).
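Items #4, #5, and #6 are all settings in the same named.conf, so they can be checked together. The following is an added example, not code from the original article or from ISC: a small audit script that flags an exposed version string, unrestricted zone transfers, and recursion without an explicit ACL. Its parsing is a deliberately simple regex pass that assumes blocks close with "};" on their own line, as in the two constructed configurations it ships with; it is not a full named.conf parser.

```python
"""Audit a BIND named.conf for the three hardening items above.

Added example, not code from the original article or from ISC. It checks
that the version string is hidden (#4), that zone transfers are restricted
(#5) and that recursion is either off or limited to an explicit ACL (#6).
The parsing is a deliberately simple regex pass that assumes each block
closes with "};" on its own line, as in the constructed configurations
below; it is not a full named.conf parser.
"""
import re
from typing import List, Optional

# Constructed: the kind of configuration these checks are meant to catch.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
"""

# Constructed: the same server with the three items fixed.
HARDENED_CONF = """
options {
    directory "/var/named";
    version "not disclosed";
    recursion no;
    allow-transfer { none; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
"""


def _options_block(conf: str) -> str:
    match = re.search(r"\boptions\s*\{(.*?)\n\};", conf, re.S)
    return match.group(1) if match else ""


def _acl(block: str, name: str) -> Optional[List[str]]:
    """Return the address-match list for `name` (e.g. ["any"]) or None if unset."""
    match = re.search(rf"\b{name}\s*\{{\s*(.*?)\s*\}};", block, re.S)
    if not match:
        return None
    return [item.strip() for item in match.group(1).split(";") if item.strip()]


def audit_named_conf(conf: str) -> List[str]:
    findings: List[str] = []
    opts = _options_block(conf)

    # #4: do not advertise the software version to version.bind queries.
    if not re.search(r'\bversion\s+"', opts):
        findings.append('version string exposed: add version "not disclosed"; to options')

    # #6: recursion must be off, or limited by an explicit allow-recursion ACL
    # (the checker asks for an explicit ACL rather than trusting defaults).
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    if recursion is None or recursion.group(1) == "yes":
        allowed = _acl(opts, "allow-recursion")
        if allowed is None or "any" in allowed:
            findings.append("recursion enabled without a restrictive allow-recursion ACL")

    # #5: transfers restricted globally, and for every primary zone.
    global_xfer = _acl(opts, "allow-transfer")
    if global_xfer is None or "any" in global_xfer:
        findings.append("global allow-transfer unrestricted: set allow-transfer { none; }")
    for zone in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{(.*?)\n\};', conf, re.S):
        name, body = zone.group(1), zone.group(2)
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue
        effective = _acl(body, "allow-transfer")
        if effective is None:
            effective = global_xfer  # zone inherits the global setting
        if effective is None or "any" in effective:
            findings.append(f'zone "{name}": zone transfers allowed to anyone')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

Run against the constructed weak configuration the script reports four findings; against the hardened one it reports none, because the version is masked, recursion is off, transfers are denied globally, and the one primary zone overrides that with the addresses of its two secondaries. For a production audit, run named-checkconf first so the file is known to be syntactically valid, and treat this as a first pass rather than a replacement for reading the configuration.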
Other measures against DNS attacks include:
- Use digital signatures and certificates to authenticate DNS data and sessions: DNSSEC for zone data, TSIG for zone transfers and dynamic updates, and TLS-based transports (DNS over TLS or DNS over HTTPS) to protect queries in transit.
- Replicate zone data to other servers, so that if data is corrupted or lost on one server it can be recovered from the others.
- Block unnecessary queries and limit how many a single client may send (response rate limiting), which makes spoofing harder and caps the server's usefulness as an amplifier.
Attackers constantly probe public-facing services for weaknesses to exploit. Make sure you have visibility into your servers and monitor them for configuration changes and unexpected behavior: the quicker you spot malicious activity, the less likely it is that your domain can be subverted.
About the Author
Gregory is passionate about researching new technologies in mobile, web, and WordPress. He also writes for the writing-service review website Online Writers Rating. Gregory loves both stories and facts, so he always tries to get the best of both worlds.