DNS, or Domain Name System, is the protocol used for converting fully qualified domain names (FQDNs) like www.google.com into machine-usable IP addresses that computers use to communicate with each other. Without a working DNS protocol, it would be almost impossible to have an Internet of Things that communicate with each other and organizations would not have a cyber-presence. In short, the internet as we know it would not exist without a robust DNS infrastructure.
Given that DNS servers are mission-critical infrastructure, it is crucial that they continue to respond to queries even when they are under attack. When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting the DNS, it is also important to understand the security threats the DNS might be vulnerable to.
Securing the DNS platform against hacking
Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces and extraneous ports such as port 80 and port 25 that are open for attack. Hackers can use these ports to access the operating system (OS) and hack the servers. If an enterprises’ DNS servers don’t support tiered security privileges, any user could potentially gain access to OS-level account privileges and cause configuration changes that could make the servers vulnerable to hacks.
In order to protect DNS services from various hacks, DNS servers should be secured in the following ways:
- Hardened appliance with minimal attack surface – The infrastructure should not have any extra or unused ports to access server or power external devices (e.g. Wi-Fi) and no root login access within operating system. It should have role-based access to maintain overall control
- Secured access methods – There should be two-factor authentication for secured login access, web and API access should use encryption to secure communication and DNS TSIG keys should be used for strong authentication of DNS updates
- High availability and disaster recovery – Simple, configurable fail-over and fail-back to ensure service availability
- Simple, unified updates for OS and applications – Updates for both the OS and applications should be accomplished in a single process to reduce downtime and risk of incompatibility
- Security certification by an accepted industry organization – External validation of security measures must be taken on hardware, applications/OS, and manufacturing process. The bar should be set at a minimum of Common Criteria EAL2 certification which covers verification of hardware, software and manufacturing processes
- Simple DNSSEC implementation – DNSSEC reduces the risk of attacks like cache poisoning. It should be simple to implement and self-manage the updating of encryption keys between servers
- Secure Forwarder Configuration – Restrict queries to DNS Forwarder servers to those sent by authorized addresses
- Detailed audit logging – This enables compliance and control over server configurations and operations
Defending against DNS attacks
Another consideration is the protection of the DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the internet. Even though the server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls. Firewalls are ill-prepared to protect DNS against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.
There are a whole spectrum of attacks that can target DNS:
- Dos/DDoS – Send 10s or 100s of thousands of queries per second to the DNS server in order to exhause resources on the server and cause a service outage
- DNS reflection/DrDoS – Use 3rd party DNS servers (open resolvers) to propagate DDoS attacks
- DNS amplification – Use specially crafted queries to amplify response and congest bandwidth
- DNS-based exploits – Attacks that exploit vulnerabilities in the DNS software
- TCP/UDP/ICMP floods – Flood a victim’s network on Layer 3 with large amounts of traffic
- DNS cache poisoning – Corrupt the DNS cache data with a rogue address
- Protocol anomalies – Cause the server to crash by sending malformed packets and queries
- Reconnaissance – Attempts by hackers to get information on the network before launching attacks
- DNS tunnelling – Tunnelling of another protocol through DNS for data exfiltration
Protection from these attacks should be done at the DNS level. The DNS appliance should have:
- Intelligent detection and mitigation – It should detect and drop the attack queries before they reach the core DNS server. The DNS server should not spend valuable CPU and memory resources to process these requests. This can be achieved by offloading the threat protection to built-in dedicated compute
- Automatic threat updates – It should stay up-to-date with new and evolving threats automatically. There should be no need for writing scripts or manually applying new protection rules to the DNS server every time a new threat is detected
- Fine-tuning of protection – DNS traffic patterns and attacks might not be the same for each organization and customization of protection is necessary to minimize false positives. It should allow for adjusting of parameters for each rule and customize them for the environment
- Centralized visibility of attacks – Centralized reporting capability is important to provide visibility into the load on the system, diagnose problems, and identify attacks that are happening across the network
- Secure Authoritative Name Servers – External authoritative name servers should have recursion disabled. Inbound/outbound zone transfers should be disabled or secured with TSIG to prevent resource exhaustion attacks
Preventing Malware and APTs from Using DNS
Data breaches are growing at a staggering pace. Investing in next-generation firewalls or Intrusion Prevention Systems (IPSs) can stop some Malware from entering the network, but not all. Trends like Bring Your Own Device (BYOD) complicate the situation further and provide new avenues for Malware to enter and go undetected for longer periods of time.
Malware and APTs evade traditional defences by using DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these devices, additional malicious software is downloaded or sensitive company data is infiltrated.
Sometimes Malware and APT attacks are hidden or disguised by external attacks on networks. During an external attack, IT staff are distracted in protecting the network and might miss alerts or warning logs about Malware and APT activity within the network.
In order for DNS to detect and block queries for malicious domains and networks, a Response Policy Zone (RPZ) must be configured and implemented. At a very minimum the RPZ must have the following capabilities:
- Configurable RPZ policy – RPZ should be configured to apply either Pass-through, Block, NXDOMAIN or Substitute policies to malicious traffic
- Up-to-date threat data – The threat data should come either from Generic malware or targeted APT (though ideally, it would come from both)
- Timely visibility on malicious DNS queries and infected devices – data should include the number of attempts to reach malicious domains, the names of the malicious domains and the date/time.
Security built in is better than security bolted on
Many IT organizations today are using load-balancers, IPS and firewall devices, generic DDoS protection solutions and cloud-based solutions to try and counter DNS-based attacks. All of these solutions are limited in what they can and cannot protect. Most of them are external solutions that are “bolted on” rather than built from the ground up to secure enterprises’ DNS against attacks. None of them can compare to the effectiveness of a purpose-built, DNS-specific defense solution.