General security

DNS security best practices: Preventing DNS hijacking, poisoning and redirection

Howard Poston
September 14, 2020 by
Howard Poston

The importance of DNS

The Domain Name System (DNS) is one of the fundamental protocols of the Internet. It provides a lookup service that converts domain names (like google.com) into IP addresses (like 192.168.0.0).

While DNS has always been an important protocol, the growing use of cloud-based services has made it even more so. IP addresses of services (such as Microsoft 365 servers) change regularly, and the DNS system is necessary to ensure that users of these services are connecting to the correct device.

A prime example of the importance of availability and security of the DNS infrastructure is the 2016 Distributed Denial-of-Service (DDoS) attack against Dyn, a widely-used DNS provider. During the attack against a single company’s servers, a significant number of major websites became inaccessible to a large number of users in Europe and North America.

Addressing common threats to DNS security

DNS can be attacked in a number of different ways. Among these are DNS DDoS, spoofing and amplification attacks.

DNS DDoS

The attack against Dyn is a classic example of a DDoS attack against DNS infrastructure. While the impact of a DDoS attack on Dyn was more widespread, these attacks can affect any organization. DNS is hierarchical, so an organization’s internal domains are governed by an internal DNS server (which can be the target of an attack).

Protecting against DNS DDoS attacks requires deploying a DDoS mitigation solution. This should filter out malicious requests while allowing legitimate ones to continue through.

DNS spoofing

A DNS spoofing attack occurs when an attacker causes a DNS server to send an incorrect response to a DNS query, enabling them to redirect users to attacker-controlled sites. This creates the opportunity for an attacker to steal sensitive data or attempt to exploit vulnerabilities in the user’s browser to drop malware.

In 2019, a large-scale DNS spoofing attack against Middle Eastern companies and government agencies was revealed. Cybercriminals would compromise DNS records for these organizations and redirect them to infrastructure that they controlled. After getting an SSL certificate for each domain, the attackers were able to decrypt and steal email and VPN credentials for these users.

DNS hijacking/redirection

DNS hijacking or redirection attacks can occur when a computer connects to a malicious or compromised DNS server. Since a DNS server provides a conversion from domain names to IP addresses, a DNS server that provides an incorrect IP address will cause the client computer to visit the wrong website.

DNS cache poisoning

Caching is a common technique to decrease latency. A server will store a copy of a response to common queries, eliminating the need to fetch it for each individual user.

DNS cache poisoning attacks are designed to place a false DNS record within a server’s cache. This is done by flooding a local DNS server with DNS responses in the hope that the one of the responses will match a request that the server recently sent out. If this is the case, the local DNS server will use the malicious response until the cache expires.

Mitigating DNS spoofing

Both DNS server operators and users can take action to protect against DNS hijacking attempts. DNS operators should:

  • Require multi-factor authentication for access to DNS servers
  • Keep DNS servers patched and up to date
  • Uninstall or disable unnecessary applications on DNS servers
  • Enable DNSSEC to ensure that DNS responses are digitally signed

For DNS users, detection of a hijacked DNS server can be more difficult. Some best practices include:

  • Using a free, trusted DNS such as Google Public DNS
  • Check historical data for a domain to see if its record has changed (may indicate a redirect attack if a record changed and it does not do so often)
  • Check age of issued certificate and cross-check with DNS record age (a new certificate after a domain change may indicate exploitation of DNS redirection attack)

DNS amplification

DNS amplification attacks use DNS servers to increase the impact of DDoS attacks. DNS is useful for these attacks because it uses UDP and has responses that can be much larger than the associated request.

In a DNS amplification attack, an attacker sends a DNS request to a DNS server with the source address spoofed to that of the target machine. The DNS server will respond to this query, sending a large amount of data to the target. Since DNS records are controlled by website owners, attackers can have custom domains designed to ensure that the target will receive much more data than the attacker receives. This amplifies the impact of a DDoS attack.

Blocking DNS amplification attacks at DNS servers can be difficult, as it is hard to differentiate the target’s legitimate DNS requests from spoofed attack traffic. However, the target of a DNS amplification attack can perform filtering using stateful packet inspection that drops any inbound DNS responses for which there was not a corresponding outbound DNS request.

The challenges of DNS security

The DNS is one of the most important components of the Internet. Without it, websites become largely unreachable, since the DNS is responsible for translating domain names into the corresponding IP addresses. Only if a system already knows the IP address of the target site could it reach it without relying on DNS.

Best practices for DNS security are the same as most other systems: restrict access, use MFA, enable security settings and keep everything up to date. However, the impact of a breach or loss of availability of DNS services makes taking these steps even more important.

Sources

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.