DNS Security, an Overlooked Threat
Posted by Brewcity on September 01, 2016
The Domain Name System is perhaps the most relied upon piece of the internet technology stack. Every internet user accesses DNS servers many times per day, often in ways that go unseen. While DNS services are often very reliable, there are ways in which they might fail that place individuals at risk for security threats. Not only is DNS security of concern for individuals, but a poorly-configured DNS server or an improperly secured network can be crippled or partially taken over by an attacker with access to an internal DNS server. Here are some of the most common current DNS security threats for which to watch out.
Distributed Denial of Service
Because DNS servers are used so heavily, they represent an ideal DDoS bottleneck for attackers. DNS is easily overloaded, and excessive traffic can be hard to notice unless specific DNS monitoring is in place. Once the servers are overloaded, the ubiquitous need for DNS infrastructure becomes its undoing: applications perform a DNS lookup, block while waiting for a result, fail to connect, and then drop the originating request. Unless they are co-located alongside the DNS servers, the failing applications will otherwise appear healthy, which makes tracking down the root cause more difficult.
A more advanced DDoS strategy capitalizes on one of DNS's strengths. A DNS server can be configured to be recursive, forwarding queries upstream to other servers in order to provide a more complete response. By spoofing source IP addresses so that queries appear to originate inside the DNS server's local network, attackers can turn one DNS server against another, having it generate responses that are many times larger than the spoofed requests that triggered them.
Unfortunately, mitigating this attack is rather difficult, because recursive DNS resolvers are a critical piece of any optimized network or intranet. The surest strategy is to work at the routing layer, ensuring that packets claiming to originate on the local network cannot be injected from outside.
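The monitoring gap described above is easiest to see with a concrete check. The following is an added example, not code from the original post: it runs over a few constructed resolver query-log lines in a simplified, assumed format and flags clients that either exceed a per-second query rate (overload) or whose responses dwarf their queries (a reflector being abused). The thresholds and the log format are assumptions for the example.

```python
# Constructed resolver query-log lines in a simplified format assumed for
# this example (not a real server's log format):
#   <epoch seconds> <client ip> <qname> <qtype> <query bytes> <response bytes>
SAMPLE_LOG = """\
1472688000 10.0.0.5 www.example.com A 46 62
1472688000 10.0.0.5 mail.example.com MX 47 120
1472688001 10.0.0.9 example.net TXT 42 1800
1472688001 10.0.0.9 example.net TXT 42 1800
1472688001 10.0.0.9 example.net TXT 42 1800
1472688001 10.0.0.9 example.net TXT 42 1800
1472688001 10.0.0.9 example.net TXT 42 1800
1472688002 10.0.0.5 intranet.example.com A 50 66
"""


def parse_log(text):
    """Parse the constructed log into (ts, client, qname, qtype, qlen, rlen) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qlen, rlen = line.split()
        records.append((int(ts), client, qname, qtype, int(qlen), int(rlen)))
    return records


def find_abusive_clients(records, rate_threshold=4, amp_threshold=10.0):
    """Return {client: set(reasons)} for clients that look like overload sources
    or like spoofed victims of reflection.

    rate_threshold: max queries from one client within any one-second bucket.
    amp_threshold:  max (response bytes / query bytes) ratio for one client.
    """
    per_second = {}  # (client, ts) -> query count
    q_bytes = {}     # client -> total query bytes
    r_bytes = {}     # client -> total response bytes
    for ts, client, _qname, _qtype, qlen, rlen in records:
        per_second[(client, ts)] = per_second.get((client, ts), 0) + 1
        q_bytes[client] = q_bytes.get(client, 0) + qlen
        r_bytes[client] = r_bytes.get(client, 0) + rlen
    flagged = {}
    for (client, _ts), n in per_second.items():
        if n > rate_threshold:
            flagged.setdefault(client, set()).add("rate")
    for client, qb in q_bytes.items():
        if r_bytes[client] / qb > amp_threshold:
            flagged.setdefault(client, set()).add("amplification")
    return flagged


if __name__ == "__main__":
    print(find_abusive_clients(parse_log(SAMPLE_LOG)))
```

On the constructed log, 10.0.0.9 is flagged for both reasons while 10.0.0.5's ordinary lookups pass; in a real deployment the spoofed "internal" client address is the reflection victim, which is why the routing-layer filter above matters alongside this detection.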
Domain Squatting
One common DNS-based attack involves registering a domain name similar to that of a major internet service, capitalizing on typos to capture traffic intended for the real site. Such sites might pose as surveys or contests, capturing personal details by pretending to be affiliated with the site whose domain name they imitate.
Another strategy involves sending email from these typo-squatted domain names. Anyone who does not carefully scrutinize the sending domain might believe they are communicating with someone from the impersonated company or organization, revealing details that they would otherwise have kept private. Domain squatting is particularly insidious because it cannot be accounted for within an organization's own security practices; it is a threat that can only be addressed by paying careful attention to the emails and websites with which each individual interacts.