DNS Security Threats
The Domain Name System (DNS) is a service used on both the Internet and private networks to translate between Fully Qualified Domain Names (FQDNs) and Internet Protocol (IP) addresses. For example, this service allows someone to type an FQDN such as www.zymitry.com to reach the Zymitry web site instead of having to type in the domain's IP address. Regarding security, DNS gives administrators another method of controlling network traffic: network devices and applications such as firewalls, proxy servers, and web browsers can block unwanted communications based on DNS names. DNS can also be exploited by attackers in several ways, including buffer overflow attacks and DNS cache poisoning.
The following is a list of common DNS threats, both technical and non-technical in nature:
- Typosquatting: The practice of registering a domain name that is confusingly similar to an existing popular brand. Recent research has shown that typosquatting is becoming a profound risk to the confidentiality of corporate secrets and should increasingly be thought of as a security problem. Typosquatting is not only about attackers opportunistically registering confusingly similar domains in the hope of benefiting from misdirected Web traffic; it can also be used to steal information. To mitigate this threat, administrators should monitor newly registered domain names for similarity to their own. Information about new domain registrations is often freely available from registries, and many companies offer dedicated digital brand management services.
- Distributed denial of service (DDoS) attacks: DDoS is not a threat specific to DNS; however, DNS is particularly vulnerable to DDoS attacks because it represents a logical choke point on the network. Recommended DDoS mitigation measures are as follows:
  - Don’t count on a firewall to prevent or stop a DDoS attack. The first step is to recognize that your firewall is insufficient protection against the types of DDoS attacks that are increasingly common today. Firewalls should be considered only one component of a DDoS mitigation strategy.
  - Incorporate DDoS into the organization's Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP). Measure the financial impact of being offline for a period of time.
  - Monitor networks and know how to identify DDoS attacks. Use firewall DDoS detection applications.
  - Know your customers and users, and lock out unexpected transactions.
  - If a DDoS attack occurs, look for fraud, data breaches or other criminal activity that it may be covering for.
  - Employ consultants and security professionals who know how to identify and recover from DDoS attacks.
- DNS Amplification Attacks: DNS amplification is a tactic used in DDoS attacks that leverages DNS servers deployed in insecure "recursive" configurations. Recursion is a feature of DNS that allows domain name resolution to be handed off to more robust name servers. Running a recursive DNS server that is open to the entire Internet is no longer considered acceptable security practice. Securing against this threat is usually achieved with a simple configuration change that restricts recursion to the clients the server is meant to serve.
- Registrar Hijacking: Domain names are registered through a registrar company, and registrars represent a single point of failure. If an attacker can compromise your account with your chosen registrar, they gain control over your domain name, allowing them to point it to the servers of their choice. To mitigate hijacking, choose a registrar that follows accepted authentication practices or offers additional security precautions such as multi-factor authentication.
- Cache Poisoning: Vulnerabilities in the DNS protocol itself could allow an attacker to inject fraudulent addressing information into DNS caches. Users whose resolver consults the poisoned cache to visit the targeted site would find themselves instead at a server controlled by the attacker. An attacker can set up this counterfeit site to look like the original and use it to harvest information such as user names and passwords. Mitigation against DNS cache poisoning is often done using the DNSSEC protocol. Once DNSSEC adoption becomes universal, adding a DNSSEC digital signature to a domain name will mean that browsers and ISPs can validate that the DNS information they receive is authentic.
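The typosquatting item above recommends monitoring newly registered domain names for similarity to your own. The following is an added example of such a check and is not code from the original article: it scores a feed of new registrations against a brand list by edit distance, after folding a few look-alike characters, and also flags domains that embed the brand. The brand list, the sample domain feed, the confusable table and the distance threshold are assumptions made for illustration; a real deployment would read a registrar or zone-file feed.

```python
"""Flag newly registered domains that look like a brand we protect (added example)."""

# Small, illustrative table of characters that imitate ASCII letters (assumption).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed inputs for the demonstration.
BRANDS = ["zymitry.com"]
NEW_DOMAINS = [
    "zymitry.com",        # our own registration, must not be flagged
    "zymltry.com",        # one-character substitution
    "zymitry-login.com",  # brand embedded in a longer label
    "zymitrry.com",       # one-character insertion
    "example.org",        # unrelated
    "zyrnitry.net",       # "rn" imitating "m"
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold look-alike digits and letter pairs to the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Label left of the suffix; naive (strips only the last label), fine for a demo."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_hits(brands, new_domains, max_distance=1):
    """Return (domain, brand, distance) for every new domain that resembles a brand."""
    hits = []
    for domain in new_domains:
        label = registrable_label(domain)
        for brand in brands:
            target = registrable_label(brand)
            if label == target:
                continue  # exact match: this is our own registration
            dist = levenshtein(normalize(label), normalize(target))
            if dist <= max_distance or target in label:
                hits.append((domain, brand, dist))
    return hits


if __name__ == "__main__":
    for domain, brand, dist in typosquat_hits(BRANDS, NEW_DOMAINS):
        print(f"review: {domain} resembles {brand} (distance {dist})")
```

Hits are meant to be reviewed by a person; a distance of 0 after normalization (as with the "rn" case) is the strongest signal, while an embedded brand name at a larger distance usually needs a look at the registrant and the site content before any takedown request.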
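The DDoS item above says to monitor networks and know how to identify an attack, and the amplification item explains that open recursion is what makes a resolver usable as an amplifier. The following added example (not code from the original article) runs two such checks over resolver query-log records: which untrusted clients were served recursive queries, and which sources repeatedly drew answers many times larger than their queries. The simplified log format, the sample lines, the trusted-client prefix and the thresholds are all assumptions constructed for this illustration; adapt the parser to your resolver's real log format.

```python
"""Spot open recursion and amplification patterns in resolver query logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed log lines: "time client qname qtype rd|nord req_bytes resp_bytes".
SAMPLE_LOG = """\
12:00:01 198.51.100.7 isc.org ANY rd 64 3300
12:00:01 198.51.100.7 isc.org ANY rd 64 3300
12:00:01 198.51.100.7 isc.org ANY rd 64 3300
12:00:02 198.51.100.7 isc.org ANY rd 64 3300
12:00:02 10.0.0.25 www.zymitry.com A rd 45 61
12:00:03 10.0.0.26 mail.zymitry.com MX rd 48 110
12:00:03 203.0.113.9 zymitry.com TXT rd 52 1200
12:00:04 10.0.0.25 intranet.zymitry.com A rd 52 68
"""

# Networks this resolver is meant to recurse for (assumption for the demo).
TRUSTED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (rd|nord) (\d+) (\d+)$")


def parse(log_text):
    """Turn log lines into records; malformed lines are skipped rather than crashing."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, client, qname, qtype, rd, req, resp = m.groups()
        records.append({
            "time": t, "client": ipaddress.ip_address(client), "qname": qname,
            "qtype": qtype, "rd": rd == "rd", "req": int(req), "resp": int(resp),
        })
    return records


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_CLIENTS)


def open_recursion_clients(records):
    """Untrusted clients that were served recursive (RD) queries: the resolver is open."""
    return sorted({str(r["client"]) for r in records if r["rd"] and not is_trusted(r["client"])})


def amplification_suspects(records, min_ratio=10.0, min_queries=3):
    """Sources whose answers were >= min_ratio times the query size, >= min_queries times.

    In a reflection attack the 'client' address is the spoofed victim, so the fix is
    to restrict recursion and rate-limit responses, not to block that address.
    """
    per_client = defaultdict(lambda: {"count": 0, "req": 0, "resp": 0, "qtypes": set()})
    for r in records:
        if r["resp"] / r["req"] >= min_ratio:
            s = per_client[str(r["client"])]
            s["count"] += 1
            s["req"] += r["req"]
            s["resp"] += r["resp"]
            s["qtypes"].add(r["qtype"])
    return {
        c: {"count": s["count"], "ratio": round(s["resp"] / s["req"], 1), "qtypes": sorted(s["qtypes"])}
        for c, s in per_client.items() if s["count"] >= min_queries
    }


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("untrusted clients served recursion:", open_recursion_clients(recs))
    print("amplification suspects:", amplification_suspects(recs))
```

On the sample data the single TXT query from 203.0.113.9 has a high ratio but falls under the repeat threshold, while the burst of ANY queries from 198.51.100.7 is reported; both addresses also appear in the open-recursion list, which is the finding that actually needs fixing on the server.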