
DNS SECURITY: ATTACKS, THREATS, VULNERABILITIES, COUNTERMEASURES, RECOMMENDATIONS

GROUP 3
Introduction

• The Domain Name System (DNS) is a critical part of the Internet.
• It is the directory service responsible for translating domain names to IP addresses. Since it is such a critical component, security is a very important issue in DNS.
• The Domain Name System is a system for resolving names into text and numbers.
• Its need is motivated by people generally being very bad at remembering arbitrary numbers, but much better at remembering letters and names arranged hierarchically.
• DNS security: the ability of the components of the DNS to protect the integrity of DNS information and critical DNS system resources.
Vulnerabilities in DNS

1. UDP Transport Layer and IP Spoofing:
• The main weakness suffered by DNS originates directly in its primary use of the UDP protocol to transmit messages.
• UDP is a network transport protocol in which speed of transmission is given pride of place: it sends and receives information without prior establishment of a connection and without confirmation of, or check on, delivery or reception of any message.
• This makes it feasible to falsify IP addresses (IP spoofing) and to substitute question and answer messages.
• Although the DNS specification envisages the use of TCP for transmitting messages, for implementation it recommends employing UDP for queries, for reasons of efficiency.
• In view of the absence of any check or confirmation in UDP transmissions, final responsibility for validating a message falls directly upon the DNS protocol.

2. Weaknesses in Identification and Validation of DNS Messages:
• In parallel with the problem of using UDP for DNS message transport, there are further design weaknesses in the identification and validation of packets that favour their falsification.
• In the generic format of DNS messages, the ID field in the HEADER section of a DNS transmission is intended to identify the message.
• This identifier, represented by a number of just 16 bits, plays an important part in the mechanism for validating answer messages.
• Its limited length, combined with the weak validation procedure in UDP, makes IP spoofing attacks possible with relative ease.
THIS IS THE GENERIC DNS MESSAGE FORMAT

SECTION     DESCRIPTION
HEADER      Contains information about the type of message. Includes fields giving the number of entries in the other sections of the message.
QUESTION    Contains one or more requests for information (queries) sent to the DNS server.
ANSWER      Contains one or more records responding to the query or queries.
AUTHORITY   Contains one or more records indicating the authoritative server for the domain in question.
ADDITIONAL  Records with additional information not essential for responding to the query.

NB: Depending on the type of message, one or more sections may be empty. The HEADER is always present, as it contains important information about the message contents.
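The table above lists the sections by name; the following added example (written for this edit, not part of the slides) shows what the HEADER and QUESTION sections look like on the wire, as defined in RFC 1035. It builds a constructed query for example.com, then decodes the 16-bit ID, the flag bits and the four section counts from the 12-byte header, and decodes the label-encoded name in the question section, including the compression pointers that responses use. The message bytes are constructed inline, not captured traffic.

```python
import struct

def build_query(txid: int, qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Encode a minimal DNS query (HEADER + one QUESTION) in RFC 1035 wire format."""
    # HEADER: ID, FLAGS (only RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of <length><label> pairs terminated by a zero byte
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question

def parse_name(data: bytes, offset: int):
    """Decode a label sequence at offset; follows compression pointers (top two bits 11)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            # two-byte pointer to an earlier occurrence of the name; the name ends here
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end

def parse_message(data: bytes) -> dict:
    """Parse HEADER and QUESTION; the HEADER counts say how many records follow in the other sections."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte HEADER")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    header = {
        "id": txid,                 # the 16-bit identifier discussed in the slides
        "qr": (flags >> 15) & 1,    # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,    # authoritative answer
        "tc": (flags >> 9) & 1,     # truncated: client should retry over TCP
        "rd": (flags >> 8) & 1,     # recursion desired
        "ra": (flags >> 7) & 1,     # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    questions = []
    offset = 12
    for _ in range(qd):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    return {"header": header, "question": questions, "sections_start": offset}

# Constructed sample: query for example.com / A / IN with transaction ID 0x1A2B
SAMPLE_QUERY = build_query(0x1A2B, "example.com")

if __name__ == "__main__":
    parsed = parse_message(SAMPLE_QUERY)
    print(parsed["header"])
    print(parsed["question"])
```

A resolver that validates answers uses exactly the fields decoded here: it compares the ID, checks that QR is set, and checks that the QUESTION section echoes what it asked, before it trusts anything in the ANSWER section.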
Cont. …
3. Unnecessary recurssivness.
 Not all name servers need to be recursive
 Authoritative servers not need to be recursive
 Recursive is complex and burdens servers
 Additional function means more potential vulnerability
DNS Threats

1. Denial of Service (DoS) attacks are the most likely to have widespread effects on the stability of the Internet.
• A DoS attack could be directed against a single domain name, against the root servers that glue together the Internet's DNS, or against any part of the infrastructure in between.
• The impact of a DoS attack would vary with the target. For example, without the root servers the Internet would effectively stop functioning, although not immediately.
• The main strategy for repelling a DoS attack is overprovisioning: ensuring that the target has more resources available than the attacker can consume.
• DNS operators who understand the critical nature of the service they provide have designed the DNS very carefully, hardening systems against attacks and using large-scale replication technology to help ensure survival in the face of a DoS attack.

2. Data Corruption: attacks that redirect Internet users to forged information resources.
• When successful, they may result in theft, fraud and misdirection, expose a user to significant risks, and in general reduce confidence and trust in the Internet.
• DNSSEC extends the DNS to help prevent many data corruption attacks.
• When fully in place, DNSSEC will significantly reduce the risk of data corruption.
3. Information Exposure: the most vague of the threats to the DNS.
• It can be damaging to some individuals and organizations, and can threaten the trust that people have placed in the Internet.
• Information exposure can be minimized by securing the network paths used for DNS and by access control restrictions.
• The DNS itself has also been used as a vector for attack. While threats to the Internet from the DNS have less impact on its resilience, stability and security, DNS operators are taking these threats seriously.
• Many have put in place policies and procedures intended to minimize this type of threat.
Attacks on DNS

1. Cache Poisoning
• Cache poisoning is achieved by changing or adding a record in a name server's cache.
• An attacker can use this technique to change an A record to an IP address under his control, thus redirecting traffic to himself.
• What makes this technique very effective is the heavy use of forwarders.
• Forwarders are name servers to which a resolver forwards its incoming requests. Thus if a record is poisoned in a forwarder, all resolvers that forward to it will also be poisoned.
2. DNS Forgery
• DNS forgery is an attack in which the attacker forges a reply to a DNS query.
• This is done by beating the reply from the real server back to the client. This scenario is of particular importance when it comes to wireless networks.
• Every DNS query and reply contains a 16-bit ID number. The number in the reply must match the number in the query.
• Without this keeping of state, an attacker could flood a victim with reply packets for a domain the attacker knows the victim will look up, e.g. google.com.
• When the query was made, the victim would accept one of the flooded reply packets instead.
• The ID numbers make this harder, as the attacker has to match the ID number of the reply with that of the query. In a wireless network, where all traffic is seen by all nodes, DNS forgery is a big issue.
• The attacker could then simply intercept all DNS queries on the network and send back forged replies to the victims he or she wants to attack.
• This won't work on a wired network, though. On a wired network, the attacker would need to calculate or predict the ID numbers of the queries.
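The cache poisoning and forgery sections above both come down to one resolver-side decision: which incoming reply to accept for an outstanding query. The following added example (written for this edit, not taken from the slides) models that decision from the defender's side. A reply is accepted only if its transaction ID, the UDP port it arrives on, the server address it claims to come from and its echoed question all agree with the query the resolver sent, which is the check RFC 5452 recommends. It also shows why resolvers randomize the source port: the 16-bit ID alone gives an off-path forger a 65,536-way guess, while an unpredictable ephemeral port adds roughly another 15 bits. The query, replies and the 192.0.2.53 server address are constructed values.

```python
import math
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:
    """What a resolver remembers about an outstanding query (constructed model, not a real resolver)."""
    txid: int          # 16-bit transaction ID from the HEADER
    src_port: int      # UDP source port the query was sent from
    server_ip: str     # address the query was sent to
    qname: str
    qtype: int

@dataclass(frozen=True)
class IncomingReply:
    txid: int
    dst_port: int      # UDP port the reply arrived on
    src_ip: str        # address the reply claims to come from
    qname: str
    qtype: int
    qr: int            # must be 1 for a response

def reply_matches(query: PendingQuery, reply: IncomingReply):
    """Accept a reply only if every attribute the resolver can check agrees with the query it sent."""
    if reply.qr != 1:
        return False, "QR flag not set: not a response"
    if reply.txid != query.txid:
        return False, "transaction ID mismatch"
    if reply.dst_port != query.src_port:
        return False, "reply arrived on the wrong port"
    if reply.src_ip != query.server_ip:
        return False, "reply not from the server that was asked"
    if (reply.qname.lower(), reply.qtype) != (query.qname.lower(), query.qtype):
        return False, "question section does not echo the query"
    return True, "accepted"

def guess_space_bits(randomize_port: bool) -> int:
    """Bits an off-path forger must guess: 16 for the ID, plus the port entropy if it is randomized."""
    # ephemeral range 1024-65535 = 64512 ports, a little under 2^16, truncated to 15 bits
    port_bits = int(math.log2(65535 - 1024 + 1)) if randomize_port else 0
    return 16 + port_bits

def new_query(server_ip: str, qname: str, qtype: int = 1) -> PendingQuery:
    """Issue a query with an unpredictable ID and an unpredictable ephemeral source port."""
    return PendingQuery(txid=secrets.randbelow(1 << 16),
                        src_port=1024 + secrets.randbelow(65535 - 1024 + 1),
                        server_ip=server_ip, qname=qname, qtype=qtype)

# Constructed scenario: the resolver asked 192.0.2.53 (documentation address) for example.com / A.
SENT = PendingQuery(txid=0x1A2B, src_port=40231, server_ip="192.0.2.53",
                    qname="example.com", qtype=1)
GENUINE = IncomingReply(txid=0x1A2B, dst_port=40231, src_ip="192.0.2.53",
                        qname="example.com", qtype=1, qr=1)
# Forged reply that matched the ID but not the randomized port (the wired-network case above).
FORGED_WRONG_PORT = IncomingReply(txid=0x1A2B, dst_port=53, src_ip="192.0.2.53",
                                  qname="example.com", qtype=1, qr=1)
# Forged reply that matched the port but guessed the ID wrongly.
FORGED_WRONG_ID = IncomingReply(txid=0x0001, dst_port=40231, src_ip="192.0.2.53",
                                qname="example.com", qtype=1, qr=1)

if __name__ == "__main__":
    for label, r in [("genuine", GENUINE), ("wrong port", FORGED_WRONG_PORT),
                     ("wrong id", FORGED_WRONG_ID)]:
        print(label, reply_matches(SENT, r))
    print("bits to guess, fixed port:", guess_space_bits(False))
    print("bits to guess, random port:", guess_space_bits(True))
```

On a shared medium where the attacker can read the query, none of these fields are secret, which is why the slides single out wireless networks; there the remedy is DNSSEC validation or an encrypted transport to the resolver, not more entropy in the query.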
3. Denial of Service:
• (DoS) attacks are attempts to make a given service impossible or very hard to access.
• Attacks sometimes use brute force (saturating servers by flooding them with simultaneous queries) or take a more understated approach by exhausting a scarce resource on the server.
• The attacks made against the DNS root system in February 2007 were mainly DoS attacks.
4. Distributed Denial of Service:
• (DDoS) attacks are an elaborate form of DoS that involve thousands of computers, generally as part of a botnet or robot network:
• a network of zombie computers that the attacker hijacks from their unwitting owners by spreading malware from one machine to another.
5. Reflected Attacks:
• Thousands of requests are sent with the victim's address as the source address. When the recipients answer, all the replies converge on the supposed sender, whose infrastructure is then affected.
6. Fast Flux:
• In addition to falsifying their IP address, attackers can hide their identity by using this technique, which relies on fast-changing location-related information to hide where the attack is coming from.
• Variants exist, such as single flux (constantly changing the address of the web server) and double flux (constantly changing both the address of the web server and the names of the DNS servers).
Recommendations for the Mitigation of Attacks

1. Use DNSSEC
• DNSSEC is a set of extensions to the DNS that provide authentication and integrity checking of DNS data.
• Authentication ensures that the zone administrator can provide authoritative information for any particular DNS domain,
• while integrity checking ensures that information in the DNS cannot be modified (accidentally or maliciously) while in transit or in storage.
• DNSSEC requires both compliant DNS servers and security-aware DNS resolvers.
• DNS servers compliant with DNSSEC must support the additional types of DNS records needed for DNSSEC.
• Security-aware DNS resolvers must be able to detect the new DNSSEC extensions, and must check DNS data for authentication and data integrity.

• DNSSEC was designed to provide a strong cryptographic signature of DNS data that security-aware (DNSSEC-compliant) resolvers can verify, to ensure that data received over the network has not been modified since it was signed.
• DNSSEC-signed DNS data can be retrieved from anywhere, regardless of any insecurities in the networks over which the DNS data may travel or the intermediate systems in which it may reside.
• Any modification of the DNS data from what was originally signed at the authoritative source can be detected, thereby allowing a security-aware DNS resolver to discard corrupt or unauthorized data.

2. Set up the best possible redundancy:
• so that a server affected by an attack can be seamlessly replaced by other servers containing the same information but connected to other networks.
• That is why registries such as AFNIC always require each domain name to be installed on no fewer than two name servers.
• Other, more sophisticated techniques, like anycast schemes, take redundancy to even higher levels, with clear improvements in terms of security and performance.
3. Use the latest DNS software versions:
• especially BIND, and install the appropriate patches to prevent attacks exploiting well-known security loopholes.
4. Regularly keep an eye on the servers and their configuration:
• Preferably from several points across the Internet. Because the DNS is so robust, it often happens that a server failure is only detected when the last server in the line also fails.
• To check the configuration, free software is available, such as ZoneCheck.
• To monitor the network from outside, companies not wishing to deploy a specific architecture can use existing commercial or community services.
5. Define a "business continuity plan":
• allowing the victim of an attack to continue or restore business with minimal downtime in the event of a major attack.
• This is a fairly essential precaution for all those that depend on the Internet, and therefore on the DNS, for their revenues, particularly companies offering online services to their customers.
GENERAL POLICY ON DNS

• Measures recommended for reinforcing and protecting a DNS service in a generic way and with specific reference to the BIND DNS software.
• BIND is the most widely used DNS software around the world and has currently reached its ninth version.
• For this purpose, the elements making up the service as a whole are grouped into three layers.

1. Base Environment. Basic elements of the service at the level of systems and communications.
o Operating System: the operating system of the server must be updated and patched.
o BIND Software: checking and follow-up of software versions, hiding the version, assigning permissions, log file configuration.
o Network Topology: a good implementation of DNS should always separate servers in accordance with their role. When a network architecture is being designed for a DNS service, a clear separation of functions depending on the information provided by the authoritative server should be observed.
2. Data. Measures relating to data security.
o Parameterization. Recommended values:
  TTL: 2 to 7 days.
  Serial: update with each change in the zone files.
  Refresh: 2 to 12 hours (or 20 minutes to 2 hours for frequently updated zones).
  Retry: 5 minutes to 1 hour.
  Expire: 2 to 4 weeks.
o Information in zone records: hide TXT information and the version of BIND.
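The recommended SOA values above are easy to get wrong in a way that only shows up when a primary is unreachable. The following added example (written for this edit, not from the slides or from BIND) checks a zone's SOA timers against those ranges and adds the consistency rules secondaries rely on: retry must be shorter than refresh, expire must exceed refresh plus retry so one missed refresh does not drop the zone, and the serial must increase with every change or secondaries will never transfer the new version. The two SOA records it checks are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINUTE, HOUR, DAY, WEEK = 60, 3600, 86400, 7 * 86400

# Recommended ranges from the slide, converted to seconds: (minimum, maximum)
RECOMMENDED = {
    "ttl": (2 * DAY, 7 * DAY),
    "refresh": (2 * HOUR, 12 * HOUR),
    "refresh_frequent_updates": (20 * MINUTE, 2 * HOUR),
    "retry": (5 * MINUTE, 1 * HOUR),
    "expire": (2 * WEEK, 4 * WEEK),
}

@dataclass
class Soa:
    ttl: int
    serial: int
    refresh: int
    retry: int
    expire: int

def in_range(value: int, bounds: Tuple[int, int]) -> bool:
    lo, hi = bounds
    return lo <= value <= hi

def check_soa(soa: Soa, previous_serial: Optional[int] = None,
              frequent_updates: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the SOA follows the recommended values."""
    findings = []
    if not in_range(soa.ttl, RECOMMENDED["ttl"]):
        findings.append(f"TTL {soa.ttl}s outside recommended 2-7 days")
    refresh_key = "refresh_frequent_updates" if frequent_updates else "refresh"
    if not in_range(soa.refresh, RECOMMENDED[refresh_key]):
        findings.append(f"refresh {soa.refresh}s outside recommended range for this zone profile")
    if not in_range(soa.retry, RECOMMENDED["retry"]):
        findings.append(f"retry {soa.retry}s outside recommended 5 minutes to 1 hour")
    if not in_range(soa.expire, RECOMMENDED["expire"]):
        findings.append(f"expire {soa.expire}s outside recommended 2-4 weeks")
    # Consistency rules that follow from how secondaries use these timers (RFC 1035, RFC 1912)
    if soa.retry >= soa.refresh:
        findings.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        findings.append("expire should exceed refresh + retry, or one missed refresh can drop the zone")
    # The serial must move forward with every change so secondaries notice the new zone version
    if previous_serial is not None and soa.serial <= previous_serial:
        findings.append(f"serial {soa.serial} not greater than previous {previous_serial}: "
                        "secondaries will not transfer the new zone")
    return findings

# Constructed examples (not taken from any real zone):
GOOD = Soa(ttl=3 * DAY, serial=2024010102, refresh=4 * HOUR, retry=30 * MINUTE, expire=3 * WEEK)
WEAK = Soa(ttl=60, serial=2024010101, refresh=HOUR, retry=2 * HOUR, expire=DAY)

if __name__ == "__main__":
    print("good:", check_soa(GOOD, previous_serial=2024010101))
    print("weak:", check_soa(WEAK, previous_serial=2024010101))
```

Run this against the SOA of every zone after each edit; a serial that was not bumped is the single most common reason a "redundant" secondary is silently serving stale data.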

3. Transactions. Protecting messages in DNS operations.
o Queries: questions and answers.
o Zone transfers.
o Notifications.
o Dynamic updates.

4. Improvements in Authoritative Servers. Response Rate Limiting.
• Authoritative servers should be accessible so as to offer the necessary information about the records for which they are responsible.
• It is crucial to check that authoritative servers always reject recursive queries and provide resolution only for records in their own domains.
5. Use of Access Control Lists (ACLs) and IP Filtering.
• BIND makes it possible to restrict the IPs authorized to request a zone transfer by means of the allow-transfer directive, but this method is not effective against a well-worked-out spoofing attack. It should be seen as a strengthening measure.
6. TSIG (Transaction SIGnature).
• TSIG is the recommended method for protecting zone transfer transactions.
• With this approach, communication between servers is authenticated by using a key shared among them.
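Points 4, 5 and 6 above describe three checks an authoritative server applies before it answers. The following added example (written for this edit; it is a model, not BIND's code or configuration) puts them side by side: an authoritative policy that answers only names under the zones it serves and refuses everything else regardless of the RD flag, an allow-transfer style ACL on the requesting address, and a shared-key HMAC check in the spirit of TSIG. Running it shows why the slide calls the ACL only a strengthening measure: a request with a spoofed address inside the ACL passes the address check but fails the key check. The zone list, the ACL networks, the key and the request bytes are all constructed; the HMAC layout is a simplification of real TSIG (RFC 8945), which MACs a canonical layout of the whole message plus key name, algorithm and time.

```python
import hashlib
import hmac
import ipaddress
import secrets

# --- 4. Authoritative servers: no recursion, answer only for zones served ---
SERVED_ZONES = ("example.com.", "example.net.")   # constructed zone list

def authoritative_decision(qname: str, rd_flag: int) -> str:
    """Answer only names inside a served zone; never recurse for anything else (RCODE REFUSED)."""
    name = qname.lower().rstrip(".") + "."
    if any(name == zone or name.endswith("." + zone) for zone in SERVED_ZONES):
        return "ANSWER"      # authoritative data; rd_flag is ignored and RA stays 0 in the reply
    return "REFUSED"         # not our zone: do not resolve it, whatever rd_flag says

# --- 5. ACL on zone transfers (models the allow-transfer list) ---
TRANSFER_ACL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]

def transfer_allowed_by_acl(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRANSFER_ACL)

# --- 6. TSIG-style shared-key authentication of the transfer request ---
TSIG_KEY = secrets.token_bytes(32)   # constructed shared secret; provisioned out of band in practice

def tsig_sign(request: bytes, time_signed: int, key: bytes = TSIG_KEY) -> bytes:
    """HMAC-SHA256 over the request and a 48-bit timestamp (simplified TSIG layout)."""
    return hmac.new(key, request + time_signed.to_bytes(6, "big"), hashlib.sha256).digest()

def tsig_verify(request: bytes, time_signed: int, mac: bytes, now: int,
                key: bytes = TSIG_KEY, fudge: int = 300) -> bool:
    """Constant-time MAC comparison plus the TSIG time window ("fudge") that limits replay."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_sign(request, time_signed, key), mac)

def allow_zone_transfer(src_ip: str, request: bytes, time_signed: int, mac: bytes, now: int):
    """Defence in depth: the ACL filters obvious strangers; the shared key makes the decision."""
    if not transfer_allowed_by_acl(src_ip):
        return False, "source address not in allow-transfer ACL"
    if not tsig_verify(request, time_signed, mac, now):
        return False, "TSIG verification failed"
    return True, "transfer permitted"

AXFR_REQUEST = b"AXFR example.com."   # constructed stand-in for the wire-format request
NOW = 1_700_000_000

if __name__ == "__main__":
    good_mac = tsig_sign(AXFR_REQUEST, NOW)
    print(authoritative_decision("www.example.com", rd_flag=1))
    print(authoritative_decision("www.example.org", rd_flag=1))
    print(allow_zone_transfer("192.0.2.10", AXFR_REQUEST, NOW, good_mac, NOW))
    # Address inside the ACL but no key: the ACL alone would have let this through
    print(allow_zone_transfer("192.0.2.10", AXFR_REQUEST, NOW, b"\x00" * 32, NOW))
    print(allow_zone_transfer("203.0.113.5", AXFR_REQUEST, NOW, good_mac, NOW))
```

The time window in tsig_verify matters as much as the MAC itself: without it a captured, validly signed transfer request could be replayed indefinitely, which is why TSIG carries a signing time and a fudge value.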