Maksim Kabakou - Fotolia
A recent high-profile attack on large US-based DNS provider Dyn resulted in website down-time for several of the internet’s most well-known brands, forcing many organisations to consider – perhaps for the first time – the risks associated with domain name system (DNS).
The DNS functions as the internet’s phone book. It translates user-friendly domain names into IP addresses so internet traffic can be directed to the correct hosting server.
At first glance, it may appear that the role of DNS is confined to web pages, but it is also widely used by mail transfer agents to deliver email, for correctly identifying voice over IP (VoIP) telephones, and in establishing virtual private network (VPN) connections.
Given its widespread importance, a successful attack on DNS could significantly disrupt an organisation, far beyond users being unable to access a website.
DNS is often poorly secured, and attacks can be profitable for attackers and cause widespread disruption.
There are a number of ways DNS can be targeted, including distributed denial of service (DDoS), where an individual DNS server or provider can be targeted by a DDoS attack, in which they are flooded with malicious traffic, blocking legitimate requests. One variation on this is an amplification attack, whereby a small request to a DNS server is used to generate large responses, consuming significant computing resources.
Another way is through SYN floods, a popular kind of denial of service attack in which an attacker sends spoofed data packets to bogus destinations, forcing the DNS server to attempt to establish a connection. Acknowledgement packets are never received, leaving connections, consuming server resources and preventing legitimate requests.
DNS Hijacking is yet another way of targeting DNS. The internet connection of a target machine is reconfigured – by using malware, for example – to point at a rogue DNS server, redirecting users to destination IPs of the attackers choosing.
Finally, DNS Tunnelling can be used to target DNS. The DNS protocol – operating on UDP port 53 for normal requests – is used as a means of “tunnelling” through security systems to steal data. The channel is not normally used for sending information and so is not always monitored by security systems.
Read more from Computer Weekly’s Security Think Tank about DNS security
- Know the business risks of using the internet.
- Top three DNS-related security risks.
- Business should arm against rise in DNS server attacks.
- Add risk of DNS attack to business continuity plan.
- Use DNS proxy services to bolster security.
- DNS, the underdog in cyber security strategy.
- Look to security best practices to secure DNS.
Organisations should conduct a full risk assessment of their infrastructure to identify and mitigate possible risks.
A defence-in-depth strategy is required to adequately secure DNS and prevent its misuse. Key recommendations include:
- Inclusion of UDP port 53 in traffic analysis to identify DNS tunnelling and data theft.
- Patch DNS servers regularly to minimise vulnerabilities.
- Use separate DNS servers for internal and internet resolution with the internal server located behind network defences to prohibit access to external attackers.
- Ensure access to DNS servers is restricted to those that require it (using secure passwords) to reduce opportunities for accidental or malicious misconfiguration.
In conclusion, DNS is often poorly secured and will remain a target for attackers. Organisations should review security around their DNS and consider appropriate defences to reduce the risks of misuse and costly service disruption across critical business functions.