This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
The global Domain Name System (DNS) is ubiquitous across the Internet. It's absolutely fundamental to the way we work. It's a whole lot easier to bring up a browser and type www.Google.com rather than try to remember its more complex address of http://184.108.40.206/.
DNS is so important that we tend to regard it as Internet plumbing: it goes everywhere, it gets through all the firewalls and it's there when we need it—usually. Unfortunately, DNS also has the characteristic of being poorly secured, which can lead to all sorts of problems.
Just as metal thieves have figured out that copper plumbing in old houses has value as scrap, cyber attackers have learned the value in using DNS to attack infrastructures and steal data.
Most of us became acutely aware of how DNS could be abused as an attack tool in March 2013 when the anti-spam organization Spamhaus was hit with a massive 300Gbps DNS reflection (or DNS amplification) DDoS attack. According to CloudFlare, the security company called in to rescue Spamhaus from the attack, DNS reflection has become the source of the largest Layer 3 DDoS attacks they see, many of which exceed 100Gbps.
In a blog post detailing the Spamhaus case, CloudFlare explained how a DNS reflection attack works:
The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.
Following that attack, network administrators the world over were advised to lock down their open DNS resolvers. Good information on how to do that can be found in this Infoblox blog post.
Another kind of attack called resource exhaustion is frequently aimed at ISPs and their DNS resolver infrastructure. Security vendor Cloudmark describes this type of attack in a white paper:
In order to perform this attack, the attacker must first have registered a domain and designated the intended target's name server as the authoritative server for that domain or use an existing domain whose authoritative server is already the intended target.
Then using a botnet of compromised machines, the attacker directs the machines to send a flood of requests through a botted machine's ISPs' recursive name servers. Additionally the attacker may flood requests through any known open resolvers that may reside within an ISP's network. Each request will contain a unique, randomized, and non‐existent sub‐domain of the previously registered domain (ex. kbsruxixqf.www.500sf.com, adujqzutahyp.www.500sf.com).
Because of the uniqueness of the sub‐domains, each request will then trigger a recursive lookup against the target's name server. As the attack grows in size, the amount of requests hitting the intended target's name servers grows as well. Eventually the target's DNS infrastructure will buckle under the load, either from system resource depletion, network saturation or both.
Once the ISP's DNS resolver infrastructure goes down, there is essentially no Internet access for the provider's subscribers. This underscores the need for ISPs to deploy an on premise DDoS solution in order to fend off this and other types of attacks.
Another kind of threat that abuses DNS is called DNS hijacking. This type of malicious attack overrides a computer's TCP/IP settings to point it to a rogue DNS server, thereby invalidating the default DNS settings. This kind of attack frequently involves home routers that are taken over by a hacker, so that your computer now is directed to a rogue DNS server that is owned and maintained by the hacker rather than going to your ISP's legitimate DNS resolver. When you type in the domain name of your desired websites, the rogue server translates those names to the IP addresses of malicious websites where you might be subjected to malware or unwanted advertising.
Home routers aren't the only devices affected by DNS hijacking. ARS Technica says that a Google DNS server was hijacked to Venezuela for about 23 minutes in March of 2014, showing that even the most savvy Internet companies can be vulnerable to attack from time to time.
The folks at Cloudmark report that there is another kind of DNS abuse that should be of concern to service providers, enterprises and basically anyone who is running any kind of sensitive network security: unauthorized DNS tunneling, usually for the purpose of exfiltrating data. Cloudmark's white paper on DNS tunneling explains how it's done:
DNS tunneling uses DNS queries and responses to send data that cannot otherwise be sent via traditional network connections. The tunnel consists of a client inside a restricted network and a server that acts as an authoritative DNS server. To send data from the client to the server, the client encodes data in the hostname portion of specifically constructed DNS requests. To send data from the server to the client, the server encodes data either in the payload of DNS response records or CNAME responses to the original request.
Depending on the tunneling software used, the client and server either create a point‐to‐point virtual network interface over which any traffic can pass or map local port numbers on the client to specific addresses and port numbers on the server.
Because DNS is completely ubiquitous, it passes through firewalls and the traffic is almost never inspected. An attacker wanting to exfiltrate data from an organization can actually encode the data inside real DNS packets so it's hard to detect. Stopping this kind of activity requires thorough packet analysis, which Cloudmark now offers in its new Cloudmark Security Platform for DNS.
DNS may be absolutely fundamental to the way the Internet works, but it was never designed with security in mind. Security-minded organizations will need to plug those holes for themselves.