Ask a Question, Get an Answer; How insecure can that be? (Part 1 of 3)

The domain name system (DNS) was invented nearly thirty years ago to serve as the Internet directory. As you browse the Internet using your computer, tablet, mobile phone, or other device, you navigate by entering names of websites, typically “www” addresses. But your device connects to the intended Internet destination by sending Internet Protocol (IP) data packets, which are addressed using IP addresses, not www addresses. DNS provides the vital linkage in looking up www addresses that people use and translating them to IP addresses that devices use.

The basic concept of DNS is very simple:  ask a question (www address) and get an answer (IP address). But the mechanics involve a number of DNS entities, many of which lie outside of your organization. And this could expose your network to security compromise. By its very nature, the global Internet DNS system serves as a distributed data repository containing www names (and others of course but let's keep it simple) and corresponding IP address information. The distributed nature of DNS applies not only to the global geographic distribution of DNS servers housing this repository, but to the distribution of administration of the information published within respective domains of this repository. Each organization desiring an Internet presence obtains a domain name, e.g. example.com, under which its IT administrators publish www-to-IP address translation information in their DNS servers.

When you enter a www address in your browser, your device will issue a DNS query to your local DNS server as configured by the administrator of the network to which you are connected. For example, your enterprise IT staff configures local DNS servers for your use when on the enterprise network, your service provider operations team configures a local DNS server for your use when on broadband, and the wifi network administrator likewise provides a local DNS server for use when on their wifi network. The job of this local DNS server is to fetch the answer to your www query on the Internet. If you desire to browse to “www.example.com” the local DNS server will first locate the DNS servers configured by the example.com DNS administrators, then query one of these servers for the IP address corresponding to “www.example.com.”

The local DNS server locates the example.com DNS servers by querying other DNS servers on the Internet corresponding to your entered domain name. For example, it will query the Internet root DNS servers, which will refer to the .com DNS servers which will in turn refer to the example.com DNS servers. Your single question for www.example.com therefore generated three queries from the local DNS server to locate the information source and to answer the question as illustrated in the figure below. The local DNS server is generally referred to as a recursive DNS server given its function of recursively querying other servers to track down an answer. Upon receiving an answer, the local DNS server will provide the answer back to your device so your browser can connect to the corresponding IP address, 192.0.2.54 in this case. The local DNS server also caches this answer so should another device on the network ask the same question, it may respond immediately without having to reissue the three Internet queries each time.



Question asked, answer received, what can go wrong? A sufficiently paranoid security analyst may point out the following basic exposure points in this process:
  • Your device could be misconfigured and attempt to contact an attacker’s local DNS server.
  • The local DNS server could be misconfigured or hacked rendering it unable to process queries, rendering name translation unavailable and thus the Internet unavailable.
  • An Internet DNS server could be misconfigured or hacked, leaving it in a state of providing incorrect answers, possibly misdirecting device connections or rendering Internet connections unavailable.
  • An imposter Internet DNS server could falsify and answer and redirect your device to an attacker website. And the local DNS server could provide this cached falsified answer to other devices that attempt to connect.

Now consider that a single web page likely contains numerous DNS names requiring lookup to load images, videos, scripts, ads, and other resources. Your browser issues a query for each unique name resulting in numerous queries of this sort for a single web page. So the exposure to what can go wrong is amplified.  

And that exposure results merely from legitimate users making legitimate queries. Imagine an attacker having successfully installed malware on a device within your network which can also use DNS to locate its command and control center for instructions, software updates, or to export retrieved corporate information.

How can you protect your devices, your DNS infrastructure and your network? Stay tuned for part 2 of this series to find out.

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue.
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned
Read more