Improve Your Cybersecurity

DNS Security 101

DNS is one of our oldest protocols on the internet, and as such, has a number of vulnerabilities that security researchers are working on mitigating. In this post, we will explore what DNS is, and how we can secure it.

The internet was invented largely by hippies, and during its conception and early years, functionality was paramount and security was secondary.

In modern times, security practitioners are having to revisit the internet’s original structure and build new mechanisms on top of old protocols to keep the web as secure as possible.

DNS is one such protocol. That’s why I have invested my Sunday afternoon writing this piece to explain what DNS is, its history, how it is exploited, and how it can be secured.

We will start off by exploring what DNS is and its history (feel free to skip that bit), then move on to how it can be exploited, and ultimately how it can be secured.

What is DNS?

DNS, or the Domain Name System, is one of the oldest protocols in the internet’s history. Put simply, every website resides on a server that has an IP address (such as 192.168.0.0). A domain name is what you enter when visiting a website, such as google.com or aitkensecurity.com.

DNS resolution is the process of matching a domain name to a specific server’s IP address. For instance, google.com may reside at 8.8.8.8.

Without DNS, visitors would need to remember the exact IP addresses of each website they wanted to visit, instead of the website’s domain. 

Does that make sense? I hope so. You can drop me a message on my Instagram if not and I will happily elaborate further. 

The history of DNS (feel free to skip this bit)

Now that I have established what DNS is, it may be worthwhile to briefly explore the history of this protocol and how it has evolved into its contemporary form. This is not essential reading, however – feel free to skip ahead to the DNS Security section.

The origins can be traced back to the nascent days of the ARPANET, the precursor to the modern internet, where the need arose for a decentralised and scalable method of mapping domain names to IP addresses. Let’s embark on a journey through the fascinating history of DNS, tracing its evolution from humble beginnings to its pivotal role in shaping today’s interconnected world.

Early Roots: ARPANET and HOSTS.TXT

In the late 1960s and early 1970s, as researchers began connecting computers on the ARPANET, the need arose for a system to manage hostnames and IP addresses. Initially, a simple text file called HOSTS.TXT was manually maintained, containing mappings of hostnames to IP addresses. However, as the ARPANET grew, this centralized approach became untenable, leading to the development of a distributed system for hostname resolution.

The Birth of DNS: RFC 882 and RFC 883

In 1983, the DNS as we know it today was born with the publication of Request for Comments (RFC) 882 and RFC 883 by Paul Mockapetris. These seminal documents outlined the specifications for a hierarchical naming system and a distributed database for mapping domain names to IP addresses. DNS introduced the concept of domain names organised into a hierarchical tree structure, with each level represented by a domain name server responsible for resolving queries within its domain.

Expansion and Standardisation: RFC 1034 and RFC 1035

Throughout the 1980s and early 1990s, DNS continued to evolve and expand in scope. In 1987, RFC 1034 and RFC 1035, collectively known as the “Domain Names – Concepts and Facilities” and “Domain Names – Implementation and Specification” documents, respectively, were published, refining the DNS architecture and establishing the protocols and standards still in use today. These RFCs introduced concepts such as resource records, DNS message format, and the DNS query process, laying the foundation for the modern DNS ecosystem.

Commercialisation and Global Adoption

As the internet expanded beyond academic and research communities into the commercial realm in the 1990s, DNS became a critical component of the burgeoning World Wide Web. The introduction of commercial domain registrars and the adoption of domain names for branding and marketing purposes further fueled the growth of DNS. Today, DNS is a ubiquitous and essential component of the internet infrastructure, supporting the seamless navigation of billions of websites and services worldwide.

Modern Challenges and Innovations

In the face of evolving cyber threats and the increasing complexity of internet services, DNS continues to evolve to meet the demands of the digital age. Innovations such as DNSSEC (Domain Name System Security Extensions), Anycast routing, and DNS over HTTPS (DoH) aim to enhance security, resilience, and privacy in the DNS ecosystem. Additionally, efforts to improve DNS performance and scalability, such as the deployment of DNS root server anycast networks, underscore the ongoing commitment to ensuring the reliability and efficiency of DNS services.

DNS Security Overview

Now that we have discussed what DNS is and where it came from, it’s time to look at how DNS can be secured.

DNS traditionally uses TCP and UDP Port 53, and has always been an inherently insecure protocol. It is vulnerable to Domain Hijacking, URL Redirections, DNS Cache Poisoning, among a number of other nasty security weaknesses that can cause all sorts of problems for businesses and private individuals alike.

I will start by explaining some of the key DNS vulnerabilities, before moving on to the mitigations that security practitioners can use to secure their DNS Systems.

What is Domain Hijacking?

Domain hijacking is when an attacker takes full control over an organisation’s domain name without their permission or knowledge. Let’s imagine, for example, that aitkensecurity.com falls victim to a domain hijacking attack.

I could forget to renew my domain’s annual fee with my hosting provider, and this could result in someone else taking control of my domain. This poses a number of security threats: someone could steal my website’s traffic and redirect it to their own website, they could impersonate me, or even worse, they could register email addresses under my domain and take over all of my email accounts.

Sounds nasty? Well, it is indeed.

An attacker could also gain access to the account that holds my domain and its DNS records and initiate a transfer without my consent or without updating the domain’s contact records.

What are DNS URL Redirections?

DNS URL redirections, also known as DNS redirection or DNS forwarding, involve an attacker redirecting traffic heading towards my domain to a server or resource under their control.

Unlike traditional redirects via the HTTP protocol, DNS URL redirects occur at the DNS level, so traffic is redirected before it even reaches the web server.

Similar to Domain Hijacking, this type of attack is often done through a takeover of the account hosting the domain name.

What is DNS Cache Poisoning?

A third type of attack against the DNS system is cache poisoning. To understand this attack, we must first explore what a cache is in the first place. I will draw an analogy with browser caching as an example.

When you visit a website multiple times, your browser can keep a locally stored cache on your computer. This means that the website can be served up faster than it would be if your computer had to query the server every time you wanted to access a resource. Without caching, it would take much longer to access the resources you are looking for on the web.

Now that we’ve explored the concept of caching in the context of web browsers, let’s shift our focus to caching within the Domain Name System (DNS). Much like how your browser stores frequently accessed website data locally to speed up future visits, DNS resolvers also maintain caches of recently resolved domain names and their corresponding IP addresses.

When you type a website address into your browser, your device sends a DNS query to a DNS resolver, which then searches its cache for the corresponding IP address. If the resolver finds a match in its cache, it can quickly return the IP address without having to query authoritative DNS servers, resulting in faster website access.

DNS cache poisoning takes place when an attacker plants a false record in a resolver’s cache, redirecting traffic to a source under their control.

An attacker sends false information to the DNS resolver—a sort of “map” for the internet. This false information tells the resolver that a website’s address is something other than what it actually is. As a result, when you try to visit the website, your device gets directed to the wrong place—the attacker’s website instead of the legitimate one.
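The defence against the forged answer described above lives in the resolver: it must only accept a response that matches an outstanding query on transaction ID, source port, server address and question, and must ignore records outside the queried server’s zone. The toy resolver below is an added example, not code from the original post; the address and zone values are constructed placeholders.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int          # 16-bit transaction ID
    src_port: int      # UDP source port the query left from
    qname: str
    zone: str          # zone the queried server is authoritative for
    server_ip: str

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    src_ip: str
    answer_name: str   # owner name of the record in the answer section
    rdata: str         # e.g. the IPv4 address of an A record

def in_bailiwick(name: str, zone: str) -> bool:
    """Accept only records at or below the zone the queried server serves."""
    return name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self):
        self.cache = {}    # qname -> rdata
        self.pending = {}  # (txid, src_port) -> Query

    def send_query(self, qname: str, zone: str, server_ip: str) -> Query:
        # Random ID plus random source port: roughly 2^32 combinations an
        # off-path forger would have to guess, instead of 2^16 (RFC 5452).
        q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64511),
                  qname, zone, server_ip)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, r: Response) -> str:
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            return "rejected: no outstanding query with this ID and port"
        if r.src_ip != q.server_ip:
            return "rejected: response not from the server we asked"
        if r.qname != q.qname:
            return "rejected: question section does not match"
        if not in_bailiwick(r.answer_name, q.zone):
            return "rejected: out-of-bailiwick record ignored"
        self.cache[r.answer_name] = r.rdata
        del self.pending[(r.txid, r.dst_port)]
        return "accepted"
```

Only the first matching, in-bailiwick answer is cached; once it arrives the pending entry is dropped, so a late duplicate with the same ID is rejected too.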

What is a DNS Amplification attack?

In a DNS amplification attack, the attacker sends a large number of DNS queries with spoofed source IP addresses to open DNS resolvers. The resolvers then respond to these queries with much larger responses, amplifying the volume of traffic directed at the victim’s server, often resulting in a Distributed Denial of Service (DDoS) attack.

Imagine you’re at a concert, and you want to make your voice heard above the crowd. You could shout louder, but that might strain your vocal cords. Instead, you decide to use a megaphone. By speaking into the megaphone, your voice is amplified, reaching a larger audience without exerting as much effort.

In a similar way, DNS amplification involves using the inherent properties of the DNS protocol to amplify the volume of internet traffic directed at a target. Instead of sending individual requests directly to the target server, the attacker sends a small number of carefully crafted DNS queries to open DNS resolvers. These resolvers then respond with much larger DNS responses, effectively amplifying the volume of traffic directed at the target. It’s like using a megaphone to amplify a message, but in this case, the message is internet traffic, and the megaphone is the DNS infrastructure.

What is a DNS Tunneling attack?

DNS tunneling is a technique used to bypass network security measures by encoding data within DNS queries and responses. Attackers can use DNS tunneling to exfiltrate sensitive data from a compromised network or to establish covert communication channels with command and control servers.

Imagine you’re sending secret messages to a friend using invisible ink. To outsiders, it looks like you’re just writing normal letters. However, your friend knows to look for the invisible ink and can decode the hidden messages. In this scenario, the letters are like DNS queries and responses, while the invisible ink represents encoded data hidden within them.

DNS tunneling works similarly to hiding messages in invisible ink. Instead of using DNS for its intended purpose of resolving domain names to IP addresses, attackers encode data within DNS queries and responses. These encoded messages can then be transmitted across the network undetected, bypassing traditional security measures. It’s like hiding sensitive information within seemingly innocent DNS traffic, creating a covert communication channel that evades detection by network security systems.
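On the detection side, the "invisible ink" shows up in resolver logs as long, high-entropy subdomains and bulky record types repeated against one domain. The script below is an added example, not from the original post: it scores each query name and flags domains that receive several distinct suspicious queries. The log lines and the domain tunnel-example.invalid are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the post): "<client> <qname> <qtype>".
# The 32-character labels stand in for encoded data; the domain is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 abcdefghijklmnopqrstuvwxyz234567.t.tunnel-example.invalid TXT
10.0.0.7 bcdefghijklmnopqrstuvwxyz234567a.t.tunnel-example.invalid TXT
10.0.0.7 cdefghijklmnopqrstuvwxyz234567ab.t.tunnel-example.invalid TXT
10.0.0.7 defghijklmnopqrstuvwxyz234567abc.t.tunnel-example.invalid TXT
10.0.0.5 cdn.static-assets.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, real words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def split_qname(qname: str):
    """Naive split into (subdomain part, registered domain = last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_suspicious(sub: str, qtype: str, min_len=30, min_entropy=3.5) -> bool:
    # Long, high-entropy subdomains carry data out; TXT/NULL answers carry it back.
    long_and_random = len(sub) >= min_len and shannon_entropy(sub) >= min_entropy
    bulky_answer_type = qtype in ("TXT", "NULL") and len(sub) >= min_len
    return long_and_random or bulky_answer_type

def find_tunnel_candidates(log_text: str, min_queries=3):
    """Return [(domain, count)] for domains with many distinct suspicious names."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        sub, domain = split_qname(qname)
        if is_suspicious(sub, qtype):
            flagged[domain].add(qname)
    return sorted((d, len(q)) for d, q in flagged.items() if len(q) >= min_queries)

if __name__ == "__main__":
    for domain, count in find_tunnel_candidates(SAMPLE_LOG):
        print(f"possible DNS tunnel: {domain} ({count} suspicious queries)")
```

The thresholds are starting points to tune against your own baseline; a real deployment would also use a public-suffix list instead of the two-label split.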

Enter DNSSEC: The process of securing DNS

By now, we have explored what DNS is and the range of attacks that can be used against the Domain Name System. 

DNSSEC has been in existence for some time and uses the same port numbers as I explained before. The difference is that all DNS Zones have certificates. It uses cryptographic signatures to verify the authenticity and integrity of DNS Data.

In DNSSEC, each DNS zone (e.g., aitkensecurity.com) is equipped with cryptographic keys and certificates. These keys are used to ‘sign’ the DNS records within the zone, creating digital signatures that can be validated by DNS resolvers. When a DNS resolver receives a DNS response from a DNSSEC-enabled domain, it can verify the digital signature using the corresponding public key obtained from the domain’s DNSKEY (DNS Key) record.

By validating DNSSEC signatures, DNS resolvers can ensure that the DNS data they receive has not been tampered with or spoofed en route. This helps to prevent DNS cache poisoning attacks and ensures that users are directed to legitimate websites, reducing the risk of falling victim to DNS-related threats.
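Before a resolver trusts a zone’s DNSKEY, it checks that the parent zone’s DS record points at that key: the DS carries the key tag and a digest of the DNSKEY. The block below is an added example, not code from the post, implementing the key tag from RFC 4034 Appendix B and the SHA-256 DS digest from RFC 4509 over a constructed placeholder key (not a real key).

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner-name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def child_key_is_trusted(owner: str, rdata: bytes, parent_tag: int, parent_digest: str) -> bool:
    """The chain-of-trust check a validating resolver performs: the DS published
    in the parent zone must name this key (tag) and match its digest."""
    return key_tag(rdata) == parent_tag and ds_digest_sha256(owner, rdata) == parent_digest.lower()

# Constructed placeholder key bytes (not a real key) so the block runs offline.
FAKE_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))  # 257 = KSK flags, 13 = ECDSAP256SHA256

if __name__ == "__main__":
    tag = key_tag(FAKE_KSK)
    digest = ds_digest_sha256("example.com.", FAKE_KSK)
    print(f"example.com. IN DS {tag} 13 2 {digest}")
    tampered = dnskey_rdata(257, 3, 13, bytes([0xFF]) + bytes(range(1, 64)))
    print("legit key trusted:", child_key_is_trusted("example.com.", FAKE_KSK, tag, digest))
    print("tampered key trusted:", child_key_is_trusted("example.com.", tampered, tag, digest))
```

A swapped or tampered DNSKEY changes both the tag and the digest, so it fails the DS check and the resolver treats the zone’s signatures as bogus.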

DNS Firewalls, another method of securing DNS

DNSSEC is not the only method of securing the Domain Name System. Firewalls are also an option.

The DNS firewall acts as a buffer, positioned snugly between a user’s recursive resolver and the authoritative nameserver of the website or service they’re aiming to access. It’s like the vigilant guard at the gate, ready to thwart any malicious attempts to overload the server.

Should the server face downtime due to an attack or other reasons, the DNS firewall steps in heroically, ensuring that the operator’s site or service remains operational by swiftly serving up DNS responses from its cache.

But that’s not all! Apart from its security prowess, the DNS firewall also boasts performance-enhancing capabilities. It can turbocharge DNS lookups, delivering lightning-fast results, and even trim down bandwidth costs for the DNS operator. It’s like having a trusty ally that not only defends your digital fortress but also optimises its performance for smoother operations.

Basic housekeeping for DNS security

This next tactic is super simple, yet often overlooked: secure the account that hosts your domain name. If you are a small business, you will often have your domain name kept within an account of a registrar, such as GoDaddy. It is imperative that this account is kept secure. Ensure that your domain is configured to autorenew, and that you have a valid debit card associated with your account.

DNS Privacy: Is DNS Private?

Another pressing concern in DNS security revolves around user privacy. Unlike much other internet traffic, DNS queries are traditionally transmitted without encryption, meaning they travel over the internet in plain text. Even if users opt for a DNS resolver like 1.1.1.1, known for its privacy-centric approach, their DNS queries remain vulnerable to interception.

This lack of encryption not only poses security risks but also raises significant privacy concerns. Intercepting DNS queries allows malicious actors and even governments to monitor users’ online activities, potentially leading to censorship and privacy violations.

To address this issue, two encryption standards have emerged: DNS over TLS and DNS over HTTPS. These protocols encrypt DNS queries, shielding them from prying eyes and safeguarding users’ privacy. By encrypting DNS traffic, these standards bolster online security and protect users’ fundamental rights to privacy and freedom of expression.

Some VPN providers, such as NordVPN, will provide anonymised DNS servers. You can learn more about how VPN services work in the article I wrote on that subject.

Wrapping it all up!

Throughout this article, it should have become evident that the fundamental principles, protocols, and technologies that form the bedrock of the internet are inherently insecure. Over the years, security practitioners have essentially patched over some of the vulnerabilities present within our systems.

Whilst DNS is a service that every single internet user uses every day, it is still an insecure system. However, through the techniques I have listed towards the conclusion of this article, webmasters and private individuals can take proactive steps towards securing their DNS systems.
