DNS and Email Security

Posted by Eric Parker

Introduction

DNS is the Internet's phonebook: at its simplest it is queried for the IP address associated with a human-readable, memorable name. But it does a lot more than that, as this article explains. If you have not yet read our previous article, do so here: DNS and its Security Implications. In this post we look at DNS from an email security perspective.

DNS For Email Security



Examining email domain

An email address is something we are all familiar with; its most notable part is the @ character. The part after the @ is the domain name, and as IT/security professionals we can examine that domain directly with dig:


$ dig -t mx gmail.com
;; QUESTION SECTION:
;gmail.com. IN MX

;; ANSWER SECTION:
gmail.com. 3454 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 30 alt3.gmail-smtp-in.l.google.com.

;; Query time: 35 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Sep 14 17:33:47 IST 2020
;; MSG SIZE rcvd: 161

The answer section lists the hostnames of the mail servers (the inbound MTAs) that a sending server must connect to in order to deliver mail to a Gmail address. Note that none of them is gmail.com itself.

The numbers 20, 5, 40 and so on in front of the hostnames are the MX preference values, often loosely called weights or priorities. The lower the number, the higher the priority: a sender tries gmail-smtp-in.l.google.com (5) first and falls back to the alt hosts in increasing order. Most domains publish far fewer MX records than Gmail does; one or two is typical.

These are MX records, short for mail exchanger. The good news is that most mail today travels between servers over encrypted channels (SMTP with STARTTLS), although the messages themselves are not encrypted or protected: every server on the path stores and processes them in the clear, and STARTTLS is opportunistic, so a fallback to plain text is possible unless something like DANE (covered below) forbids it.

What this means is that the mail server can read the message body. Only those who use end-to-end encryption such as GnuPG (OpenPGP) or S/MIME keep the body unreadable to the servers in between, and even then the headers, including sender, recipient and subject, remain visible. Moving mail through an encrypted tunnel also does nothing against the other class of email attack: a message that is genuinely delivered over TLS but whose claimed sender is forged.

But we started off talking about DNS, didn't we? This article focuses purely on the email-related aspects of DNS-based security systems. What are they?


DNS and email security

First of all, as you can see above, email uses DNS at two levels: the domain in the email address itself, and then the MX lookup on that domain to find the servers that accept mail for it. DNS comes into play in several more places. The IP addresses and hosts allowed to send mail on behalf of a domain are published in its SPF record (Sender Policy Framework), which is a DNS TXT record at the domain itself: a record such as v=spf1 ip4:192.0.2.0/24 -all says that only that /24 may send mail claiming this domain in the SMTP envelope, and that everything else should fail.

This lets a receiving server reject mail whose envelope sender (the SMTP MAIL FROM) claims a domain that has not authorized the connecting IP, which is one defence against forged sender domains. But it is not enough on its own. SPF checks the envelope sender, not the From: header the user actually sees; it breaks when mail is forwarded by a third party; and it says nothing about whether the message was altered in transit. Over time many more problems surfaced that SPF alone could not fix.
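To make the SPF check described in the two paragraphs above concrete, here is an added example (not code from the original post) of how a receiving server evaluates a sender's IP against a domain's SPF TXT record. The record and the IP addresses are constructed for illustration; the function assumes the record has already been fetched from DNS and only handles the ip4, ip6 and all mechanisms, because include:, a, mx and exists need live lookups.

```python
import ipaddress

# Constructed SPF record for an imaginary domain (assumption, not a real record).
# ~all is a "softfail": unlisted senders are suspicious but not outright rejected.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:abcd::/48 ~all"

# SPF qualifier characters and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Modifiers (redirect=, exp=) are kept as ("modifier", text) so a caller can see them,
    but they are not evaluated here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.net
            parsed.append(("modifier", term))
            continue
        qualifier = "+"                      # no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Mechanisms are tried left to right; the first one that matches decides the result.
    Anything that would need a DNS lookup is reported as unsupported instead of guessed.
    """
    ip = ipaddress.ip_address(sender_ip)
    for term in parse_spf(record):
        if term[0] == "modifier":
            continue
        qualifier, name, arg = term
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "unsupported:" + name
    # RFC 7208: no mechanism matched and no "all" present means neutral.
    return "neutral"


if __name__ == "__main__":
    for candidate in ("192.0.2.25", "2001:db8:abcd:1::5", "198.51.100.7"):
        print(candidate, "->", check_spf(SPF_RECORD, candidate))
```

The important design point is the last mechanism: with ~all a forged message from 198.51.100.7 only softfails, so many receivers will still deliver it (perhaps to spam), whereas -all produces a hard fail. Run the same IP against both variants to see the difference.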

DKIM and DMARC come to mind. DKIM is DomainKeys Identified Mail; DMARC is Domain-based Message Authentication, Reporting and Conformance. Both are DNS measures because both publish their data as DNS TXT records: a DKIM public key lives at <selector>._domainkey.<domain>, and a DMARC policy at _dmarc.<domain>. Keep in mind that although humans work with domain names, packets do not: all traffic, whether voice, email or video, travels as IP packets between IP addresses, and a domain name only enters the picture through DNS lookups.

So how does DNS help?

It works like this. Mail travels between two MTAs, and each of those mail servers has its own hostname, which is usually different from the domain in the email address, as we saw with gmail.com and gmail-smtp-in.l.google.com. The receiving MTA therefore needs a way to tie the connecting host, and the message it delivers, back to the domain that claims to be sending it. DNS, which the domain owner controls, is where that link is published.

Using cryptographic primitives such as symmetric keys and public/private key pairs, we sign emails and DNS records so that others can verify that we are the originator of the signature. With DKIM, the sending domain signs selected headers and the body with its private key, and the receiver fetches the matching public key from DNS to verify the signature; this detects tampering in transit and ties the message to the signing domain. DMARC then connects the pieces: it tells receivers whether the domain in the visible From: header must align with the SPF-authenticated domain or the DKIM signing domain, what to do with mail that fails (none, quarantine or reject), and where to send aggregate reports.
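The alignment and policy logic described in the two paragraphs above is mechanical enough to show in code. The following is an added example, not code from the original post: it parses a constructed DMARC TXT record and decides pass/fail and the disposition from the SPF and DKIM results a receiver has already computed. The record, domains and results are all constructed; the organizational-domain helper is a deliberate simplification (last two labels) that a real implementation replaces with a Public Suffix List lookup, and the pct= sampling tag is parsed but not applied.

```python
# Constructed DMARC record for an imaginary domain (assumption, not a real record).
# p= applies to the domain itself, sp= to its subdomains; aspf=s demands strict SPF
# alignment while adkim=r allows relaxed (organizational-domain) DKIM alignment.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; pct=100; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict, filling in the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption).

    Real receivers consult the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the From: header domain?

    mode 's' (strict) requires an exact match; 'r' (relaxed) only requires the same
    organizational domain, so a DKIM d=mail.example.com signature covers From: example.com.
    """
    if auth_domain is None:
        return False
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition).

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain is the d=
    value of a verified DKIM signature (None if there was no valid signature).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failure: the subdomain policy applies when From: is not the organizational domain
    # itself (simplification of the record-discovery rules in RFC 7489).
    policy = tags["p"]
    if from_domain.lower().rstrip(".") != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    # A forged message: SPF passed, but for the attacker's own envelope domain.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "attacker.example", None, None))
```

The forged-message case at the bottom is exactly the gap SPF leaves on its own: the attacker's envelope domain passes SPF, but because it does not align with the example.com in the From: header, DMARC fails the message and the domain's p=reject policy asks the receiver to drop it.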

There is also DNSSEC and DANE (DNS-based Authentication of Named Entities). DNSSEC signs the DNS records themselves, so the SPF, DKIM and DMARC data above cannot be swapped out by a forged DNS answer. DANE builds on it: the domain publishes a DNSSEC-signed TLSA record for its mail server that pins the certificate a sending MTA must see when it connects with STARTTLS, so an attacker on the path can neither strip the encryption nor present a certificate of their own. The popular email systems of the world support most of the measures mentioned above. Spam filtering and phishing protection are additional measures employed by email security folks, layered on top of this authentication.

The DNS system as a whole is built from authoritative name servers (primary and secondary) that hold the records for a zone, and recursive resolvers that look answers up on behalf of clients. At the top sit the 13 root server identities, each served by many anycast instances worldwide. Registrars allocate domain names, and each domain carries many records: aliases (CNAMEs), subdomains, MX, TXT and so on.

In a trusted environment neither email nor DNS needed protection: both protocols were designed without authentication and assumed honest participants. On today's Internet, where billions of dollars change hands over these channels, the security of email and DNS is both relevant and crucial, and, as we saw in this article, the two depend on each other to a great extent.


Further

In a future post we shall explore the specifics of the above measures, to understand more about how Internet security works with the commonplace software we so often take for granted. We shall cover more such topics as time goes on.




Written by Eric Parker

Eric is an energetic principal engineer capable of meaningful, customer-focused technical and non-technical interactions. He is heavily focused on enterprise security, with extensive experience in network user behavior analysis (UBA), log security monitoring, security architecture, orchestration, analysis, policy and implementation, regularly meeting customer and corporate business needs. He is always interested in finding new ways to integrate ML & AI tools into meaningful, actionable events, and works at the bleeding edge of the security landscape as it relates to monitoring, bots, fraud detection, account takeover, unauthorized user activity, and business logic abuse.