DNS - Do Not think it's Simple
In our recent series of articles, we talked about network security-related tools and techniques one needs to be aware of to build a cybersecurity career. Next, we will cover DNS and its related security implications!
DNS, or Domain Name System, translates domain names to IP addresses, so your browser/s can find what you searched. DNS resolvers are usually stub resolvers, which means that the full DNS records lie elsewhere.
The idea that you can convert names that humans can remember into IP addresses, (nowadays IPv4 or IPv6) from a simple website or domain name, is as old as the hills for Internet time. As easy as the idea sounds, it is quite a complicated algorithm, and the programs used, run on distributed computers all interconnected do this simple task. Getting this to work is not easy in technical terms as each domain name’s knowledge is decomposed into subdomains and the top-level name servers. There are also children pages to think about and subpages on those. This process is a typical use case for recursion that is taught in computer science courses worldwide. Suffice it to say that the outwardly simple task of converting a name into a computer logical IP address is not quite as easy as it looks.
DNS is an essential component of the early Internet, and today, it has grown to be relatively more sophisticated, though its core purpose has not changed. DNSSEC (Domain Name System Security Extensions) is the evolution that strengthens authentication in DNS using digital signatures based on public-key cryptography. In DNSSEC, there is no confidentiality or encryption involved, only data authentication and integrity mechanisms, which means that only fingerprinting or data origin authentication involves using public-private keypairs.
To perform these actions the private key of the signing entity is kept confidential, they instead perform signed responses to DNS queries, which can be validated by anyone with access to the public key. This ensures the DNS records are created by the authoritative entity and not some rogue entity sitting in between them.
Resolution and Attacks
The successful adoption of secure DNS implementation worldwide has been a challenge; it is difficult to ensure everyone follows the same cryptographic techniques needed to make the secure DNS work. Due to this, there is a bit of fuzz logic being told by DNS servers to ensure backward compatibility. Because of this fuzz connection and since many machines need to find a roundabout way of connecting (other than the intended way), we have to be more mindful of cyber threats that could become a challenge during multiple parts of the process. DNSSEC attempts to resolve a wide range of issues but focuses on the validity of where the query is coming from to create a secure connection.
Another large part to consider in this process is caching. Caching is the storage of a data layer to load things faster in subsequent searches. Most of the DNS traffic that we see on the Internet is from a cached entity. Since DNS does not change frequently, caching makes sense, however, this storage layer can become injected with malicious data, leading to malvertising or phishing attempts.
DNS attacks could lead to financial losses. By creating fake links or even replacing a section of what is cached, malicious actors can mimic a real website’s look and feel (Spoofing). For example, asking people to log into their accounts via a fake banking website allows them to steal your passwords, though this is a lot hard to do now-a-day. For larger corporate entities, DNS attack vectors manipulation can lead to botnet attacks. Most of the DNS attacks work on either the local DNS server or launch an attack by rewriting DNS responses.
The fact that DNS is the most used service on the Internet makes it very vulnerable to causing a lot of confusion. To ensure this doesn’t happen, we must check for a compromise by monitoring the purity of the data and cache. This is not easily detectable as a cache poisoning attack stays only till the cache is refreshed. The ability to protect us from malicious modification of the DNS entries does not lay only with us but for outside servers.
Next and Future
DNS in itself is not an end goal, it is a means to an end and so one must be careful in how much you trust the infrastructure. As we migrate to an IoT enabled world and also run critical infrastructure over it, it remains to be seen how things will hold up to that challenge when more traffic is consumed through automatic processes rather than by humans. Humans may alert others and an organizations when we see a phishing website, but automatic processes may not. This means that in the future malicious actors interacting with DNS maybe hard to catch.
In the next article, we will look into some open source tools and common ideas to check the websites a person browses and what is queried in the background. It could be fun, surprising, or even scary!
Did you enjoy this content? Follow our linkedin page!