The Domain Name System (DNS) is the hierarchical, distributed system that resolves hostnames and website names into the numeric addresses used to locate them on the internet. DNS works by converting a domain name (such as www.domain.com) into an IP address (such as 192.0.2.1), which lets the host the domain is served from be found on the network. Designed by the American computer scientist Paul Mockapetris in 1983, DNS is often referred to as the internet's phone book because of the function it performs, and its specifications (RFC 1034 and RFC 1035, published in 1987) were among the earliest standards adopted by the Internet Engineering Task Force (IETF).
DNS as first implemented, however, is not secure. At the time the internet did not play the role it does today, and DNS security was not a priority: queries and answers travel unauthenticated and in the clear, and a resolver has no way to tell a genuine answer from a forged one. Over the years the DNS infrastructure was also extended in various ways, which introduced further weaknesses that were not envisaged when it was created. Some of the ways malicious actors abuse DNS include:
• DNS Spoofing (cache poisoning) – inserting forged records into a resolver's cache so that later clients asking for a legitimate name are sent to an attacker-controlled address.
• DNS Tunneling – encoding other traffic or data (malware command-and-control, exfiltrated files, or even full TCP or SSH sessions) inside DNS queries and responses, so that it passes through firewalls that allow outbound DNS.
• DNS Hijacking – redirecting a user's queries to a rogue resolver, or altering a domain's records at the registrar or authoritative server, so that a legitimate website name resolves to a malicious address.
• Man-in-the-Middle Attacks – intercepting unencrypted DNS traffic in transit so that queries can be recorded and answers altered.
• NXDomain Attacks – flooding name servers with queries for random, non-existent names; because nothing is cached, every query reaches the authoritative server, which is overwhelmed and stops answering legitimate requests.
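The tunneling and NXDomain patterns above leave a recognisable trace in a resolver's query log. The following Python script is an added example, not code from the original article: it parses a few constructed log lines (the line format, the thresholds and the "last two labels" approximation of a registered domain are all assumptions) and flags domains whose many distinct subdomains carry long, high-entropy labels (tunneling) and clients whose queries are almost all NXDOMAIN (a random-subdomain flood).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query log (not real traffic). The line format is an
# assumption; adapt LINE_RE to your own resolver's query-log format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 qname=www.example.com type=A rcode=NOERROR
2024-03-01T10:00:02Z 10.0.0.5 qname=mail.example.com type=MX rcode=NOERROR
2024-03-01T10:00:03Z 10.0.0.9 qname=a3f9c2e7b1d4f6a8c0e2b4d6f8a1c3e5.t.evil-example.net type=TXT rcode=NOERROR
2024-03-01T10:00:03Z 10.0.0.9 qname=7b2d9f4e1c6a8e0b3d5f7a9c1e3b5d7f.t.evil-example.net type=TXT rcode=NOERROR
2024-03-01T10:00:04Z 10.0.0.9 qname=c9e1a3b5d7f9a1c3e5b7d9f1a3c5e7b9.t.evil-example.net type=TXT rcode=NOERROR
2024-03-01T10:00:04Z 10.0.0.9 qname=e5d7f9a1b3c5e7d9f1a3b5c7e9d1f3a5.t.evil-example.net type=TXT rcode=NOERROR
2024-03-01T10:00:05Z 10.0.0.22 qname=qzx81.example.com type=A rcode=NXDOMAIN
2024-03-01T10:00:05Z 10.0.0.22 qname=pl0w3.example.com type=A rcode=NXDOMAIN
2024-03-01T10:00:05Z 10.0.0.22 qname=mk77t.example.com type=A rcode=NXDOMAIN
2024-03-01T10:00:05Z 10.0.0.22 qname=vv2qa.example.com type=A rcode=NXDOMAIN
2024-03-01T10:00:06Z 10.0.0.22 qname=cc9dd.example.com type=A rcode=NXDOMAIN
2024-03-01T10:00:06Z 10.0.0.5 qname=nonexist.example.com type=A rcode=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) qname=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_log(text):
    """Parse query-log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption:
    a real deployment would consult the Public Suffix List instead)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_tunneling(records, min_unique=3, min_label_len=20, min_entropy=3.0):
    """Flag domains whose many distinct subdomains have long, high-entropy leftmost
    labels: data encoded into query names, the signature of a DNS tunnel."""
    names_by_domain = defaultdict(set)
    for r in records:
        names_by_domain[registered_domain(r["qname"])].add(r["qname"].lower())
    suspects = {}
    for domain, names in names_by_domain.items():
        if len(names) < min_unique:
            continue
        labels = [n.split(".")[0] for n in names]
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        mean_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            suspects[domain] = {"unique_qnames": len(names),
                                "mean_label_len": round(mean_len, 1),
                                "mean_entropy": round(mean_ent, 2)}
    return suspects


def detect_nxdomain_flood(records, min_queries=5, min_ratio=0.8):
    """Flag clients whose queries are overwhelmingly NXDOMAIN: a random-subdomain
    flood looks like this at the resolver before it hits the authoritative server."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: {"queries": total[c], "nxdomain": nx[c], "ratio": round(nx[c] / total[c], 2)}
            for c in total if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunneling suspects:", detect_tunneling(recs))
    print("nxdomain flood suspects:", detect_nxdomain_flood(recs))
```

On the constructed log the hex-encoded queries under evil-example.net are flagged as a tunnel while the short, ordinary names under example.com are not, and 10.0.0.22 is flagged for its all-NXDOMAIN burst. In production the thresholds need tuning against a baseline: CDNs and anti-spam services legitimately generate long labels, and a single misconfigured client can produce a high NXDOMAIN ratio without malice.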
To address these issues the IETF extended DNS with a new set of specifications, first published in 1997 and substantially revised in 2005 (RFC 4033, 4034 and 4035). Referred to as DNSSEC (DNS Security Extensions), these additions let a zone operator digitally sign its records, so that a validating resolver can check that an answer is authentic and unaltered. The signatures are chained from the root zone down: each parent zone publishes a DS record that commits to the child zone's signing key, so every stage of the lookup can be verified back to a single trust anchor. Note what DNSSEC does not do: it authenticates answers but does not encrypt queries, so traffic can still be observed; a poisoned or tampered answer is rejected rather than prevented from being sent.
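The link between parent and child in that chain is the DS record: a digest of the child's DNSKEY that the parent publishes and signs. The Python below is an added example, not code from the original article, and uses only the standard library to build a DS record from a DNSKEY the way a zone operator would, then performs the check a validator makes when it receives the child's DNSKEY. The owner name and the key bytes are constructed placeholders, not a real zone's key; the wire-format and key-tag rules follow RFC 4034.

```python
import hashlib
import hmac
import struct

# Digest types registered for DS records (RFC 4034 section 5.1.3 and later additions).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels lowercased,
    each prefixed with its length, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum of the RDATA that lets a
    validator pick the right DNSKEY out of an RRset. It is a hint, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build the DS record the parent zone publishes for this DNSKEY:
    (key tag, algorithm, digest type, hex digest of owner-name || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches_dnskey(owner, rdata, ds):
    """The delegation check a validator performs: does the parent's DS commit to
    exactly this DNSKEY? Unknown digest types are treated as unverifiable."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    expected = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected.lower(), digest.lower())


if __name__ == "__main__":
    # Constructed placeholder key bytes: not a real RSA key, just 32 bytes for illustration.
    fake_public_key = bytes(range(1, 33))
    ksk = dnskey_rdata(257, 3, 8, fake_public_key)  # algorithm 8 = RSA/SHA-256
    ds = make_ds("example.com.", ksk)
    print("DS %d %d %d %s" % ds)
    print("parent DS matches child DNSKEY:", ds_matches_dnskey("example.com", ksk, ds))
    # A single changed byte in the key (or an attacker-substituted key) breaks the link.
    rogue = dnskey_rdata(257, 3, 8, fake_public_key[:-1] + b"\xff")
    print("rogue DNSKEY accepted:", ds_matches_dnskey("example.com", rogue, ds))
```

To run the same check against a real zone, fetch the child's DNSKEY RRset with `dig DNSKEY example.com` and the parent's DS with `dig DS example.com`; the base64 key field of the DNSKEY, decoded, is the `public_key` argument. A DS mismatch after a key rollover is the classic way a zone goes dark for validating resolvers, which is why the comparison is worth automating in the rollover procedure.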
As well as deploying DNSSEC, network administrators made denial of service attacks harder to stage by provisioning enough capacity for address requests and by using anycast routing, which spreads queries for the same server address across many sites so that spikes in resolution traffic can be absorbed. A validating or filtering resolver adds a further layer between clients and the authoritative servers: it discards answers that fail signature checks and can refuse to resolve names known to be malicious.