Whatever the company does, DNS security should be an integral part of its security plan. Name services, which resolve network hostnames to IP addresses, are used by practically every application and service on the network.
If an attacker gains control of an organization's DNS, they can easily:
take control of the organization's public-facing resources
redirect incoming email, web requests and authentication attempts
issue and validate SSL/TLS certificates for its domains
This guide looks at DNS security from two perspectives:
Continuous monitoring and control of DNS
How newer DNS protocols such as DNSSEC, DoH and DoT help protect the integrity and confidentiality of DNS requests in transit
What is DNS security?
There are two important components to the concept of DNS security:
Ensuring the overall integrity and availability of the DNS services that resolve network hostnames to IP addresses
Monitoring DNS activity to identify potential security issues anywhere on your network
Why is DNS vulnerable to attack?
DNS technology was created in the early days of the Internet, long before anyone gave much thought to network security. DNS operates without authentication or encryption and answers requests from any client without question.
Because of this, there are many ways to deceive users and to falsify where the resolution of names to IP addresses actually takes place.
DNS Security Issues and Components
DNS security consists of several basic components, each of which must be taken into account to ensure full protection:
Server hardening and management procedures: harden the servers and create a standard commissioning template
Protocol improvements: implement DNSSEC, DoT or DoH
Analytics and reporting: feed the DNS event log into your SIEM system for additional context when investigating incidents
Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
Automation: script as many processes as possible
The above high-level components are just the tip of the DNS security iceberg. In the next section, we'll take a closer look at more specific use cases and best practices that you need to be aware of.
Attacks on DNS
DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache so that users are redirected to another location
DNS tunneling: carrying other traffic inside DNS queries and responses, mainly used to bypass protections on remote connections
DNS interception: redirecting normal DNS traffic to another target DNS server by changing the domain's records at the registrar
NXDOMAIN attack: a DDoS attack on an authoritative DNS server that floods it with queries for non-existent domains to force it to respond
Phantom domain attack: makes the DNS resolver wait for responses from domains that never answer, degrading performance
Random subdomain attack: compromised hosts and botnets DDoS a live domain but focus on bogus subdomains, forcing the DNS server to look up records and take control of the service
Domain lock-up attack: sending large numbers of junk responses to tie up DNS server resources
Botnet attack from customer equipment: a collection of computers, modems, routers and other devices that concentrate their processing power on a particular website to overload it with traffic
DNS Attacks
Attacks that use DNS as a means of attacking other systems (changing DNS records is not the end goal):
Attacks that make a DNS server return an IP address chosen by the attacker:
DNS spoofing or cache poisoning
DNS interception
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know the full context of each specific DNS request.
DNSSEC uses digital signature keys (public key infrastructure, PKI) to verify that the results of a domain name query come from a valid source.
Implementing DNSSEC is not only an industry best practice, it also effectively prevents most DNS attacks.
How DNSSEC works
DNSSEC works similarly to TLS/HTTPS, using public/private key pairs to digitally sign DNS records. A general overview of the process:
DNS records are signed with a public and private key pair
Responses to DNSSEC queries contain the requested record, together with the signature and the public key
The public key is then used to verify the record against the signature
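The three steps above, as an added illustration that is not part of the original article: a zone operator signs an RRset with the private key, and a validating resolver checks the record against the signature with the public key, so that a substituted answer fails. Ed25519 is one of the signature algorithms DNSSEC supports, but the canonical form here is a deliberate simplification of RFC 4034, and the names (example.com, Sign, Verify) are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset: the records sharing one owner name and type. DNSSEC signs the set as
// a whole (the RRSIG covers it), never a single record in isolation.
type RRset struct {
	Name, Type string
	RData      []string
}

// canonical builds a deterministic byte form (lower-cased name, sorted data) so
// signer and validator hash identical bytes. Simplified: real DNSSEC uses the
// RFC 4034 canonical wire form plus RRSIG fields (TTL, validity window, key tag).
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.RData...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "\x00" + rr.Type + "\x00" + strings.Join(data, "\x00"))
}

// Sign is the zone operator's step: produce the signature published beside the RRset.
func Sign(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Verify is the validating resolver's step, given the RRset, the signature and
// the zone's public key (DNSKEY) from the response.
func Verify(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rr := RRset{Name: "www.example.com.", Type: "A", RData: []string{"192.0.2.10", "192.0.2.11"}}
	sig := Sign(priv, rr)
	fmt.Println("genuine answer verifies:", Verify(pub, rr, sig))
	forged := rr
	forged.RData = []string{"198.51.100.99"} // substituted answer, same signature
	fmt.Println("forged answer verifies: ", Verify(pub, forged, sig))
}
```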
DNS Security and DNSSEC
DNSSEC is a tool for checking the integrity of DNS query results. It does nothing for DNS privacy. In other words, DNSSEC can give you confidence that the answer to your DNS query has not been spoofed, but anyone on the path can still see the answer as it was sent to you.
DoT - DNS over TLS
Transport Layer Security (TLS) is a cryptographic protocol for protecting information transmitted over a network connection. Once a secure TLS connection is established between client and server, the data exchanged is encrypted and no intermediary can read it.
TLS is most commonly used as part of HTTPS (SSL) in your web browser when requests are sent to secure HTTP servers.
DNS over TLS (DoT) uses TLS to encrypt what would otherwise be sent as plain UDP DNS queries.
Encrypting these otherwise plaintext requests helps protect the users or applications making them from several attacks:
MitM, or "man in the middle": without encryption, an intermediate system between the client and an authoritative DNS server could send false or dangerous information to the client in response to a request
Espionage and tracking: without encryption of requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone does not reveal the specific page visited on a site, simply knowing the requested domains is enough to build a profile of a system or an individual.
DoH - DNS over HTTPS
DNS over HTTPS (DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goals are similar to those of DoT: enhancing the privacy of people on the Internet by encrypting DNS requests and responses.
Standard DNS queries are sent over UDP, and requests and responses can be observed with tools such as Wireshark. DoT encrypts these requests, but they are still identifiable as distinct DNS traffic on the network.
DoH takes a different approach and sends encrypted hostname resolution requests over HTTPS connections that look like any other web request on the network.
This distinction has important implications both for system administrators and for the future of name resolution.
DNS filtering is a common way to filter web traffic on a corporate network to protect users from phishing, malware sites and other potentially harmful Internet activity. DoH bypasses these filters, potentially exposing users and the network to greater risk.
In the current name resolution model, every device on the network resolves names, to some extent, through the same place (a configured DNS server). DoH, and Firefox's implementation of it in particular, shows that this may change: each application on a computer could obtain answers from a different DNS source, making troubleshooting, security and risk modeling much more difficult.
What is the difference between DNS over TLS and DNS over HTTPS?
Let's start with DNS over TLS (DoT). The key point is that the original DNS protocol is not modified; it is simply carried over a secure channel. DoH, by contrast, packages DNS into HTTP format before sending requests.
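To make the distinction concrete, here is an added example (not from the original article) that builds one DNS query in ordinary wire format and then shows the two wrappings: the DoT framing defined in RFC 7858 and the DoH GET form defined in RFC 8484. The resolver endpoint https://dns.example/dns-query is a placeholder; the function names are assumptions for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// BuildQuery encodes a minimal DNS query in RFC 1035 wire format: a 12-byte
// header and one question. The ID is 0, as RFC 8484 recommends for DoH so
// that identical queries yield identical, cacheable URLs.
func BuildQuery(name string, qtype uint16) []byte {
	msg := []byte{0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, flags=RD, QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label ends the name
	msg = append(msg, byte(qtype>>8), byte(qtype))
	msg = append(msg, 0, 1) // QCLASS IN
	return msg
}

// DoTFrame is the DoT (RFC 7858) framing: the unchanged DNS message with a
// two-byte length prefix, carried inside a TLS session on TCP port 853.
func DoTFrame(msg []byte) []byte {
	return append([]byte{byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

// DoHGetURL is the DoH (RFC 8484) GET form: the same message, base64url
// without padding, in the "dns" parameter of an ordinary HTTPS request.
func DoHGetURL(endpoint string, msg []byte) string {
	return endpoint + "?dns=" + base64.RawURLEncoding.EncodeToString(msg)
}

func main() {
	q := BuildQuery("www.example.com", 1) // qtype 1 = A record
	fmt.Printf("DoT frame: % x\n", DoTFrame(q))
	fmt.Println("DoH GET:  ", DoHGetURL("https://dns.example/dns-query", q))
}
```

The DoT frame is recognizable DNS on a dedicated port, while the DoH URL is indistinguishable from any other HTTPS GET until decrypted, which is exactly why DNS-based filtering cannot see it.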
DNS monitoring alerts
Being able to effectively monitor DNS traffic on your network for suspicious anomalies is critical to early detection of a breach. Using a tool like Varonis Edge gives you the ability to stay on top of all the important metrics and to build profiles for every account on your network. You can set up alerts that fire on a combination of actions occurring over a period of time.
Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and out-of-hours activity are just a few of the metrics that can be correlated to build a broader picture for detection.
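As an added example (not from the original article, and not Varonis Edge logic), the following runs two of the detections this section implies over a small constructed resolver log: a burst of NXDOMAIN answers from one client, which is the footprint of the NXDOMAIN and random-subdomain attacks listed earlier, and a query whose first label is long and high-entropy, which is how DNS tunneling typically looks. The log format, client addresses, domain names and thresholds are all assumptions for the example.

```go
package main

import (
	"math"
	"strings"
)

// Constructed sample resolver log (not real data), one "client qname rcode" per line.
const sampleLog = `10.0.0.7 a9x3kq2zv8w1.update.example-cdn.net NOERROR
10.0.0.9 zk3h8qwe9vbn2m4c6x1p5r7t0y2u4i6o8a1s3d5f7g9h.exfil.example.org NOERROR
10.0.0.5 nonexistent-a.example.com NXDOMAIN
10.0.0.5 nonexistent-b.example.com NXDOMAIN
10.0.0.5 nonexistent-c.example.com NXDOMAIN`
type Alert struct{ Client, Reason string }
// entropy returns Shannon entropy in bits per character; encoded data scores higher than hostnames.
func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// Analyze alerts when a client's NXDOMAIN count reaches nxThreshold (NXDOMAIN /
// random-subdomain flood) and when a query's first label is long and high-entropy
// (tunneling-like). The length and entropy cut-offs are assumed starting points.
func Analyze(log string, nxThreshold int) []Alert {
	var alerts []Alert
	nx := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // skip malformed lines rather than abort the whole run
		}
		client, qname, rcode := f[0], f[1], f[2]
		if rcode == "NXDOMAIN" {
			if nx[client]++; nx[client] == nxThreshold {
				alerts = append(alerts, Alert{client, "NXDOMAIN burst: " + qname})
			}
		}
		if label := strings.SplitN(qname, ".", 2)[0]; len(label) >= 30 && entropy(label) > 3.5 {
			alerts = append(alerts, Alert{client, "tunneling-like query: " + qname})
		}
	}
	return alerts
}
```

The short random-looking CDN label in the sample stays under the length cut-off, which is the kind of benign noise a real baseline has to tolerate before thresholds are tightened.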