Monday, December 7, 2015

Security issues of DNS


We cannot remember IP addresses of all servers connected to the internet and so we use DNS or Domain Name System. We type the server name in our address bar and DNS does the rest of the job to get the IP address of the server.

But, DNS also is vulnerable to attacks. Imagine your computer made a DNS query and got a wrong response containing IP address of the attacker's machine?

Research shows, there are mainly two types of DNS attacks :

  • Protocol Attack : attacks based on how DNS works
  • Server Attack : attacks based on bugs or flaws of DNS programs or the machines running DNS services

We will look into these attacks in more detail. First, let's have a look on how DNS works actually.





How DNS Servers Work


Suppose we want IP address for some.dns.example.com. We will make a DNS query to a DNS server. Now, the DNS query can be a recursive one or an iterative one. For a recursive query, the DNS server will respond to the query with an answer. If it itself does not have the answer, it will ask other servers. For an iterative query the server immediately responds with the answer or says, it does not have the answer, in which case the query is redirected to another DNS server.

In our example, the host will first make a query to the server authoritative for .com domain. After that the query will get redirected to example.com. The server authoritative for the domain example.com should have the IP address mapping for some.dns.example.com or will redirect to the server authoritative for answering the query, in which case it is dns.example.com. And finally the query will get answered.



Protocol Attack 


Protocol Attack is mainly done by poisoning the DNS cache of the server, so that the server contains a wrong mapping to an IP address, in this case, containing a mapping to the IP address of the attacker's machine.

To give an example, a hacker can make a recursive DNS query for a non-existent query mapping. The DNS server will eventually ask the server responsible for that domain to answer that query. If that server is controlled by the attacker, the attacker will respond with any data it wants to be cached in the DNS server.

But good thing is, this attack is quite old and does not work with BIND anymore.

But, an attacker can do DNS Spoofing. In this case, the attacker intercepts the DNS query made by the host to the DNS server and replies the host with its own answer.

But, this is not so easy. Every DNS query is associated with a ID number. To respond to the host with a spoofed answer, the attacker has to hack that ID also. Normally, the attacker does it through DNS ID hacking.

A popular method is, the attacker guesses the ID and replies with spoofed answer with those guessed IDs. At the same time, it floods the DNS server with lots of queries, so that it takes some time for the DNS server to respond to the actual query of the host. By that time, the host gets a spoofed response from the attacker and when the DNS server sends the actual reply, the host rejects it.



Server Attack


Another type of attack is Server Attack. This mainly happens because of bugs in DNS software implementation, which the attacker exploits.

Denial of Service or DoS attack is also a type of Server Attack. Just to give an example, in DNS Amplification Attack, which is a type of DoS attack, the attacker sends lots of DNS query to a DNS server, but forges the IP address of the victim machine as source IP. As a result, the DNS server ends up sending all the responses to the victim machine, flooding it with responses and consuming its bandwidth.



Countermeasures

We can take a couple of steps to counter these attacks :

  • DNS server can forbid recursive DNS queries.
  • DNS software must be updated regularly. New patches should be applied as soon as they release and BIND should be updated regularly.
  • We can use Split DNS Architecture. In this case, one external DNS is responsible for name-to-ip mapping of all external hosts of the domain for which the DNS is responsible for. Another DNS is responsible for answering queries of internal or trusted hosts. In this way, even if the external DNS is affected, it won't affect the service provided to the internal hosts.


This was an informative article on security issues of DNS. Hope you enjoyed it.





No comments:

Post a Comment