Audit Domain Name System (DNS)
Domain Name System (DNS)
Domain Name System (DNS) is a hierarchical naming system built on a distributed database. It translates a human-readable domain name (eirajamin.com) into the corresponding IP address of the server that hosts it. Today, the standards for DNS are maintained by the Internet Engineering Task Force (IETF) in RFC 1035.
Attack statistics and impact on business
- DNS is now the most commonly targeted service in application-layer attacks, accounting for 78% of them.
- 84% of reflection/amplification attacks use DNS.
- $500 per minute: cost of internet downtime caused by a DDoS attack.
- $1.5M: average total cost per year of dealing with DDoS attacks.
Sources:
1. Arbor WISR 2016 report
2. Ponemon Institute study, The cost of denial-of-service attacks, March 2015
The bank’s consumer and commercial products (Internet Banking, Corporate Web Services) depend on the bank’s domain names (subdomains such as ib.habibmetro.com); if these are unavailable, the result is business disruption.
Our internal subdomains are also at risk if they are compromised through internal attacks.
How DNS Servers Work
The DNS directory is distributed worldwide and stored in special servers called DNS servers (i.e., “domain name servers”) that are interconnected and communicate regularly to synchronize directory information and provide redundancy.
DNS servers and IP addresses
A DNS server stores specific information that pairs a domain name with particular IP addresses. A domain may have one or hundreds of IP addresses associated with it. Amazon.com, for example, has thousands of servers across the globe, and the physical server that a user connects to within one country is likely completely different from the one another user elsewhere in the world reaches. The global nature of Internet services requires a network of distributed and scalable DNS servers to ensure that users can quickly look up and resolve the requested server’s location, wherever they are around the globe.
The DNS Lookup Process
The purpose of DNS is to translate a domain name into the appropriate IP address. This is done by looking up the DNS records of the requested domain. There are typically eight steps in this DNS lookup process that follow the information path from the originating web browser to the DNS server and back again. In practice, DNS information is often cached to reduce the DNS lookup response time. When the DNS information is not cached, the eight-step lookup process is as follows:
- A user enters a domain name (e.g., facebook.com) into their browser, and the browser sends the query via their internet service provider (ISP) to a DNS recursive resolver.
- The DNS recursive resolver, in turn, sends a query to the root DNS nameserver (.).
- The root server returns to the resolver the address of the top-level domain (TLD) nameserver that has the needed information for the facebook.com domain. (Examples of a TLD include “.com”, “.net”, and “.org”, with each TLD having its own nameservers.)
- In turn, the resolver sends the information request to the TLD nameserver (in this case, the “.com” TLD nameserver).
- The TLD nameserver responds to the resolver with the IP address of the domain’s nameserver (in this case, the DNS server for “facebook.com”).
- Next, the DNS recursive resolver sends the query to the domain’s DNS server.
- The domain’s DNS server then returns the IP address for the requested domain (e.g., “facebook.com”) to the DNS resolver.
- Finally, the DNS resolver returns the IP address of the requested domain to the requesting web browser. The browser sends the HTTPS request to that IP address, and the server with that address returns the webpage, which renders in the user’s browser.
Types of DNS Services
There are two primary types of services that DNS servers provide: Authoritative DNS and Recursive DNS. Both are integral to the DNS infrastructure, but each serves a different purpose during a DNS query: the recursive DNS server sits at the beginning of the query and the authoritative DNS server at the end.
Recursive DNS Server: the recursive DNS server responds to a request from the client and returns the IP address for the requested domain name. The recursive resolver server makes a series of requests until it reaches the authoritative DNS nameserver for the requested domain.
Root nameserver - The root server is the first step in translating (resolving) human readable host names into IP addresses.
TLD nameserver - This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname (in example.com, the TLD server is responsible for “com”).
Authoritative DNS Server: The authoritative DNS server is the server that actually holds and maintains the records for the requested domain. The authoritative DNS server also has an update mechanism, allowing administrators to manage their public DNS names. The authoritative DNS server is the final source of truth for a domain’s DNS information and is responsible for providing the domain’s IP address information back to the requesting recursive DNS server.
DNS caching and where it occurs
The purpose of caching is to temporarily store data in a location that results in improvements in performance and reliability for data requests. DNS caching involves storing data closer to the requesting client so that the DNS query can be resolved earlier and additional queries further down the DNS lookup chain can be avoided, thereby improving load times and reducing bandwidth/CPU consumption. DNS data can be cached in a variety of locations, each of which will store DNS records for a set amount of time determined by a time-to-live (TTL).
Top Major Risks in DNS, controls and how to test the control effectiveness
DNS Spoofing (Cache Poisoning)
Attackers inject false DNS responses into the cache of a resolver, causing users to be redirected to malicious sites.
Risk: Users might unknowingly visit fraudulent websites, potentially leading to phishing attacks, malware infections, and data theft.
Controls and Test Step
- DNSSEC (Domain Name System Security Extensions) Enable DNSSEC on your DNS servers and ensure your domain registrar supports DNSSEC. DNSSEC adds digital signatures to DNS data, which helps verify the authenticity and integrity of the responses. This prevents attackers from injecting false DNS data into the resolver’s cache.
Testing Method: Use DNS query tools like dig or nslookup to query DNS records and check for the presence of DNSSEC signatures. Verify the DNSSEC validation by ensuring the "ad" (authenticated data) flag is set in the response. Command “dig +dnssec example.com”
Infoblox: Ensure that DNSSEC and DNSSEC validation is enabled and functioning correctly in the Infoblox interface. Infoblox DNS Firewall provides DNSSEC validation and can be monitored for this purpose.
Data Management>DNS>Grid Properties> Advanced>DNSSEC
- Secure DNS Resolvers: Use resolvers that validate DNSSEC signatures and are configured to reject suspicious responses. This ensures the integrity of DNS responses, mitigating the risk of cache poisoning.
Testing Method: Configure your system to use the Infoblox resolver and perform DNS queries to check if it correctly validates DNSSEC signatures and rejects invalid responses. Command “dig @your-infoblox-resolver example.com”
Infoblox: Review logs and reports in the Infoblox interface to confirm that invalid responses are being rejected.
- Regular Software Updates and Patching: Keep DNS server software up-to-date with the latest security patches. This protects against known vulnerabilities that could be exploited for cache poisoning.
Testing Method: Review update and patch management logs to ensure that DNS software is up-to-date. Perform vulnerability scans to verify the absence of known vulnerabilities. Command “nmap -sV --script vulners --script-args mincvss=5.0 your-dns-server”
Infoblox: Check the Infoblox management console for the current version and update history. Ensure that automatic updates are enabled if applicable.
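The two resolver checks above (the “ad” flag from dig +dnssec, and a validating resolver rejecting bogus data, which shows up as a SERVFAIL rcode) can be automated by reading the raw response instead of dig’s text output. This is an added example, not code from the page or from Infoblox; the packet it parses is a constructed sample with a placeholder RRSIG and the documentation address 192.0.2.1, and a real audit would feed it the bytes returned by a UDP query to the resolver under test.

```python
"""Parse a raw DNS response (RFC 1035 wire format) and report what the
DNSSEC checks above look for: the AD flag, the RCODE (a validating
resolver answers SERVFAIL for a bogus zone) and whether RRSIGs came back."""
import struct

RRSIG = 46
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            n = msg[off]
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)


def audit_response(msg):
    """Summarise the header flags and answer RR types of one response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    rtypes = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rtypes.append(rtype)
        off += 10 + rdlen
    return {
        "ad": bool(flags & 0x0020),                # resolver validated the data
        "tc": bool(flags & 0x0200),                # truncated (retry over TCP)
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "rrsig_present": RRSIG in rtypes,
        "answers": an,
    }


# Constructed sample (not a real capture): validated example.com A answer plus
# an RRSIG RR with placeholder RDATA; 192.0.2.1 is a documentation address.
SAMPLE = (
    b"\x12\x34\x81\xa0\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
    b"\xc0\x0c\x00\x2e\x00\x01\x00\x00\x0e\x10\x00\x04\x00\x01\x08\x02"
)
```

An answer with "ad" false from a resolver that should validate, or NOERROR for a zone known to be deliberately broken, is the finding the audit records.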
DNS Amplification Attacks
Attackers use DNS servers to amplify the volume of traffic directed at a target, resulting in a Distributed Denial of Service (DDoS) attack.
Risk: Overwhelms the target’s infrastructure, causing service disruptions and potential financial losses.
Controls and Test Step
- Rate Limiting: Configure rate limiting on DNS servers to control the number of requests accepted from a single source. This reduces the impact of amplification attacks by limiting the attacker's ability to exploit the DNS server.
Testing Method: Simulate a high volume of DNS queries from a single source and verify that the rate limiting mechanism effectively limits the number of responses. Command “for i in {1..1000}; do dig @your-infoblox-resolver example.com; done”
Infoblox: Configure rate limiting in Infoblox and review traffic logs to ensure that rate limiting policies are enforced.
- DNS Response Rate Limiting (RRL): Implement RRL to restrict the number of identical responses sent by the DNS server. This mitigates the risk of DNS amplification by preventing servers from being used as a tool in DDoS attacks.
Testing Method: Perform repeated identical DNS queries and check if the server limits the number of identical responses. Command “for i in {1..1000}; do dig @your-infoblox-resolver example.com; done”
Infoblox: Verify RRL settings in the Infoblox interface and review logs to confirm that RRL is operational.
DNS Tunneling
Uses DNS queries and responses to bypass firewalls and exfiltrate data or establish a covert channel for communication.
Risk: Data theft, command and control communication for malware, and violation of network policies.
Controls and Test Step
- Deep Packet Inspection (DPI): Deploy DPI tools to inspect DNS traffic for patterns that indicate tunneling activity. This identifies and blocks malicious DNS tunneling attempts.
Testing Method: Use DPI tools to inspect DNS traffic for signs of tunneling. Simulate DNS tunneling traffic to ensure detection mechanisms are effective. Command “dnscat2”
Infoblox: Enable and configure DPI settings in Infoblox. Review detection logs to ensure tunneling attempts are identified.
- DNS Query Filtering: Implement filters to block suspicious or unauthorized DNS queries and responses. This prevents the use of DNS for covert data exfiltration and command and control communication.
Testing Method: Implement filtering rules and test by attempting to make unauthorized DNS queries. Verify that these queries are blocked. Command “dig @your-infoblox-resolver unauthorized.example.com”
Infoblox: Configure filtering policies in Infoblox and test by simulating unauthorized queries. Check logs to confirm that these queries are blocked.
- Access Control: Restrict DNS queries to trusted internal and external DNS servers. This limits the ability of attackers to use DNS tunneling within the network.
Testing Method: Review access control policies and attempt to perform DNS queries from unauthorized devices or networks. Try performing DNS queries from unauthorized devices “dig @your-infoblox-resolver example.com”
Infoblox: Set access control lists (ACLs) in Infoblox and verify that only authorized devices can perform DNS queries.
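The DPI and filtering controls above look for patterns in query names; the same heuristics can be run over resolver query logs as a detection check. This is an added example, not code from the page or from Infoblox; the log lines are constructed (the "exfil-demo.example" names are made up to look like an encoded-payload tunnel) and the thresholds are assumptions to tune against your own traffic.

```python
"""Score DNS query log lines for tunnelling indicators: long names, many
labels, high-entropy subdomains and record types that carry payloads."""
import math
from collections import defaultdict

# Constructed sample in "client qname qtype" form, not output of any real resolver.
LOG_LINES = """\
10.0.0.5 www.example.com A
10.0.0.9 3f9a1c7e2b8d4a6f0c1e9b7d5a3f2c4e.t1.exfil-demo.example TXT
10.0.0.9 7d2e4b9c1a8f6e3d5c0b2a4f9e1d7c3b.t1.exfil-demo.example TXT
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.t2.s1.exfil-demo.example NULL
10.0.0.5 cdn.example.com A
"""
SUSPECT_TYPES = {"TXT", "NULL"}          # types tunnels commonly use for payloads


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def score_query(qname, qtype):
    """Return (score, reasons); a score of 3 or more deserves analyst review."""
    labels = qname.split(".")
    sub = "".join(labels[:-2])           # everything left of the registered domain
    reasons = []
    if len(qname) > 50:
        reasons.append("long qname")
    if len(labels) > 4:
        reasons.append("many labels")
    if entropy(sub) > 3.5:
        reasons.append("high-entropy subdomain")
    if qtype in SUSPECT_TYPES:
        reasons.append(qtype + " record type")
    return len(reasons), reasons


def analyse(lines):
    """Return ({qname: (score, reasons)} for flagged queries,
    {parent domain: number of distinct names seen under it})."""
    flagged, seen = {}, defaultdict(set)
    for line in lines.splitlines():
        _client, qname, qtype = line.split()
        seen[".".join(qname.split(".")[-2:])].add(qname)
        score, reasons = score_query(qname, qtype)
        if score >= 3:
            flagged[qname] = (score, reasons)
    return flagged, {p: len(names) for p, names in seen.items()}
```

The per-parent count is the volume signal: a single parent domain accumulating hundreds of distinct subdomains in minutes is the tunnelling pattern DPI rules key on.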
DNS Hijacking
Redirects DNS queries to malicious servers by altering the DNS settings, often through compromising routers or other infrastructure.
Risk: Redirects users to malicious websites, potentially leading to phishing, malware, and data breaches.
Controls and Test Step
- Multi-Factor Authentication (MFA): Require MFA for accessing and changing DNS settings in the management console. This enhances security by making unauthorized changes more difficult.
Testing Method: Attempt to access and modify DNS settings without MFA to ensure it is enforced. Ensure MFA is required for all administrative access.
Infoblox: Verify that MFA is enabled for the Infoblox management interface and test by attempting access without the second factor.
- Regular Security Audits: Conduct regular audits of DNS settings and configurations to detect unauthorized changes. This identifies and rectifies potential vulnerabilities that could lead to DNS hijacking.
Testing Method: Conduct regular audits of DNS settings and logs to detect any unauthorized changes. Use change management tools to verify all modifications.
Infoblox: Utilize Infoblox’s audit logs and reporting features to review DNS changes and confirm that all changes are authorized and documented.
- DNS over HTTPS (DoH) or DNS over TLS (DoT): Encrypt DNS traffic using DoH or DoT to prevent interception and tampering. This protects against man-in-the-middle attacks that could lead to DNS hijacking.
Testing Method: Use network analysis tools to ensure DNS queries are encrypted and not transmitted in plaintext. Perform DNS queries over DoH/DoT and verify encryption. Command “kdig @your-infoblox-resolver +tls example.com”
Infoblox: Ensure DoH/DoT is configured in Infoblox. Use traffic inspection tools to confirm that DNS queries are encrypted.
Typosquatting
Attackers register domain names similar to legitimate ones, exploiting typographical errors made by users.
Risk: Users might visit malicious sites, leading to phishing, malware infections, and data theft.
Controls and Test Step
- Domain Monitoring: Monitor for the registration of domains that are similar to your own. This allows early detection and mitigation of typosquatting domains.
Testing Method: Use domain monitoring tools to track and alert on the registration of similar domain names.
Infoblox: Configure Infoblox’s threat intelligence and domain monitoring features to detect typosquatting domains and review alerts.
- Trademark Protection: Register common misspellings and variations of your domain name. This reduces the risk of typosquatting by preemptively securing similar domain names.
Testing Method: Check for the registration of common misspellings and variations of your domain names. Use WHOIS and domain lookup tools.
Infoblox: Ensure that all relevant domain names are registered and protected. Use Infoblox reporting to monitor domain registrations.
- User Education: Educate users about the risks of typosquatting and encourage the use of bookmarks or directly typing URLs. This decreases the likelihood of users falling victim to typosquatting attacks.
Testing Method: Conduct phishing simulation exercises to test user awareness. Provide training and measure improvement in recognizing typosquatting attacks.
Infoblox: Use Infoblox’s security awareness features to educate users and track their responses to simulated attacks.
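The domain monitoring check above needs a candidate list of lookalike names to compare against newly registered domains. This is an added example, not code from the page or from Infoblox: it enumerates common typo and homoglyph variants of a domain you own, then scans a feed of new registrations for exact hits and near misses. The domain, the substitution table and the feed are constructed assumptions; a real check would read the feed from your registrar or threat-intelligence provider.

```python
"""Generate lookalike candidates for a domain you own and match them
against a feed of newly registered names (the 'Domain Monitoring' check)."""

SUBSTITUTIONS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
ALT_TLDS = ("com", "net", "org", "co")


def lookalikes(domain):
    """Typo and homoglyph variants of domain, plus the same name under other TLDs."""
    name, tld = domain.rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                     # omitted character
        variants.add(name[:i] + ch + name[i:])                    # doubled character
        variants.add(name[:i] + name[i + 1:i + 2] + ch + name[i + 2:])  # transposed pair
        if ch in SUBSTITUTIONS:
            variants.add(name[:i] + SUBSTITUTIONS[ch] + name[i + 1:])
    variants.discard(name)
    out = {v + "." + tld for v in variants}
    return out | {name + "." + t for t in ALT_TLDS if t != tld}


def edit_distance(a, b):
    """Levenshtein distance, to catch variants the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspects(domain, new_registrations):
    """Map each newly registered name that resembles domain to the reason."""
    known, base = lookalikes(domain), domain.rsplit(".", 1)[0]
    suspects = {}
    for d in new_registrations:
        dname = d.rsplit(".", 1)[0]
        if d in known:
            suspects[d] = "generated lookalike"
        elif edit_distance(dname, base) <= 1 or (base in dname and dname != base):
            suspects[d] = "close match"
    return suspects


# Constructed sample feed; none of these names is a real finding.
NEW_REGISTRATIONS = ["examp1e.com", "exmaple.com", "example.net",
                     "example-bank.com", "unrelated.org", "examplee.com"]
```

Names the generator produces can also be registered defensively, which is the Trademark Protection control above; the edit-distance pass catches the variants nobody thought to pre-register.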