DNS – Everyone uses it
Cyber threats are evolving and becoming more costly. It’s not just about stealing information anymore, it’s about disrupting service and causing downtime. Internet facing networks and services are obviously an easy target. Powerful botnets are readily available to lease and have the capacity to bring networks to a halt. A botnet-for-hire service costs around $38 per month. A minor fee compared to the negative effect gained on company services. Incapsula state that a DDoS could cost a business $40,000 per hour in loss of opportunity, property loss and customer trust. Individuals that lease botnets do not need any special skills and can execute assaults using previously packaged scripts. Nowadays, it’s easy to launch a DDoS attack; getting a lot for very little effort.
One of the most valuable network services out there is Domain Name System (DNS) – an address book of name to IP mappings. When DNS is down, users can’t resolve properly or when databases are compromised, requests get redirected to imposter locations. Administrators must ensure their master databases are properly locked down and secured. If the master database becomes compromised, SSL security and password don’t mean squat anymore. It’s game over. The attack surface for DNS-based DoS attacks is so vast with various DNS amplification, reflection and other DNS exploits available. There is countermeasure with Domain Name System Security Extensions (DNSSEC) but not widely implemented.
DNS designs usually operate in a master / secondary mode; a simple delegation design. The master database is the read – write database, protected on the LAN behind a firewall. The secondary database acts as a slave to the master and accepts client requests. It cannot be modified and for internet facing requests, it usually sits on the demilitarized zone (DMZ). Additions and modifications of records are processed on the master with only the administrator having access.
Everything is moving to the cloud; a shared resource used by multiple people. The cloud is cheaper and resources get fully utilized. It supports both long and short-lived environments, making it a popular resource for I.T environments. The cloud presents challenges in that resources may move from both intra and inter-data center locations. Within the data centre we usually keep the same IP but if it’s an inter-data centre move, IP address may change. You may use stretched VLANs or IPv6 host based routing but this creates routing protocol churn and stretched VLANs bring obvious drawbacks. To fully support private, public and hybrid cloud environments, DNS must be accurate and flexible.
DNS Root Servers
DNS is a fully distributed hierarchical database that relies on root servers. Requests start walking the root zone, down to top level domains, from there to sub domains and finally the actual host. There is no limit on how deep you go. The concept of zones exists, referring to an administrative boundary. It is up to the administrator to ensure their zones are properly secure.
Everything relies on root servers and if the DNS root servers go down nothing is resolvable. An attack in Dec 2015 effectively knocked three of the 13 root servers out for several hours. All lower down layers still operate as normal – ping, traceroute, MPLS still work, except for simple name resolution. We have 13 root servers, labelled A to M. It would be impossible to serve all clients request with just 13 servers so they are replicated with anycast IP addressing. Their purpose is to route requests to the closest name server. Close does not mean distance in kilometers. It refers to hop count or latency. Latency being more difficult to measure.
DNS Security Extensions
The reconnaissance phase of a broader attack might start by querying DNS. Anyone from any computer connected to the Internet can initiate a whois command to determine who is managing the DNS servers. Some servers return back the actual individual’s name as the contact for the queried administrative domain. This contact account is authorised to make any change. If the account gets compromised the attacker obtains complete control and may redirect the entire domain. Best practice is to label the contact as the “domain manager” and not individual names. For further investigation, one can delve deeper and enter the command line lookup for whois called nslookup. Nslookup allows you to look at different individual records. For example, set q=mx examines individual mail records.
There are tools available to secure DNS. DNS security extensions are enhancements to the original DNS name system invented 25 years ago. They add digital signatures to DNS and offer the ability to cryptographically sign DNS zone data. This allows DNS servers to validate data and make sure it hasn’t changed. DNSSEC is available but most don’t use it. It is a trust relationship relying on Public and Private keys. The entire chain must be trusted. Anyone can assess the public key but no one sees the private key. The private does the encryption while the public decrypts. It can work the other way around but then you can only decrypt with the private key. DNSSEC encrypts the actual checksum. The public key is used to decrypt the digest assigned and then you compare the two together. If they are the same everything works. The initial question with DNSSEC is how do you get all the public keys to the database. To get around this, they publish the public key in DNS as a record type.
Palo Alto and other vendors offer what is known as DNS sinkholing. Sinkholing allows you to direct suspicious DNS traffic to a sinkhole IP address. The sinkhole IP is not an actual host, it is simply a logical address. It enables the malicious domain name to resolve to an IP address you specify. F5 have a DNS Express product that puts a GTM in front of the DNS servers. F5 GTM can handle over 2 million requests per second – more than enough to handle most DDoS attacks.