New year resolutions or goals with sticky notes on blackboard

DNS Security Designs

DNS Security Designs

In today's digital age, where data breaches and cyber attacks are becoming increasingly common, ensuring the security of our online activities is of utmost importance. One crucial aspect of online security is the Domain Name System (DNS) – the backbone of the internet that translates domain names into IP addresses. This blog post will explore various DNS security designs organizations can implement to protect their networks and data from malicious activities

Before diving into the design aspects, it's important to understand the basics of DNS security. DNS is responsible for translating domain names into IP addresses, allowing us to access websites by typing in easy-to-remember names instead of complicated numeric addresses. However, this system can be vulnerable to attacks, such as DNS spoofing or cache poisoning, which can redirect users to malicious websites. Implementing robust DNS security designs is crucial to mitigate these risks.

Table of Contents

Highlights: DNS Security Designs

The Challenging Landscape

Cyber threats are evolving and becoming more costly. It’s not just about stealing information anymore; it’s about disrupting service and causing downtime. Internet-facing networks and services are an easy target. Powerful botnets are readily available to lease and have the capacity to bring networks to a halt. A botnet-for-hire service costs around $38 per month.

A nominal fee compared to the negative effect on company services. Incapsula states that a DDoS could cost a business $40,000 per hour in loss of opportunity, property loss, and customer trust. Individuals who lease botnets do not need special skills and can execute assaults using previously packaged scripts. Nowadays, launching a DDoS attack is easy, getting a lot for minimal effort. 

Lock Down Master Databases

They are making DNS security designs a key component. One of the most valuable network services is the Domain Name System (DNS). The DNS structure is an address book of names to I.P. mappings. When DNS is down, users can’t resolve correctly, or requests get redirected to imposter locations when databases are compromised.

Therefore, administrators must ensure their master databases are appropriately locked and secured. If the master database becomes compromised, SSL security and passwords no longer mean squat. It’s game over. The attack surface for DNS-based DoS attacks is so vast, with various DNS amplification, DNS reflection attack, and other DNS exploits available. There are DNS security solutions, such as Domain Name System Security Extensions (DNSSEC), but they are not widely implemented. 

For additional pre-information, you may find the following posts helpful:

  1. Zero Trust Network Design
  2. Data Center Failover
  3. IPv6 Attacks
  4. OpenShift SDN



DNS Security Designs

Key DNS Security Designs points:


  • Powerful botnets are available.

  • The DNS structure is not secure.

  • DNS queries are not encrypted.

  • Large DNS attack surface.

  • Issues with UDP as transpot.

Back to Basics: DNS Security

DNS plays a role in all things internet; remember, absolutely nothing happens without it; the DNS system provides a compelling attack vector to those bad actors. If you remove somebody’s authoritative nameservers, you take that somebody off the internet. So, there is a lot of collateral damage. So, the first order of business if you’re hosting the direct target of a DDoS attack is to identify who that target is.

Utilities, such as dnstop, can show the inbound queries broken down by domain, RRtype, and originating resolver, among other criteria. We also use Packet analyzers, with Wireshark being the most popular. Wireshark can help you discern patterns in the attack traffic used to create firewall rules or filters to discard malicious traffic.

Cisco Umbrella DNS

DNS Security Extensions (DNSSEC)

DNSSEC is a set of security extensions to DNS that helps verify the authenticity and integrity of DNS responses. Using digital signatures, DNSSEC ensures that the responses received from DNS servers are not tampered with during transit. It also helps prevent DNS cache poisoning attacks, where attackers redirect users to malicious websites by corrupting DNS cache data. Implementing DNSSEC provides a layer of trust and authenticity to DNS queries and responses.

2. DNS Filtering and Whitelisting

DNS filtering and whitelisting are essential to protect networks from accessing malicious websites and content. Organizations can block access to known malicious domains by filtering DNS requests, preventing users from inadvertently accessing harmful websites. Whitelisting, on the other hand, allows organizations to explicitly allow access to specific domains, reducing the risk of accidental exposure to malicious content.

3. DNS Firewall

A DNS firewall acts as a protective barrier between the internal network and the internet. It monitors and filters DNS traffic, blocking access to known malicious domains or IP addresses. DNS firewalls can also detect and block DNS tunneling attempts, where attackers use DNS requests and responses to bypass traditional security controls and exfiltrate data. Organizations can add an extra layer of defense to their network infrastructure by implementing a DNS firewall.

4. DNS Anomaly Detection

DNS anomaly detection systems analyze DNS traffic patterns to identify any abnormal behavior that may indicate a security threat. By continuously monitoring DNS queries and responses, these systems can detect patterns such as large volumes of queries from a single IP address, unusual query types, or sudden spikes in DNS traffic. DNS anomaly detection helps organizations proactively prevent security incidents by promptly detecting and alerting administrators about potential threats.

5. DNS-based Authentication of Named Entities (DANE)

DANE is a protocol that allows the association of digital certificates with domain names using DNS records. By leveraging DNS as a repository for certificate authority (CA) information, DANE provides an additional layer of security to SSL/TLS certificates. It helps prevent man-in-the-middle attacks by ensuring that the certificate presented by a server matches the one stored in DNS records. Implementing DANE can help organizations enhance the security of their encrypted communications.

Highlighting: DNS Security Designs

DNS designs usually operate in a master / secondary mode, a simple delegation design. The master database is the read-write database, protected on the LAN behind a firewall. The secondary database is a slave to the master and accepts client requests. It cannot be modified and usually sits on the demilitarized zone (DMZ) for internet-facing requests. Additions and modification records are processed on the master with only the administrator having access.

Cloud DNS

Everything is moving to the cloud, a shared resource multiple people use. The cloud is cheaper, and resources are fully utilized. It supports long- and short-lived environments, making it a popular resource for I.T. environments. However, the cloud presents challenges because resources may move from intra and inter-data center locations.

We usually keep the same I.P. within the data center, but the I.P. address may change if it’s an inter-data center move. You may use stretched VLANs or IPv6 host-based routing, but this creates routing protocol churn, and stretched VLANs bring apparent drawbacks. DNS must be accurate and flexible to fully support private, public, and hybrid cloud environments.

 

DNS Root Servers

DNS is a fully distributed hierarchical database that relies on root servers. Requests start walking the root zone down to top-level domains, subdomains, and hosts. There is no limit on how deep you go. The concept of zones exists, referring to an administrative boundary. It is up to the administrator to ensure their zones are correctly secure.

Everything relies on root servers; nothing is resolvable if the DNS root servers go down. An attack in Dec 2015 effectively knocked three of the 13 root servers out for several hours. All lower-down layers still operate as usual – ping, traceroute, and MPLS still work, except for simple name resolution.

We have 13 root servers labeled A to M. It would be impossible to serve all client’s requests with just 13 servers, so they are replicated with anycast I.P. addressing. Their purpose is to route requests to the closest name server. Close does not mean distance in kilometers. It refers to hop count or latency. Latency is more challenging to measure.

 DNS Security: The Extensions

The reconnaissance phase of a broader attack might start by querying DNS. Anyone from any computer connected to the Internet can initiate a Whois command to determine who manages the DNS servers. Some servers return the actual individual’s name as the contact for the queried administrative domain. This contact account is authorized to make any changes.

The attacker obtains complete control if the account gets compromised and may redirect the entire domain. The best practice is to label the contact as the “domain manager, ” not individual names. For further investigation, one can enter the command line lookup for whois called nslookup. Nslookup allows you to look at different individual records. For example, set q=mx examines individual mail records. 

DNS tools

There are tools available to secure DNS. DNS security extensions are enhancements to the original DNS name system invented 25 years ago. They add digital signatures to DNS and can sign DNS zone data cryptographically. This allows DNS servers to validate data and ensure it hasn’t changed. DNSSEC is available, but most don’t use it. It is a trust relationship relying on Public and Private keys. The entire chain must be trusted. Anyone can assess the public key, but no one sees the private key.

The private does the encryption while the public decrypts. It can work the other way around, but you can only decrypt it with the private key. DNSSEC encrypts the actual checksum. The public key decrypts the assigned digest and then compares the two. If they are the same, everything works. The initial question with DNSSEC is, how do you get all the public keys to the database? They publish the public key in DNS as a record type to get around this.  

DNS sinkholing

Palo Alto and other vendors offer what is known as DNS sinkholing. Sinkholing allows you to direct suspicious DNS traffic to a sinkhole IP address. The sinkhole IP is not an actual host but simply a logical address. It enables the malicious domain name to resolve to the specified IP address. For example, F5 has a DNS Express product that puts a GTM load balancer before the DNS servers. F5 GTM can handle over 2 million requests per second – more than enough to handle most DDoS attacks.

DNS Security Designs: Final Points

DNS security is critical to protecting networks and data from cyber threats. By implementing various DNS security designs such as DNSSEC, filtering and whitelisting, DNS firewalls, anomaly detection, and DANE, organizations can strengthen their overall security posture. Businesses must stay proactive and adopt these security measures to mitigate the risks associated with DNS vulnerabilities. By doing so, they can ensure a safer online environment for their users and protect valuable data from falling into the wrong hands.

Summary: DNS Security Designs

With the ever-increasing importance of online security, it is crucial to understand the significance of DNS security designs. This blog post delved into DNS security and explored various design approaches to safeguard your online presence. From encryption to DNS filtering, we will cover essential aspects to help you make informed decisions for your digital security strategy.

Section 1: Understanding DNS Security

DNS (Domain Name System) security is all about protecting the integrity, availability, and confidentiality of the DNS infrastructure. It is pivotal in securely ensuring that website visitors are directed to the correct IP address. Cyber threats like DNS spoofing and cache poisoning can lead to unauthorized access, data breaches, and other detrimental consequences without proper DNS security.

Section 2: Encryption for DNS Security

Encryption is a fundamental aspect of DNS security designs. Implementing protocols like DNS over HTTPS (DoH) or DNS over TLS (DoT) can provide additional protection against eavesdropping and tampering. Encrypting DNS traffic protects sensitive information, such as domain queries and IP addresses, from prying eyes, bolstering the overall security posture.

Section 3: DNS Filtering for Enhanced Security

DNS filtering is a practical approach to fortify DNS security designs. Organizations can block access to malicious websites, phishing attempts, and malware distribution networks by leveraging filtering techniques. Implementing robust DNS filtering policies helps promote safer browsing experiences for users and prevents potential security breaches.

Section 4: Implementing DNSSEC for Data Integrity

DNS Security Extensions (DNSSEC) is a crucial technology that ensures the integrity and authenticity of DNS responses. DNSSEC mitigates the risks of DNS cache poisoning and domain hijacking by digitally signing DNS records. Implementing DNSSEC provides a verifiable chain of trust, reducing the chances of falling victim to DNS-related attacks.

Conclusion:

In this blog post, we have explored various DNS security designs to help safeguard your online presence. Understanding the significance of DNS security and implementing measures like encryption, DNS filtering, and DNSSEC can significantly enhance your digital security posture. By staying proactive and adopting these security practices, you are taking crucial steps toward protecting your online assets and ensuring a safer digital experience.