DNS Is Still the Achilles’ Heel of the Internet

by nlqip
April 24, 2024

A DNS amplification attack floods the victim’s server with a tsunami of fake requests.

DNS Hijacking

Who owns what domain name and what DNS servers are designated to answer queries are managed by Domain Registrars⁸ . These are commercial services, such as GoDaddy, eNom, and Network Solutions Inc., where there are registered accounts storing this information. If attackers can hack those accounts, they can repoint a domain to a DNS server they control. Attacks like this have affected the New York Times ⁹ , LinkedIn, Dell, Harvard University, Coca Cola, and many others.

DNS Server Vulnerabilities

Because DNS services are software, they are likely to contain bugs. It’s possible that some of these bugs will create software vulnerabilities that attackers can exploit. That’s just the way it is with all software written by imperfect carbon-based life forms. Luckily, DNS is old (so we’ve had time to find most of the bugs) and simple (so bugs are easy to spot), but problems have cropped up. In 2015, there was a rather significant hole found in BIND, an open-source DNS server running much of the Internet ¹⁰ . Called CVE-2015-5477 ¹¹ (no cute name, thank you), BIND allowed an attacker to crash a DNS server with a single crafted query ¹² .

Another software vulnerability in DNS servers is the Recursive DNS spoof cache poisoning ¹³ technique, which means that an attacker can temporarily change DNS database entries by issuing specifically crafted queries.

Unauthorized DNS Changes

If you’ve got a server, someone must manage it. That means that you are dependent on how strongly you are authenticating the admins to that server as well as ensuring the trustworthiness and competence of those admins. In practice, this vulnerability is usually realized by accident when an admin fat-fingers a DNS change or incorrectly manages the DNS servers. Because of the nature of DNS records, changes to DNS are cached by query clients, so mistakes can sometimes take hours or days to unwind across the Internet.

DNS Data Leakage

You can’t run an unauthenticated Internet database full of important information without the occasional risk of leaking out something important. Attackers will often repeatedly query DNS servers as a prelude to an attack, looking for interesting Internet services that may not be widely known. For example, an organization may have a site called vpn.example.com which it doesn’t advertise to anyone except its employees. If an attacker discovers this site, they’ve just found a new potential target in an attack. DNS records can also aid phishing expeditions by using known server names in their phony baloney emails.

Many organizations run DNS on the inside of the network, advertising local area network (LAN) resources for workstations. Some smaller organizations run split-horizon DNS servers ¹⁴ that offer up Internet DNS services to the world as well as these LAN-based DNS services on the same box. A wrong configuration on that DNS server can lead to some devastating DNS data leakages as internal names and addresses are shared with attackers. Even giants can be tripped up by this seemingly simple vulnerability.¹⁵

DNS Man-in-the-Middle

Once again, the easily spoofed protocol UDP that DNS uses is the weak link. In this case, an attacker inline between the victim and the DNS server they’re querying can intercept and monkey with DNS queries. It’s a pretty easy attack to pull off if you’re on the same wire or wireless as the victim or DNS server. What can you do with this? Well, an F5 researcher found a way to use it to steal Microsoft Outlook credentials ¹⁶ . So, it’s an attack that shouldn’t be taken lightly.

A good defense against this to run DNS Security Extensions (DNSSEC) on the DNS server, which adds public-privacy cryptographic keys to authenticate records. Adoption is slowly growing ¹⁷ but DNSSEC can be hard to implement.

Defending DNS

Given these attacks, how do you defend such a vital service? Many organizations simply choose to outsource their DNS services, which moves the responsibility to someone who should have more resources and skills to defend it. Not all DNS vulnerabilities are reduced this way, but many are. Here’s a breakdown of the DNS attacks, some threat potentials, and recommended defenses:

Source link
lol

A DNS amplification attack floods the victim’s server with a tsunami of fake requests. DNS Hijacking Who owns what domain name and what DNS servers are designated to answer queries are managed by Domain Registrars8. These are commercial services, such as GoDaddy, eNom, and Network Solutions Inc., where there are registered accounts storing this information.…