DNS servers are vital to almost every process that takes place on the Internet. They allow us to browse the web, transact on an e-commerce site, chat via instant messaging, send out file transfers, communicate through email, etc. So when these DNS servers are compromised or somehow fail, the services that rely on them can be adversely affected.
That’s exactly what happened last October when a DNS provider serving popular websites like Twitter, Amazon, AirBnB, CNN, Comcast, Spotify, Tumblr, Wired, and many others got hit by a massive DDoS attack. From the point of view of end users, those sites appeared to be down. Their servers were technically available, but they weren’t reachable, because the DNS system users relied on to get to those sites was out of commission.
Why DNS is crucial to Internet connectivity
The main function of the Domain Name System (DNS) is simple: it associates information with domain names. Most importantly, DNS resolves domain names and hostnames to IP addresses, and IP addresses back to hostnames.
This is necessary because the servers that host sites like xdomain.com or ftp.somedomain.edu are actually identified by client machines through IP addresses like 220.127.116.11 or 18.104.22.168 and not through the domain names xdomain.com or ftp.somedomain.edu per se. The client machines – i.e., desktops, laptops, tablets, smartphones, or other servers – need to know what those IP addresses are before they can establish a connection.
When a user types something like xdomain.com into a browser, that request will first have to go through a DNS server. The DNS server (or more specifically, a chain of DNS servers) will then take that domain name, resolve it into the IP address that matches the domain name and then provide that information to the requesting client. Only then can the client connect to the xdomain.com server.
Without the DNS system, a user who doesn’t already know the IP address of xdomain’s server has no way to connect to it.
Threats to DNS
Generally speaking, threats to DNS systems can be grouped into three categories:
● Threats against the integrity of data in a DNS system
● Threats against the confidentiality of data in a DNS system
● Threats against the availability of a DNS system
Threats to DNS integrity
Threats to data integrity in a DNS system are those that may result in the intentional or accidental modification of its data. Certain pieces of data used in DNS, if tampered with, can lead to serious consequences.
For example, if the Resource Records (RRs) stored in zone files, memory or cache are tampered with, or if the responses to legitimate queries are tainted with bogus information, users can be redirected to other (potentially malicious) sites.
The most common type of attack aimed at damaging the integrity of a DNS system is cache poisoning. The objective of this attack is to force a DNS server to cache bogus information; usually a domain name mapped to the wrong IP address. As a result, when a client submits a legitimate query to the DNS system, the system will then reply with the wrong information.
Once a cyber attacker succeeds in redirecting traffic to a malicious site (presumably also controlled by the attacker), bad things can happen. These sites are often meticulously crafted to resemble the legitimate site so that redirected users can be deceived into entering sensitive information like passwords, credit card data, and personally identifiable information (PII).
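To make the resolution flow and the poisoning defence concrete, here is an added example (not code from the original article): a minimal stub resolver that encodes an A query for xdomain.com, parses the wire-format reply, and applies the checks a cache should make before accepting an answer. Everything in it is constructed for the demo, including the example IP addresses, the `build_response` helper that stands in for a server, and the simplified bailiwick rule that only accepts answer records whose owner name matches the question.

```python
import secrets
import struct

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=None):
    """Build a recursive A-record query for `name`; returns (txid, packet).
    An unpredictable transaction ID is one of the classic poisoning defences."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(pkt, off):
    """Decode a (possibly compressed) name at `off`; returns (name, end_offset)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end

def parse_response(pkt):
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def accept_response(expected_txid, expected_question, pkt):
    """Decide whether a resolver should cache `pkt` for an outstanding query.
    Returns (ok, reason). Rejecting mismatched IDs/questions and answer
    records for unrelated names is what keeps a forged reply out of the cache."""
    resp = parse_response(pkt)
    if not resp["flags"] & 0x8000:
        return False, "not a response"
    if resp["txid"] != expected_txid:
        return False, "transaction id mismatch"
    if resp["questions"] != [expected_question]:
        return False, "question section mismatch"
    qname = expected_question[0].lower()
    for rname, _, _, _ in resp["answers"]:
        if rname.lower() != qname:                 # simplified bailiwick check
            return False, f"answer for unrelated name {rname}"
    return True, "ok"

def build_response(txid, name, ip, answer_name=None):
    """Constructed reply as a server would send it (used for the demo only).
    The answer's owner name is a compression pointer back to the question
    unless a different `answer_name` is supplied."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    owner = encode_name(answer_name) if answer_name else struct.pack("!H", 0xC00C)
    rr = owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

if __name__ == "__main__":
    txid, query = build_query("xdomain.com")
    question = ("xdomain.com", 1, 1)
    genuine = build_response(txid, "xdomain.com", "203.0.113.10")        # constructed addresses
    forged = build_response(txid ^ 0x5555, "xdomain.com", "198.51.100.7")
    print(accept_response(txid, question, genuine))   # (True, 'ok')
    print(accept_response(txid, question, forged))    # (False, 'transaction id mismatch')
```

The transaction ID check is only a 16-bit hurdle on its own; real resolvers combine it with a randomised source port and, where the zone is signed, DNSSEC validation. The point the example makes is that every field of the reply is compared against the query the resolver actually sent before anything reaches the cache.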
Threats to DNS availability
These are the types of threats that render DNS servers inaccessible. When that happens, DNS queries may go unanswered. As a result, clients will be unable to reach the sites they’ve been meaning to connect to. DNS outages can be caused by unintentional server failures or deliberate DoS/DDoS attacks.
Recent events have shown that this type of threat has the potential to inflict the most damage among the three. This is primarily because of the way a large portion of the Internet now operates, wherein a multitude of sites rely heavily on a few service providers. When a major DNS service provider bogs down, availability issues can easily affect a large number of sites or customers spanning a vast geographical area, just like what happened in the
Some of the common types of attacks that target DNS availability include the following:
● Distributed Reflection DoS (DrDoS)
● TCP SYN flood
● IoT botnet DDoS
An IoT botnet DDoS attack was responsible for the Dyn outage. That attack, which was the largest DDoS attack on record, was noteworthy in that it was launched from an army of compromised IoT devices. This is a serious threat because, if it could bring down an infrastructure as robust as Dyn (even just for a few hours), it could easily overwhelm the infrastructures of much smaller DNS providers.
Threats to DNS confidentiality
Threats to the confidentiality of data in DNS systems are not as glaring as the other two, but shouldn’t be taken lightly. If, for example, RRs for internal hosts are stored in external name servers and those servers are compromised, the information obtained can provide attackers insights about the internal network. This information can then be used to support and inform subsequent stages of an attack.
One of the tasks many security consultants perform in the early stages of a penetration testing engagement is DNS reconnaissance. DNS reconnaissance can reveal a lot about an organization’s DNS servers, their RRs and, in turn, the organization’s network infrastructure.
Some of the techniques employed in DNS reconnaissance include:
● DNS server cache snooping
● Domain brute force
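The availability attacks listed above and the cache snooping technique listed here both leave traces in a resolver's query log. As an added example (not code from the original article), the following analyzer runs over a constructed log in a simplified format loosely modelled on a resolver query log, and flags two things: sources sending unusually many queries (marked as a reflection/amplification candidate when most of them are ANY queries, since the apparent source is then probably a spoofed victim and the server is being used as a reflector), and external addresses sending non-recursive queries, which is how a cache snooping probe looks to the server. The log format, the `INTERNAL_NETS` range and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log format (loosely modelled on a resolver query log):
# "<timestamp> client <ip>#<port>: query: <name> IN <type> <flags>"
# where flags starting with "+" mean recursion desired and "-" means not.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)$"
)

# Assumed address range of our own recursive clients; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: 30 ANY queries "from" one address, two non-recursive
# probes from an external host, and ordinary internal traffic.
SAMPLE_LOG = [
    f"2016-10-21T12:00:{i:02d} client 198.51.100.9#{40000 + i}: query: example.com IN ANY +"
    for i in range(30)
] + [
    "2016-10-21T12:01:00 client 203.0.113.7#53021: query: www.bank-x.example IN A -",
    "2016-10-21T12:01:02 client 203.0.113.7#53022: query: vpn.corp.example IN A -",
    "2016-10-21T12:01:05 client 192.0.2.15#53111: query: intranet.example IN A -",
    "2016-10-21T12:01:09 client 192.0.2.20#53112: query: www.example.com IN A +",
]

def parse_line(line):
    """Return a dict of fields for a matching log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def analyze(lines, flood_threshold=20):
    """Flag (a) sources at or above `flood_threshold` queries, labelled as a
    reflection/amplification candidate when more than half are ANY queries,
    and (b) external sources sending non-recursive queries (cache snooping)."""
    per_ip, any_per_ip, probes = Counter(), Counter(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        per_ip[ip] += 1
        if rec["type"] == "ANY":
            any_per_ip[ip] += 1
        if not rec["recursion_desired"] and not is_internal(ip):
            probes[ip].append(rec["name"])
    findings = []
    for ip, n in per_ip.items():
        if n >= flood_threshold:
            kind = ("reflection/amplification candidate"
                    if any_per_ip[ip] / n > 0.5 else "query flood")
            findings.append((str(ip), kind, n))
    for ip, names in probes.items():
        findings.append((str(ip), "cache snooping probe", len(names)))
    return findings

if __name__ == "__main__":
    for src, kind, count in analyze(SAMPLE_LOG):
        print(f"{src:15} {kind:38} {count}")
```

The example counts over the whole input for simplicity; a production detector would count per time window. The snooping rule is also the mitigation in disguise: a resolver that only answers recursive queries from its own client ranges has nothing for an outsider to snoop, and any non-recursive query that still arrives from outside is worth logging.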
Impact to business
The impact of a DNS attack on businesses can vary greatly depending on the threat. If it’s an attack on the confidentiality of DNS data, the impact could be minimal.
However, if that incident was actually just reconnaissance that eventually led to a deeper penetration of the network, or a data breach, the impact could be huge. If the data breach involved personal information, the business could face legal action or hefty.
If it’s the integrity of DNS data that’s compromised and client machines are redirected to malicious sites, this can impact:
1. The owners of the client machines. Once these machines are redirected to malicious sites, the owners of these machines could suffer financial losses or loss of confidential information (e.g. credit card data or PII).
2. The owners of the spoofed sites. The moment word of the fraudulent transactions gets out (and spreads through social media), the businesses who own those sites could suffer irreparable brand damage. They could also suffer financial losses as they try to remediate the problem or defend themselves against lawsuits.
If it’s the availability of DNS services that’s compromised, the biggest consequences are likely to be in terms of opportunity and trust. If you have an online business (e.g. an e-commerce, or online banking site) and your DNS provider suffers a lengthy outage (say, several hours), the loss in terms of sales could be massive.
To learn more about using DNS security to protect your data and your reputation, contact us