A Guide to DNS Filtering - Under the Covers
DNS is both an interpreter and a roadmap for the Internet. Users love friendly names, while their devices and favorite websites work with IP addresses. DNS maps friendly names to IP addresses. Normally, when the browser queries a DNS server, an IP address is returned, allowing the browser to open the website at that specific IP address. The same process applies to cloud applications and other web protocols as well.
DNS filtering is designed to combat malware, spam, child pornography and other dangerous sites on the web. In those cases, the DNS server filters the request and blocks it rather than returning an IP address. It is also useful for organizations that want to protect internal assets by blocking known malicious sites. This function is normally carried out at the router level by blocking IP addresses or filtering ports. For those without the luxury of high-end routers, DNS filtering is a great alternative.
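The blocking decision described above, as an added example that is not code from the original post or from any vendor product: a filtering resolver looks the queried name up against a blocklist and either lets the query resolve, answers with a sinkhole address, or returns NXDOMAIN. The blocklist entries, the sinkhole address and the domain names are constructed placeholders.

```python
# Added example (not from the original post): a minimal DNS filtering policy.
# Blocklist entries and the sinkhole address are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass

# Constructed blocklist: each entry is a domain whose subdomains are also blocked.
BLOCKLIST = {
    "malware-example.test": "malware",
    "phish-example.test": "phishing",
}

# Constructed sinkhole address (RFC 5737 documentation range); a filtering
# resolver may answer with this instead of NXDOMAIN so the client lands on a
# block page rather than getting a bare error.
SINKHOLE_IP = "192.0.2.1"


@dataclass(frozen=True)
class Verdict:
    action: str            # "resolve", "sinkhole" or "nxdomain"
    category: str | None   # blocklist category when blocked
    matched: str | None    # the blocklist entry that matched


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'WWW.Example.TEST.' equals 'www.example.test'."""
    return qname.rstrip(".").lower()


def lookup_blocklist(qname: str, blocklist: dict[str, str]) -> tuple[str, str] | None:
    """Walk the name from most specific to least specific label boundary.

    'a.b.malware-example.test' checks 'a.b.malware-example.test', then
    'b.malware-example.test', then 'malware-example.test', then 'test'.
    Matching on label boundaries avoids the false positive of
    'notmalware-example.test' matching 'malware-example.test'.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def filter_query(qname: str, blocklist: dict[str, str] = BLOCKLIST,
                 sinkhole: bool = True) -> Verdict:
    """Decide what the filtering resolver should do with a query for qname."""
    hit = lookup_blocklist(qname, blocklist)
    if hit is None:
        return Verdict("resolve", None, None)
    matched, category = hit
    return Verdict("sinkhole" if sinkhole else "nxdomain", category, matched)


if __name__ == "__main__":
    for name in ("www.example.test", "cdn.malware-example.test.", "notmalware-example.test"):
        v = filter_query(name)
        print(f"{name:32} -> {v.action:8} {v.category or ''} {v.matched or ''}")
```

The suffix walk is what makes the list usable in practice: a single entry for a domain covers every host an attacker spins up underneath it, while the label-boundary check keeps unrelated look-alike names from being caught.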
How important is DNS in security?
Due to its critical function within both the Internet and the enterprise, DNS is a primary target for hackers, so securing it is imperative. An effective security strategy entails not only blocking malicious queries but also servicing good queries. DNS plays an important role in a layered network security strategy in which multiple approaches to cyber defence are required. This multi-tiered approach reduces the possibility of a successful hacking attack.
Is DNS Filtering Really the Answer?
In recent years, government bodies have attempted to introduce new ways to protect victims at the source of Internet traffic. Unfortunately, these standards are legislated by people who do not fully understand the implications of their actions. The Internet already uses a myriad of web filtering options. Organizations filter at the router level, while search engines use heuristic methods to detect IP addresses that host malicious content. Web filtering software and antivirus programs block websites and suspicious downloadable content using executable footprints. All of these methods have worked well together, but attackers are constantly looking for ways to circumvent protection.
DNS remains a vulnerable, highly targeted component for exploits and cyberattacks. For instance, DNS replies can be spoofed, or created with false information, to redirect users from legitimate sites to malicious websites. Targeting the exploits of cybercriminals, however, is challenging at best due to the scale of the Internet. Attackers constantly register new domain names and move to "clean" neighbourhoods. As soon as any security method detects malicious activity and shuts it down, these criminal chameleons simply move to a new location that remains undetected for a while before the cycle repeats itself.
DNS filtering should be an important component of your network security strategy used in conjunction with port monitoring, intrusion detection systems, web filtering software, intrusion prevention systems, antivirus, and firewalls. Together, these necessary layers work cohesively to create a functional and effective security protection system.
DNS filtering is not without its critics, however, who point out some of its inherent disadvantages:
It is not bulletproof. Malicious attackers are clever enough to get around it.
Users can use proxies to hide their original IP and gain access to the DNS queried IP address.
Modification of the DNS protocol could lead to unforeseen security issues and technical bugs.
For more information about DNS myths visit this recent blog post: 4 Myths about DNS Filtering and some truths
No system is of course bulletproof, and while it is true that cybercriminals are constantly changing domain names, solutions such as WebTitan DNS Filtering are highly effective in countering their cloaking efforts. WebTitan does this by categorizing an estimated 60,000 malware and spyware domains per day, tracking down dangerous sites and blocking them.
A schematic illustrating this process is shown below:
Examining DNS Structure
The Domain Name System (DNS) was designed to make it convenient for the public to use the Internet. As mentioned earlier, it translates domain names to the matching IP addresses of the hosted devices. DNS allows us to use http://www.google.com instead of http://126.96.36.199/ to initiate a search. In short, it is the Internet's primary directory service.
The DNS system that services the Internet is a distributed system anchored by a collection of root name servers that are dispersed throughout the world. Under the root servers are top-level domains (.com, .org, .net), followed by second-level domains (google, TitanHQ, Microsoft). These domains form DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers is assigned to each DNS zone. An authoritative name server can be either a master or a slave server. A master contains the original read/write copies of zone records, while a slave maintains only readable copies of the master records that are updated through replication.
DNS servers use TCP port 53 for zone transfers in order to keep slaves synced with the master zone file. Intruders can use this mechanism to download the contents of a name server's zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized slave name server. Port 53 is often used to tunnel unauthorized traffic, and suspicious traffic on it should be scrutinized.
What is Reverse DNS?
A reverse DNS lookup or reverse DNS resolution (rDNS) is the querying of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the standard "forward" DNS lookup of an IP address from a domain name.
This is often useful in determining the legitimacy of an IP address. For example, one of the content tests carried out by the SpamTitan spam filter is to match forward and reverse DNS entries, ensuring that the A record, the IP address and the PTR record agree with one another.
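The forward-confirmed reverse DNS test described above, written out as an added example that is not SpamTitan's code or any code from the original post. The lookups are injected as functions so the check runs offline against constructed A and PTR data; the host names and addresses are placeholders from the documentation ranges.

```python
# Added example (not the post's or SpamTitan's code): a forward-confirmed
# reverse DNS (FCrDNS) check with lookups injected so it runs offline.
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed sample data standing in for real A and PTR records.
FORWARD = {  # name -> A records
    "mail.example.test": ["192.0.2.10", "192.0.2.11"],
    "mx.other.test": ["198.51.100.5"],
}
REVERSE = {  # IP -> PTR names
    "192.0.2.10": ["mail.example.test"],
    "198.51.100.5": ["mx.other.test"],
    "203.0.113.7": ["mail.example.test"],   # PTR claims a name that does not point back
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa / ip6.arpa name that is queried for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], list[str]],
           a_lookup: Callable[[str], list[str]]) -> tuple[bool, str]:
    """Return (passed, reason).

    Passes only if some PTR name for the IP has an A record that contains the
    same IP again.  A PTR with no forward record, or one whose forward records
    point elsewhere, is the classic sign of a forged or misconfigured sender:
    anyone can publish a PTR for address space they control, but only the
    domain owner can make the forward record agree.
    """
    ptr_names = ptr_lookup(ip)
    if not ptr_names:
        return False, "no PTR record"
    for name in ptr_names:
        if ip in a_lookup(name):
            return True, f"{ip} -> {name} -> {ip}"
    return False, "PTR name(s) do not resolve back to the IP: " + ", ".join(ptr_names)


def sample_ptr(ip: str) -> list[str]:
    """Offline stand-in for a PTR query against the constructed data."""
    return REVERSE.get(ip, [])


def sample_a(name: str) -> list[str]:
    """Offline stand-in for an A query against the constructed data."""
    return FORWARD.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "192.0.2.99"):
        print(ip, reverse_name(ip), fcrdns(ip, sample_ptr, sample_a))
```

Against live DNS you would pass real resolver calls in place of `sample_ptr` and `sample_a` (with dnspython, for instance, a lambda that queries `reverse_name(ip)` for PTR and the returned name for A). Keeping the lookups injectable is what makes the test itself unit-testable.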
The Association of DHCP and DNS
For IPv4, DNS is most often tightly integrated with Dynamic Host Configuration Protocol (DHCP). A DHCP server automatically provides IP addresses to DHCP-enabled clients, along with other information such as the identity of the DNS name servers. Securing DNS therefore also requires protecting your DHCP infrastructure. Depending on IPv6 network configuration, DHCP may or may not provide DNS information, as the Router Advertisement (RA) message can provide this information instead.
DNS is a double-edged sword, largely because the DNS infrastructure was not designed with security in mind, which leaves it vulnerable to these types of attacks:
Dynamic DNS (DDNS)
While DDNS serves the legitimate function of allowing the address behind a domain name to change quickly and of hosting services on temporary addresses, it is abused by botnet operators and phishers, who change addresses rapidly to avoid detection.
Fast Flux DNS
This is another way in which cybercriminals can rapidly alter DNS addresses in order to hide malware and phishing delivery sites behind an ever-changing network of compromised hosts acting as proxies.
A related flooding technique is the Smurf attack (named after the DDoS Smurf malware). It is a distributed denial-of-service attack in which large numbers of ICMP packets carrying the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
DNS Amplification
This popular form of DDoS relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. It is also referred to as a "DRDoS Attack" (Distributed Reflection and Amplification Denial of Service).
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is the purposeful overload of a device to make it unavailable to legitimate traffic. A DDoS usually originates from large numbers of bots or zombie PCs under the control of one central machine; such a collection is called a botnet. The motivation behind these attacks can be to bring down a business competitor, or a form of ransomware in which the victim must pay up in order to stop the packet onslaught. One of the largest attacks on record was the Spamhaus attack of March 2013, which involved over 30,000 DNS resolvers. Traditional security methods are configured to throttle packets from a designated IP address that initiates high amounts of traffic. In the case of Spamhaus, the attackers used an enormous number of different IP addresses, so throttling was never triggered. You can read more about Spamhaus here.
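What reflection and amplification look like from the resolver's own logs, as an added example that is not part of the original post and not any vendor's detection code. The log format and every line in it are constructed for this example; it aggregates bytes per source address and flags sources that are both bursty and heavily amplified, which also covers the later advice to watch for clients consuming unusual bandwidth.

```python
# Added example (not from the original post): detection logic that scans a
# resolver query log for the signature of an amplification attack.  The log
# format and the sample lines are constructed for this example.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)$"
)

# Constructed sample log.  203.0.113.9 is a spoofed source: the resolver sees
# the victim's address "sending" a burst of ANY queries for one name whose
# responses are about 50x the size of the query.
SAMPLE_LOG = """\
12:00:00.001 client=192.0.2.20 qname=www.example.test qtype=A qlen=45 rlen=61
12:00:00.002 client=203.0.113.9 qname=big.example.test qtype=ANY qlen=64 rlen=3200
12:00:00.003 client=203.0.113.9 qname=big.example.test qtype=ANY qlen=64 rlen=3200
12:00:00.004 client=203.0.113.9 qname=big.example.test qtype=ANY qlen=64 rlen=3200
12:00:00.005 client=192.0.2.21 qname=mail.example.test qtype=MX qlen=47 rlen=120
12:00:00.006 client=203.0.113.9 qname=big.example.test qtype=ANY qlen=64 rlen=3200
12:00:00.007 client=203.0.113.9 qname=big.example.test qtype=ANY qlen=64 rlen=3200
"""


@dataclass
class ClientStats:
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    qtypes: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received: the reflector's amplification factor."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_log(text: str) -> dict[str, ClientStats]:
    """Aggregate query/response sizes per source address."""
    stats: dict[str, ClientStats] = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that do not fit the constructed format
        s = stats[m["client"]]
        s.queries += 1
        s.query_bytes += int(m["qlen"])
        s.response_bytes += int(m["rlen"])
        s.qtypes[m["qtype"]] += 1
    return stats


def suspicious_clients(stats: dict[str, ClientStats],
                       min_queries: int = 3, min_amplification: float = 10.0) -> list[str]:
    """Flag sources whose traffic is both bursty and heavily amplified.

    One large response is normal (a zone with many records); a stream of them
    to a single address with a high byte ratio is what reflection looks like
    from the resolver's side.  Note that the flagged address is the victim,
    not the attacker, which is why the remedy is rate limiting and recursion
    ACLs rather than blocklisting the source.
    """
    return sorted(
        client for client, s in stats.items()
        if s.queries >= min_queries and s.amplification >= min_amplification
    )


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for client in suspicious_clients(stats):
        s = stats[client]
        print(f"{client}: {s.queries} queries, amplification x{s.amplification:.1f}, "
              f"types={dict(s.qtypes)}")
```

The thresholds are constructed values; in practice they are tuned per resolver, and the per-client byte totals the parser accumulates are the same numbers you would graph when monitoring for clients using unusual amounts of bandwidth.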
Preventing a DNS attack
DNS can be configured to mitigate common DNS security issues. According to the Open Resolver Project, "Open resolvers pose a significant threat to the global network infrastructure". (http://openresolverproject.org) Keep your DNS server from being an open resolver and restrict its ability to respond to recursive DNS requests from just any address on the Internet. Only allow in-house recursive servers to answer queries from the IP subnets used by your company. (This includes customer ranges as well if you are operating an extranet.) Keep in mind, however, that many (if not most) DNS resolvers across the Internet are open resolvers, either because they have not been secured or because they are meant to be open to the public, such as Comodo's service. To test your IP address for open resolvers, see http://www.thinkbroadband.com/tools/dnscheck.html
Although there is no sure-fire way to preclude a DNS attack, the following measures can minimize the odds:
DNS blocking used for security against phishing and spam can help preclude DNS attacks. This mechanism makes it difficult for clients on your network to resolve domains or websites that are known to be malicious.
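The access rules behind "do not be an open resolver" and the earlier advice to refuse zone transfers from anything but authorized slaves, modelled as an added example that is not code from the original post and not BIND's or any server's implementation. The policy object stands in for a name server's access control lists; the zone, subnets and secondary addresses are constructed placeholders.

```python
# Added example (not from the original post, and not a real name server's
# code): the access decisions an authoritative-plus-recursive server should
# make, written in Python so the rules can be tested.  Subnets and secondary
# server addresses are constructed placeholders.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ServerPolicy:
    # Zones this server is authoritative for: answered for anyone, by design.
    authoritative_zones: tuple[str, ...]
    # Only these prefixes may ask us to recurse; 0.0.0.0/0 here is an open resolver.
    recursion_allowed: tuple[IPNetwork, ...]
    # Only these hosts (our secondaries) may request a zone transfer.
    transfer_allowed: tuple[IPNetwork, ...]


def in_any(ip: str, nets: tuple[IPNetwork, ...]) -> bool:
    """True if ip falls inside any of the listed prefixes (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_in_zone(qname: str, zone: str) -> bool:
    """Label-boundary suffix match: 'www.example.test' is in 'example.test'."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def decide(policy: ServerPolicy, client_ip: str, qname: str, qtype: str, rd: bool) -> str:
    """Return 'ANSWER' or 'REFUSED' for one query.

    rd is the Recursion Desired flag from the query header.
    """
    # Zone transfers (AXFR/IXFR) hand over the whole zone: only listed secondaries.
    if qtype in ("AXFR", "IXFR"):
        return "ANSWER" if in_any(client_ip, policy.transfer_allowed) else "REFUSED"
    if any(is_in_zone(qname, z) for z in policy.authoritative_zones):
        return "ANSWER"   # our own public data
    # Not our zone: answering means recursing on the client's behalf, which is
    # exactly the service an amplification attacker wants from an open resolver.
    if rd and in_any(client_ip, policy.recursion_allowed):
        return "ANSWER"
    return "REFUSED"


def is_open_resolver(policy: ServerPolicy) -> bool:
    """True when recursion is permitted from the entire address space."""
    return any(net.prefixlen == 0 for net in policy.recursion_allowed)


# Constructed policy for a company network with one IPv4 and one IPv6 secondary.
COMPANY = ServerPolicy(
    authoritative_zones=("example.test",),
    recursion_allowed=(ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("2001:db8::/32")),
    transfer_allowed=(ipaddress.ip_network("198.51.100.2/32"),
                      ipaddress.ip_network("2001:db8:1::53/128")),
)
# Constructed misconfiguration: recursion for the whole Internet.
OPEN = ServerPolicy(("example.test",), (ipaddress.ip_network("0.0.0.0/0"),), ())

if __name__ == "__main__":
    print("open resolver?", is_open_resolver(COMPANY), is_open_resolver(OPEN))
    print(decide(COMPANY, "203.0.113.5", "www.google.test", "A", True))   # REFUSED
    print(decide(COMPANY, "10.1.2.3", "example.test", "AXFR", False))       # REFUSED
```

The three branches map directly onto the three ACLs a server exposes: who may transfer the zone, who may recurse, and (implicitly) everyone for authoritative data. Checking the AXFR case first matters, because a transfer request for your own zone is still an authoritative query and would otherwise fall through to the "answer anyone" branch.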
Configure your authoritative DNS servers to use DNS response rate limiting.
DNS traffic should be throttled depending on the type of DNS packet. For example, a zone transfer reply would have a higher threshold than a reply for the name of the DNS server.
Work with your Internet provider to block or throttle traffic you do not want on your network, if possible.
Monitor your network and make note of client IPs using unusual amounts of bandwidth.
Publicly exposed sites should be load balanced and include resource reserves for additional bandwidth and CPU cycles in order to handle increased loads caused by an attack. Google endorses this practice.
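The response rate limiting and per-packet-type throttling recommended in the list above, as an added example that is not code from the original post and not BIND's RRL implementation. It keeps a fixed-window counter per (client, response type) with a separate budget for each type, and "slips" a truncated reply on every second over-limit query; the budgets and window are constructed values, not tuning recommendations.

```python
# Added example (not from the original post, not BIND's RRL code): a per-client,
# per-response-type rate limiter of the kind the advice above describes.
# Limits are constructed values, not recommendations.
from __future__ import annotations

from collections import defaultdict

# Constructed per-type budgets (responses per window).  Bulky responses that
# a client should rarely need get the smallest budget.
LIMITS = {
    "A": 20,
    "AAAA": 20,
    "MX": 10,
    "NS": 5,        # "reply for the name of the DNS server" in the text
    "ANY": 2,       # favourite of amplification attacks
    "AXFR": 1,      # a legitimate secondary needs at most one per refresh
}
DEFAULT_LIMIT = 10
WINDOW = 1.0        # seconds


class ResponseRateLimiter:
    """Fixed-window counter keyed by (client, response type).

    decide() returns 'send' while the client is within budget for that type.
    Over budget it alternates 'drop' and 'slip': a slipped reply is sent with
    the TC (truncated) bit so a genuine client retries over TCP, which a
    spoofed source cannot complete, while a reflected victim receives only a
    tiny packet instead of the full amplified response.
    """

    def __init__(self, limits=LIMITS, default=DEFAULT_LIMIT, window=WINDOW, slip_every=2):
        self.limits = limits
        self.default = default
        self.window = window
        self.slip_every = slip_every
        # (client, rtype) -> [window start, sent in window, over-limit in window]
        self._state: dict[tuple[str, str], list] = defaultdict(lambda: [None, 0, 0])

    def decide(self, client: str, rtype: str, now: float) -> str:
        state = self._state[(client, rtype)]
        if state[0] is None or now - state[0] >= self.window:
            state[0], state[1], state[2] = now, 0, 0        # start a fresh window
        limit = self.limits.get(rtype, self.default)
        if state[1] < limit:
            state[1] += 1
            return "send"
        state[2] += 1
        # Every slip_every-th over-limit query gets a truncated reply instead of silence.
        return "slip" if state[2] % self.slip_every == 0 else "drop"


if __name__ == "__main__":
    rl = ResponseRateLimiter()
    # Constructed burst: six ANY queries from one address within one second.
    print([rl.decide("203.0.113.9", "ANY", 0.1 * i) for i in range(6)])
    print(rl.decide("203.0.113.9", "A", 0.5))      # separate budget per type
    print(rl.decide("203.0.113.9", "ANY", 1.5))    # new window, budget restored
```

Keying the counter by response type is what lets a server keep answering ordinary A lookups for a client while clamping down on the ANY and transfer responses that carry the amplification risk.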
For any organization that takes network security seriously, the protection of their DNS infrastructure should be a vital part of their enterprise security plan. A little time and effort spent on DNS security can provide immediate and significant security benefits.
Thanks to TitanHQ for this post.