DNS Spoofing : How to Protect Your Organization From It?

DNS Spoofing : How to Protect Your Organization From It?
When you are accessing a website, your computer uses a DNS server to look up the domain name you are trying to access. The proper term for this process is DNS name resolution where DNS server resolves the domain name to the IP address.
 
For example: when you enter "http://www.google.com in your browser, part of the network connection includes resolving the domain name "google.com” into an IP address like 74.125.236.32" web servers. Here the DNS threat is, anyone can spoof DNS in a network. If will put Google’s IP in front of facebook.com (domain name), when someone tries to open facebook.com he will be redirected to google.com.
 

Way to Exploit

In order to achieve DNS Amplification attack, the attacker performs two malicious task,
 
  1. The attacker spoofs the IP address of DNS Resolver (converts domain name to IP address) and replaces it with the victims IP address. This is because all reply of the DNS server will respond back to victims server.
  2. The attacker finds Internet domain registered with many DNS records. Ex domain.example.com, domain1.example.com etc. Then the attacker DNS query to get all records of example.com.
Now the attacker is ready to launch the attack. In order to get all records for example.com with spoofed source IP (victims IP), the attacker sends multiple DNS queries from different computers with different DNS server.
The request that comes from the DNS resolver to resolve the domain name to IP address but as the resolvers IP changed with the victims IP, all the response from the DNS server will go to the source server (victims).
 
Now the attacker got the amplification attack because for the request a large no of response will send to the victim (sometimes 100 times larger). If the server generates 3 Mbps DNS query it amplifies to 300 Mbps in victim side which creates traffic which is the resource consuming task in victim’s side. So, the victim’s side will be so busy to handle the attack which leads to Denial of Service attack.
 

Counter Measures

1. Keep the DNS resolver private and protected. If you operate your own resolver, its usage should be deprived to users on your network to help hinder its cache being poisoned by hackers outside your organization. It should not be unlocked to external users. In order to check for any open resolvers on your network, The Measurement Factory's online tool can be used.
 
2. Configure it to be as secure as possible against cache poisoning. Protections built into DNS software to defend against cache poisoning include adding variability to outgoing requests, to make it difficult for a hacker to get a bogus response accepted. Possible ways of doing this include:
 
  • Using a random source port (instead of UDP port 53)
  • Randomizing the query ID
  • The case of letters of domain names those are sent out to be resolved can be Randomize. (That's because name servers will treat example.com and ExaMPle.com the same when it comes to resolving the IP address, but it will reply using the same case as the original query.)
 
3. Manage and organize your DNS servers privately with security. When it comes to your authenticated servers, you need to decide whether to host them yourself or have them hosted at a service provider or domain registrar. It is advisable to host yourself if you have the skills to do so otherwise it is better to get someone else to do for you. It is not just a matter of expertise, but also of scale.
 
4. If You Host Your Own DNS Servers,
 
  • Don't get a spot by known vulnerabilities. If you run your own name servers (probably BIND or Microsoft DNS), then it's important to keep the OS patched and up-to-date to prevent them being exploited by known vulnerabilities.
  • Separate the authenticated function from the resolving function using different servers. This reduces the possibility of your domains going offline from a denial of service attack.
  • Use a hidden primary master name server. If your primary name server is only used to serve data to slave name servers, this makes it easier to carry out maintenance and upgrades on it without rendering your domain unreachable.
  • Supervise your name servers and their status. Ensure you have visibility into any changes made to them or unexpected behavior. The quicker you can track malicious activity, the less likely your domain can be subverted.
  • Use public key infrastructure (PKI) to protect your server. In the case when you log on to your DNS servers to make changes use digital certificates to authenticate your SSH session.
  • Use a hardened OS or maven DNS appliance. Minimize the attack surface of your DNS servers by closing the ports those are not required and stopping unwanted services. DNS appliances typically offer hardened OS with automatic updates and protection against DOS attacks.
 
5. If You Use a Domain Name Registrar,
 
If your domain name servers are managed by a registrar/ any third party, it's important to confident yourself that their operations and security measures are up to scratch. The following features should be implemented to protect your DNS records.
 
  • Two-factor authentication: If an administrator is social engineered or phished into giving up your DNS account details, your account can still be safe if access depends on a second authentication factor. For example, a security token/dongle or one-time password delivered to a mobile phone.
  • DNS change locking: Some registrars offer specific security functions which have to be carried out before changes can be done to DNS settings. For example, a registrar employee may have to call a specific number to get verification from a named one of your organization before changes can be made.
  • IP-dependent logs in: Some registrars allow you to specify a single/ range of IP addresses from which you can log in to their systems. This won't protect against insider threats, but it can help keep you safe from external hackers. 
  • DNSSEC (Domain Name System Security Extensions): DNSSEC http://www.icann.org/en/about/learning/factsheets/dnssec-qaa-09oct08-en.htm  technology allows DNS information to be digitally signed so that a hacker can't tamper it.
 
No one cares about your security as much as you do. Security of an Organization should be Individual’s concern. So secure yourself hence your Organization.

Authored By - Deepti Nayak
TCS Cyber Security Practice
 
Rate this article: 
0
No votes yet
Article category: