In recent network penetration testing we’ve been seeing a lot of vulnerabilities around companies’ Domain Name System (DNS) servers. With nearly all networked applications (including web browsing, email, eCommerce and IP telephony) relying heavily on DNS, and more and more cyber attacks targeting DNS, this puts organizations at risk of major financial and reputational damage.
DNS servers are like the phone books of the Internet. They maintain a directory of domain names and corresponding Internet Protocol (IP) addresses, and translate back and forth between the two. Domain names are a lot easier for people to remember and type into their browsers, but an IP address is what your browser needs to connect to a web server.
Distributed denial of service (DDoS) attacks that target the DNS can be highly effective and difficult to block. No matter how hardened your web application may be, if your DNS infrastructure is overwhelmed by incoming requests your site will falter or crash. DNS amplification is a twist on DDoS that leverages DNS servers deployed in recursive configurations. Recursion allows DNS servers to pass off domain name resolution to other DNS servers. If access to that recursive DNS server is “open” (unrestricted), however, hackers can use it to multiply the intensity of a DDoS attack. They spoof the source addresses of DNS queries to match their target, then send as many packets as possible to “open” recursive name servers. This greatly increases the number of queries hitting the DNS.
How can you reduce the risk of DNS amplification attacks on your domain name(s)? Start by changing the configuration of any “open” recursive DNS servers you may have, so they can’t be exploited in these attacks. In some situations, you can also configure a recursive DNS server to perform recursive queries only on behalf of pre-authorized IP addresses. You can also work with your ISP to use source IP verification to reject any DNS traffic with spoofed addresses before it reaches your domain. Specialized DDoS mitigation devices and hiring DDoS mitigation services may be options for some organizations.
In DNS cache poisoning, also called DNS spoofing, hackers introduce bogus data into a DNS server’s cache, causing it to return an incorrect IP address and thus divert traffic to a malicious site. Hackers introduce “poison” data into DNS caches by exploiting various vulnerabilities in the DNS software. Your DNS servers must validate that DNS responses they receive from other servers are authentic; otherwise they could cache poison entries and serve them to users.
The most effective way to defend against DNS cache poisoning is to ensure your DNS servers are running the latest software and are configured correctly to use the latest security features. For example, the Domain Name system Security Extensions (DNSSEC) provide secure DNS authentication and thus mitigate the risk of cache poisoning.
What else can you do? Firewalls and intrusion protection systems (IPS) provide some security against DNS attacks, while also blocking attackers from exploiting your servers against others. A network traffic analyzer can also alert you to malicious DNS traffic on your network.
Most SMBs should be able to apply a combination of freeware and well described good practice to improve their security posture against DNS attacks without investing a lot of time or money. If you’re considering Denial of Service vulnerability testing or want some expert guidance on how to protect your vital DNS servers, contact Pivot Point Security.