DNS Security, A Never-Ending Story
There is no internet without DNS, but the same DNS enables malicious activity and provides a very attractive target for attackers.
The Domain Name System (DNS) is the essential Internet phone book, mapping human-readable host names into machine-readable IP addresses. Without DNS, the Internet cannot function. When their DNS service is degraded or stopped, online businesses are disrupted, they lose revenue, and their reputation is on the line.
The tremendous impact of DNS attacks was evident in October 2016, when a Mirai DDoS attack targeted DynDNS and took down Twitter, Reddit, Spotify, Github and many other popular internet services in the US for hours.
The DDoS attack against Amazon Web Services (AWS)’s Route 53 in October 2019 prevented customers from accessing AWS-hosted services for eight hours.
Why is DNS So Attractive for Attackers?
Attackers have developed techniques that exploit the DNS’ hierarchical infrastructure weaknesses and protocol vulnerabilities for mounting attacks against DNS services, targeting either recursive resolvers or authoritative servers. But what makes DNS such an attractive attack vector?
1. DNS is Open to Everyone
The DNS infrastructure must be open and accessible to anyone to keep the internet functioning. Private networks need to allow at least outbound DNS communication to enable internet services for their users. This openness provides access for everyone, including attackers. Tunneling techniques can be used by attackers to encapsulate data within the DNS protocol for various purposes such as exfiltration of confidential data or covert messaging with Command-and-Control servers.
2. The Amplification Effect
DNS queries typically return relatively small responses. However, a specially crafted DNS request can return a response that is between 50 to 100 times the size of the request. Attackers use this DNS feature to amplify DDoS attacks and achieve higher attack volumes.
3. Reflection and DNS Spoofing
DNS is a stateless protocol that largely relies on UDP to ensure scalable and fast operation. This makes DNS very attractive for attackers, who can easily hide their identity by spoofing. Any attacker can craft a query to target a third-party victim. Combining this spoofing technique with amplification results in very large response floods towards the victim.
4. Recursive Resolver is an Easy Target
The role of the DNS recursive resolver is to provide the hostname-to-IP translation service for users and devices. The recursive resolver queries the DNS hierarchy from the root level through the top-level domains until the domain’s name server is reached. The resolution process is iterative, in the sense that the recursive resolver completes a query-response cycle for each level in the hierarchy until the name server is reached. Each domain server in the hierarchy delegates the next domain level as the next target for the recursive resolver, and so on until the host. For efficiency, the recursive resolver caches the response to avoid a full iterative process the next time it is queried for this domain name.
5. NXDomain Attack and Negative Caching
In an NXDomain attack, also known as the random subdomains attack or DNS water torture, the attacker crafts queries with randomly generated sub-domains of a target domain. These randomly generated sub-domains will not exist in the recursive resolver’s cache, thus causing the recursive resolver to contact the authoritative DNS for the target domain using the full iterative process described above.
The NXDomain attack technique was used in the Mirai IoT attack on DynDNS in October 2016. A large army of Mirai bots targeted a specific victim’s domain by overwhelming its domain name servers with bogus requests, causing a denial of service for the victim but also causing a large amount of collateral damage on other domains served by the same name service.
The NXDomain attack technique can also target the recursive resolver itself. Every query for a random sub-domain is a cache miss, which forces an iterative query into the DNS hierarchy and causes critical performance degradation. It also leads to negative caching: the resolver’s cache is drained by the random and useless responses caused by the attack. Negative caching impairs the recursive resolver’s efficiency and its resiliency against such attacks, thus making the attack impact even worse.
6. NXNSAttack
On May 19, 2020, academics from the Tel Aviv University and The Interdisciplinary Center in Israel discovered a vulnerability in the implementation of DNS recursive resolvers that can be abused to launch disruptive DDoS attacks against any victim. The attack leveraging the vulnerability has been dubbed NXNSAttack by the researchers. Radware published a detailed threat advisory here.
Unlike DDoS floods or application-level DDoS attacks that directly target and impact a host or a service, the NXNSAttack targets the domain name resolution capability of its victims. Like the NXDOMAIN or DNS Water Torture attack, the DDoS attack is aimed at disrupting the authoritative servers of the domain by overloading them with invalid requests using random domain request floods through recursive DNS resolvers. This attack is hard to detect and mitigate at the authoritative server because the requests originate from legitimate recursive DNS servers.
By disrupting name resolution for the domain, attackers effectively block access to all services provided under the domain. New clients will not be able to resolve the hostname of the service while under attack because they have no way of locating the IP address to connect to the service.
Unlike the limited 3x packet amplification factor of the NXDOMAIN attack, the NXNSAttack provides packet amplification factors ranging from 74x when attacking a subdomain (victim.com) up to 1621x when targeting a recursive resolver. The bandwidth amplification factors range between 21x for subdomain attacks and 163x when targeting a recursive resolver. Targeting root and top-level domain servers results in a packet amplification factor of 1071x and a bandwidth amplification factor of 99x. With high amplification rates and flexible targeting, NXNSAttack is a very capable attack vector which can be performed at scale.
Researchers have since disclosed the vulnerability and approached vendors and providers who have already patched their software and servers. Even with this disclosure, it is safe to assume that not all recursive resolvers, private and public, have been or ever will be patched. Therefore, this vector is still a major threat that can have destructive impact on the DNS infrastructure.
The Long Story of DNS Security
DNS Security Extensions (DNSSEC) were introduced in 2005 through RFC 4033, RFC 4034, and RFC 4035 in an attempt to preclude spoofing and man-in-the-middle attacks. While DNSSEC is aimed at providing origin authentication and data integrity, it does not address availability or confidentiality. Furthermore, DNSSEC adoption remains a long-term challenge and has been slow. DNSSEC is enabled on most top-level domains (TLDs), but it is not widely used beyond TLDs.
Another DNS enhancement was proposed in 2018 as DNS over HTTPS or DoH (RFC 8484). DoH’s aim is to increase the privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks.
Both DNSSEC and DoH can help with authentication, privacy and integrity; however, they cannot protect from query floods, NXDomain or NXNSAttack floods. In some cases, DNSSEC and DoH can cause more damage than good, as they help malicious actors to better hide and make it harder for middle-box security providers to detect and block malicious or random domain names.
What Can You Do to Ensure the Availability and Security of Your DNS?
So, what can an organization do to ensure DNS availability and secure the DNS infrastructure?
- Secure the “Perimeter”—As demonstrated over and over, volumetric DNS attacks threaten the entire infrastructure and can saturate the ingress pipe. Provisioning DNS security solutions only inside the network is useless against such threats. A competent perimeter security solution for DNS is key to protecting this critical infrastructure.
- Use “Stateless” Security—High-volume floods can consume the resources of stateful devices such as DNS firewalls and DNS servers. In order to protect from such floods, you need a “Stateless” security solution.
- Accurate Detection—The DNS security solution must make an accurate distinction in real time between good and bad DNS requests and then permit only the good DNS requests to the protected servers. Achieving high detection accuracy requires use of behavioral algorithms that can detect and mitigate emerging zero-day DNS attacks.
- Early Detection—DNS firewalls and other stateful security systems require bi-directional traffic tracking for applying security. These solutions often rely on “bad” DNS responses (i.e., NXDomain) for detection. In some scenarios, as explained above, the DNS server can be severely impacted by bogus requests before the returning “bad” responses give any indication of the attack. You need a security solution that relies on ingress detection, namely a solution that can detect and mitigate an attack based on ingress requests only and prevent the bad queries from entering your DNS infrastructure to begin with.
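As an added example (not code from the article or from Radware), the ingress-only detection the “Early Detection” bullet calls for, applied to the random-subdomain pattern described under the NXDomain attack above: it flags a zone from the queries alone, before any NXDOMAIN responses come back. The query log is constructed, and the two-label zone split and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of ingress query log lines, "<client_ip> <qname> <qtype>" (not from the article).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.6 mail.example.com MX
198.51.100.7 x7k2q9pz.example.com A
198.51.100.8 m3n8v1ta.example.com A
198.51.100.9 q0w9e8rt.example.com A
198.51.100.10 zz91kd0a.example.com A
198.51.100.11 p2l5s7hj.example.com A
10.0.0.5 www.example.com A
10.0.0.7 api.example.com A
198.51.100.12 b4c6d8ef.example.com A
10.0.0.5 www.example.org A
"""

def label_entropy(label: str) -> float:
    """Shannon entropy in bits/char; a generated 8-char label with distinct chars scores 3.0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def zone_of(qname: str) -> str:
    """Assumption: the protected zone is the last two labels (no public-suffix list handling)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def detect_random_subdomains(log: str, min_queries: int = 8,
                             ratio: float = 0.5, entropy_min: float = 2.5) -> dict:
    """Flag zones whose ingress queries look like an NXDomain / water-torture flood.

    Works from requests only: no NXDOMAIN responses are needed, so the flood can be
    spotted before the authoritative server is overwhelmed. A zone is flagged when at
    least `ratio` of its queries carry a never-seen, high-entropy leftmost label.
    """
    per_zone = defaultdict(lambda: {"queries": 0, "labels": set(), "random": 0})
    for line in log.strip().splitlines():
        _client, qname, _qtype = line.split()
        qname = qname.lower().rstrip(".")
        zone = zone_of(qname)
        leftmost = qname.split(".")[0] if qname != zone else ""
        s = per_zone[zone]
        s["queries"] += 1
        if leftmost not in s["labels"] and label_entropy(leftmost) >= entropy_min:
            s["random"] += 1  # new, generated-looking label: a guaranteed cache miss
        s["labels"].add(leftmost)
    return {
        zone: {"queries": s["queries"], "random_ratio": round(s["random"] / s["queries"], 2)}
        for zone, s in per_zone.items()
        if s["queries"] >= min_queries and s["random"] / s["queries"] >= ratio
    }
```

Flagged zones can then be rate-limited or have their generated-looking queries dropped at the perimeter, while the legitimate names (www, mail, api) keep resolving.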
The DNS infrastructure is critical to any organization and to the Internet’s normal operation.
Not securing the DNS infrastructure properly is like leaving an open window for cyber criminals—offering them free access to your network and your resources and risking your online business’ availability.