DNS protection means safeguarding the DNS service as a whole, usually with an emphasis on security. DNS security can be divided into two concerns: protecting the DNS service itself (resolvers, authoritative servers and the data they serve) and using DNS to protect the organization's overall security posture.
Why is DNS security important?
Standard DNS queries, which practically all online traffic depends on, are sent and answered without any authentication, which opens the door to attacks such as DNS hijacking and man-in-the-middle interception. These attacks can reroute a website's inbound traffic to a bogus copy of the site that harvests credentials and other sensitive user information, exposing enterprises to significant liability. Deploying DNSSEC is one of the best-known defenses against attacks that forge or alter DNS answers in transit or in a resolver's cache.
What Is DNSSEC?
Like many internet protocols, DNS was not designed with security in mind and contains several design limitations. These limitations, combined with the ease of forging UDP packets and the computing power now available to attackers, make it easy to hijack a DNS lookup for malicious purposes, such as sending a user to a fraudulent website that distributes malware or collects personal information. The DNS Security Extensions (DNSSEC) are a set of protocol extensions created to mitigate this problem. DNSSEC protects against these attacks by digitally signing DNS data so that a validating resolver can verify its origin and integrity; note that it authenticates the data but does not encrypt it. For a lookup to be fully validated, the signing must happen at every level of the DNS hierarchy, from the root zone down to the zone being queried.
This signing process is similar to someone signing a legal document with a pen: the signer produces a unique signature that no one else can create, and an expert can later examine that signature and verify that the document was signed by that person. DNSSEC signatures let a validating resolver confirm that the data came from the holder of the zone's signing key and has not been tampered with on the way.
DNSSEC implements a hierarchical signing scheme across all layers of DNS. Each zone signs its own records with its private key and publishes the matching public key in a DNSKEY record; the parent zone vouches for that key by publishing a DS record (a digest of the child's key signing key) signed with the parent's own key. In the case of a 'google.com' lookup, for example, the root zone would publish and sign a DS record for the .COM zone's key, and the .COM zone would publish and sign a DS record for google.com's key, provided the google.com zone is itself signed.
While increased security is always preferable, DNSSEC is designed to be backwards-compatible: resolvers that do not validate still receive ordinary answers and standard lookups continue to resolve correctly, just without the added protection. DNSSEC is intended to work alongside other security measures such as SSL/TLS as part of a comprehensive Internet security strategy; DNSSEC authenticates the mapping from a name to an address, while TLS authenticates and encrypts the connection to the server that address points to.
DNSSEC establishes a chain of trust that extends all the way up to the root zone. The chain must be intact at every level: if a zone along the path is unsigned or its parent publishes no DS record for it, everything beneath that point is treated as insecure and resolves as ordinary, unauthenticated DNS that is vulnerable to man-in-the-middle tampering; if a DS record exists but the child's signatures fail to verify, a validating resolver rejects the answer altogether.
To complete the chain of trust, the root zone itself must be authenticated (shown to be free of tampering or fraud). The root has no parent to vouch for it, so its key signing key (KSK) serves as the trust anchor that validating resolvers are configured with directly, and use of that key is controlled through a human process. In what is known as a Root Zone Signing Ceremony, selected individuals from around the world gather to use the root KSK to sign the root zone's DNSKEY RRset in a public and audited manner.
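The parent-to-child link in that chain is the DS record: a digest of the child's key signing key, published and signed by the parent. The Python below is an added example, not code from the original page, and it computes the key tag and DS digest exactly as RFC 4034 specifies, so for a real DNSKEY it would produce the values the parent publishes; the zone name and key bytes it uses are constructed placeholders rather than a real key.

```python
import hashlib
import struct

# Constructed example DNSKEY (not a real key): flags 257 marks a key signing
# key (KSK), protocol is always 3, algorithm 13 is ECDSAP256SHA256, and the
# 64 public-key bytes are filler chosen for this illustration only.
EXAMPLE_ZONE = "Example.COM."
EXAMPLE_FLAGS = 257
EXAMPLE_ALGORITHM = 13
EXAMPLE_PUBKEY = bytes(range(1, 65))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2): labels
    lowercased, each prefixed by its length, ending with the empty root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B; used for every algorithm except
    the obsolete RSA/MD5). It is a checksum used only to pick the candidate key
    quickly; the DS digest is the actual proof of the link."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Digest type 2 is SHA-256, type 4 is SHA-384 (type 1, SHA-1, is deprecated)."""
    if digest_type == 2:
        h = hashlib.sha256()
    elif digest_type == 4:
        h = hashlib.sha384()
    else:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2):
    """What the child zone operator hands to the parent and the parent publishes:
    (key tag, algorithm, digest type, digest), the fields of a DS record."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """The validator's link check: the parent's signed DS must match the child's
    DNSKEY exactly; any change to the key changes the digest and breaks the chain."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    if alg != algorithm or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, dtype) == digest


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_ZONE, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY)
    print("DS for example.com:", ds)
    print("genuine key matches:",
          ds_matches_dnskey(ds, "example.com", EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY))
    tampered = EXAMPLE_PUBKEY[:-1] + bytes([EXAMPLE_PUBKEY[-1] ^ 1])
    print("tampered key matches:",
          ds_matches_dnskey(ds, "example.com", EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, tampered))
```

To check a live zone, pass the flags, algorithm and base64-decoded key from the zone's DNSKEY record to `make_ds` and compare the result with the DS record the parent serves; a mismatch means the parent has not vouched for that key and validating resolvers will not trust it.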
What are some common attacks involving DNS?
DNSSEC is a robust security technology, but it is still far from universally deployed. That limited adoption, combined with other weaknesses in the protocol and the fact that DNS sits in the path of the majority of internet requests, makes DNS a prime target for malicious attacks.
Here are some of the most common ways that attackers target and exploit DNS:
DNS spoofing/cache poisoning: This is an attack in which forged DNS data is inserted into a recursive resolver's cache, causing the resolver to return a wrong IP address for a domain to every client that asks until the entry expires. Instead of reaching the right website, traffic is diverted to a machine of the attacker's choosing; frequently this is a clone of the original site used for malicious purposes such as distributing malware or collecting login credentials. Classic DNS runs over UDP and a resolver matches a reply to its query using only a 16-bit transaction ID, the source port and the question, so an attacker who can guess or observe those values can race the legitimate answer. Randomizing the source port, validating DNSSEC signatures and ignoring records that fall outside the answering server's authority (its "bailiwick") are the standard mitigations.
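The two resolver-side checks that matter most here, matching a reply to its outstanding query and refusing records the answering server has no authority over, are short enough to show directly. The Python below is an added example, not code from the original page: a deliberately simplified model of a resolver cache (no TTLs, no DNSSEC) with a switch that turns the bailiwick check off so the planted record can be seen landing in the cache. All names, addresses and the reply structure are constructed for the illustration.

```python
import random
from dataclasses import dataclass


# Constructed, simplified model of a recursive resolver's cache. Real resolvers
# also handle TTLs, data ranking (RFC 2181) and DNSSEC; only the checks that
# matter for cache poisoning are modelled here.
@dataclass
class Query:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str
    qtype: str
    zone: str        # zone the queried authoritative server is responsible for


@dataclass
class Reply:
    txid: int
    dst_port: int    # port the reply was addressed to
    qname: str
    qtype: str
    records: list    # list of (name, type, value) from answer and additional sections


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone, so zone's server may speak for it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, bailiwick_check: bool = True):
        self.bailiwick_check = bailiwick_check
        self.entries = {}      # (name, type) -> value
        self.pending = {}      # (txid, src_port) -> Query
        self.rng = random.SystemRandom()

    def send_query(self, qname: str, qtype: str, zone: str) -> Query:
        """Random TXID and random source port. Without port randomization the
        attacker only has to guess 16 bits, which is why forged floods worked."""
        q = Query(self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16),
                  qname, qtype, zone)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def accept(self, reply: Reply) -> bool:
        """Returns True if any record from the reply was cached."""
        q = self.pending.get((reply.txid, reply.dst_port))
        if q is None or (q.qname.lower(), q.qtype) != (reply.qname.lower(), reply.qtype):
            return False          # unknown TXID/port or question mismatch: drop silently
        cached = False
        for name, rtype, value in reply.records:
            if self.bailiwick_check and not in_bailiwick(name, q.zone):
                continue          # example.com's server may not tell us about bank.example
            self.entries[(name.lower().rstrip("."), rtype)] = value
            cached = True
        del self.pending[(reply.txid, reply.dst_port)]
        return cached

    def lookup(self, name: str, rtype: str):
        return self.entries.get((name.lower().rstrip("."), rtype))


def poisoning_demo(bailiwick_check: bool) -> dict:
    """Query example.com's server, feed the cache a forged reply with the wrong
    TXID, then a genuine-looking reply carrying a planted out-of-bailiwick record."""
    cache = ResolverCache(bailiwick_check)
    q = cache.send_query("www.example.com.", "A", "example.com.")
    forged = Reply(txid=(q.txid + 1) & 0xFFFF, dst_port=q.src_port,   # TXID guessed wrong
                   qname="www.example.com.", qtype="A",
                   records=[("www.example.com.", "A", "198.51.100.66")])
    forged_ok = cache.accept(forged)
    reply = Reply(txid=q.txid, dst_port=q.src_port, qname="www.example.com.", qtype="A",
                  records=[("www.example.com.", "A", "192.0.2.10"),
                           ("www.bank.example.", "A", "198.51.100.66")])   # planted record
    cache.accept(reply)
    return {"forged_accepted": forged_ok,
            "www": cache.lookup("www.example.com", "A"),
            "bank": cache.lookup("www.bank.example", "A")}


if __name__ == "__main__":
    print("without bailiwick check:", poisoning_demo(False))
    print("with bailiwick check:   ", poisoning_demo(True))
```

With the check disabled the reply from example.com's server plants an address for www.bank.example in the cache, which is exactly the glue-record poisoning that bailiwick rules were introduced to stop; with it enabled only the in-zone answer is kept.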
DNS tunneling: This attack encodes another protocol's traffic inside DNS queries and responses. Data (an SSH or TCP session, HTTP requests, command-and-control messages or stolen information) is typically packed into the labels of long subdomain queries for a domain the attacker controls, and the attacker's authoritative nameserver sends data back in TXT or other response records. Because most networks allow DNS out unconditionally, this traffic passes firewalls that would block the tunneled protocol directly.
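One way to spot tunneling in resolver logs is to look at the part of each query name the client controls, the labels left of the registered domain, which is where tunnels carry their data. The Python below is an added example, not code from the original page: it scores a constructed, simplified query log by subdomain length, character entropy and the number of distinct subdomains per domain. The log format, the thresholds and the "last two labels" approximation of the registered domain are assumptions; tune the thresholds against your own baseline, and use the Public Suffix List in production, since the two-label rule misfires on suffixes such as co.uk.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of a resolver query log in a simplified format (not the
# format of any specific product): timestamp, client, query name, query type.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.google.com. A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.org. MX
2024-05-01T10:00:03Z 10.0.0.9 abcdefghijklmnopqrstuvwxyz234567.exfil.example. TXT
2024-05-01T10:00:03Z 10.0.0.9 bcdefghijklmnopqrstuvwxyz234567a.exfil.example. TXT
2024-05-01T10:00:04Z 10.0.0.9 cdefghijklmnopqrstuvwxyz234567ab.exfil.example. TXT
2024-05-01T10:00:04Z 10.0.0.9 defghijklmnopqrstuvwxyz234567abc.exfil.example. TXT
2024-05-01T10:00:05Z 10.0.0.9 efghijklmnopqrstuvwxyz234567abcd.exfil.example. TXT
2024-05-01T10:00:06Z 10.0.0.5 cdn.example.org. A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qname": m.group(3).lower().rstrip("."), "qtype": m.group(4)}


def shannon_entropy(s: str) -> float:
    """Bits per character. Encoded payloads (base32/base64/hex) score high;
    human-chosen hostnames such as 'www' or 'mail' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_query(qname: str):
    """Approximate the registered domain as the last two labels; everything to
    the left is client-controlled. (Assumption: replace with a Public Suffix
    List lookup for real traffic.)"""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def detect_tunneling(text: str, min_len: int = 20, min_entropy: float = 3.5,
                     min_unique: int = 5) -> dict:
    """Return {base_domain: [reasons]} for domains that look like tunnel endpoints.
    Thresholds are assumptions chosen for this sample, not measured baselines."""
    per_domain = defaultdict(lambda: {"unique": set(), "high_entropy": 0})
    for rec in parse_log(text):
        base, data = split_query(rec["qname"])
        stats = per_domain[base]
        stats["unique"].add(data)
        if len(data) >= min_len and shannon_entropy(data) >= min_entropy:
            stats["high_entropy"] += 1
    findings = {}
    for base, stats in per_domain.items():
        reasons = []
        if stats["high_entropy"]:
            reasons.append("%d long high-entropy subdomains" % stats["high_entropy"])
        if len(stats["unique"]) >= min_unique:
            reasons.append("%d distinct subdomains" % len(stats["unique"]))
        if reasons:
            findings[base] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in detect_tunneling(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Both signals together are more robust than either alone: a CDN can legitimately produce many distinct subdomains, and a single long random label can be a one-off tracking token, but a stream of long high-entropy names under one domain is the characteristic shape of a tunnel.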
DNS hijacking: In DNS hijacking the attacker causes queries to be answered by a nameserver they control, or alters the records on the legitimate one. This can be accomplished with malware that changes a host's resolver settings, by compromising a router or recursive resolver, or by unauthorized changes to the domain's records at its authoritative nameserver or registrar. Although the outcome resembles DNS spoofing, this is a fundamentally distinct attack in that it changes the website's DNS record at its source on the nameserver rather than a copy in a resolver's cache; if the attacker gains control of the zone's signing keys or its delegation at the registrar, DNSSEC validation will not flag the change.