DNS Security
- to ensure DNS security on a private network:
- local DNS servers should only accept recursive queries from local hosts
- preferably authenticated local hosts
- implement access control measures on the server
- to prevent a malicious user from altering records manually
- clients should be restricted to using authorized resolvers to perform name resolution
- local DNS servers should only accept recursive queries from local hosts
- DNS should be configured to resist spoofing and poisoning attacks
- threat actor changes the record returned by a DNS query to point to different IP address, potentially a malicious machine
- Many DNS services run on BIND (Berkley Internet Name Domain)
- distributed by the Internet Systems Consortium (isc.org)
- are known vulnerabilities in many versions of the BIND server
- critical to patch the server to the latest version
- DNS footprinting
- means obtaining information about a private network by
- using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS
- or simply by querying the DNS service using a tool such as
nslookupordig
- to prevent:
- apply an access control list to prevent zone transfers to unauthorized hosts or domains
- means obtaining information about a private network by
DNS Security Extensions
DNS Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks on DNS servers by providing a validation process for DNS responses.
- when enabled, the authoritative server for the zone creates a package of resource records (called RRset) signed with a private key (the Zone Signing Key)
- when another server requests a secure record exchange,
- the authoritative server returns the package along with its public key, which is used to verify the signature
- the public Zone Signing Key is itself signed with a separate Key Signing Key
- separate keys are used so that if there is some sort of compromise of the Zone Signing Key,
- the domain can continue to operate securely by revoking the compromised key and issuing a new one
- separate keys are used so that if there is some sort of compromise of the Zone Signing Key,
- the Key Signing Key for a particular domain is validated by the parent domain or host ISP
- the top-level domain trusts are validated by the Regional Internet Registries
- the DNS root servers are self-validated
- using a type of M-of-N control group signing key
- establishes a chain of trust from the root servers down to any particular subdomain
DNS Client Security
DNS client security uses transport encryption to prevent an on-path threat actor tampering with responses to DNS queries.
- whereas DNSSEC validates records held by a name server
- two protocols for securing DNS queries:
- DNS over transport layer security (DoT)
- uses Transport Layer Security (TLS) to validate resolver name server’s digital certificate
- mitigates the risk of a threat actor using a rogue DNS server to spoof the legitimate one
- if the client trusts the certificate, the subsequent DNS traffic will be encrypted
- works over TCP port 853
- DNS over hypertext transfer protocol secure (DoH)
- validates the resolver certificate and encrypts the DNS traffic by encapsulating it within HTTP Secure packets
- uses the HTTPS standard port TCP/443
- completely disguises the fact that the client is making DNS queries
- downside is that the additional HTTP headers add overhead to each query and response
- DNS over transport layer security (DoT)
Info
- DoH and DoT provide better privacy
- in addition to protecting against malicious attacks
- plain text queries can be read by anyone operating a network appliance in the path between the client and resolver
- encrypting the queries and responses prevents this snooping
- conversely, admins of a corporate network need to ensure that clients use the authorized resolvers
- will often prefer to monitor DNS traffic