The importance of the DNS protocol in general is widely understood, particularly in today’s overall security landscape. Anyone who currently manages (or has managed) caching/recursive or authoritative DNS servers knows the pain it causes when they go down. It’s bad. Without available DNS there is no internet, or at least no usable internet. Most, if not all, applications today rely on DNS to locate resources somewhere on the internet in order to function. These apps are also becoming more and more reliant on DNS.
This presents additional challenges for DNS operators, the main one being security. I’m asked about this in nearly every meeting I have with operators around APAC.
How does DNS relate to security?
This is becoming an increasingly common conversation I have with operators. DNS relates to overall security in several ways, some of which may not be well understood. There’s the security of the DNS server itself, which is the known part, but there is also overall network/subscriber security, where DNS simply plays a role in an attack that may not result in DNS being taken offline (think botnets, phishing attacks, etc.). On the first point (the DNS server itself), the DNS protocol has been subjected to a number of high-profile attacks in recent years. The most common DNS-vector attacks that we’ve seen are:
DNS Amplification Attacks
DNS amplification attacks are an attack vector in which small DNS queries, usually (but not limited to) query types such as ‘ANY’ (for DNSSEC-signed domains) and ‘TXT’, are sent to recursive DNS servers with the intent of generating very large responses. The responses are often directed toward a victim using forged source IPs (easy in UDP). The responses can be upwards of 4k in size, which, when compounded thousands of times per second, results in huge traffic volumes. When the source address is set to that of a victim server (DNS is mostly UDP), that server can be inundated with DNS traffic, which can also take out networking equipment such as switches and load balancers, as well as the DNS infrastructure itself.
Protecting DNS servers from amplification attacks is generally achieved using multiple techniques. One method is to rate limit the query types that are commonly used in attacks (e.g., ANY and TXT) to a small, fixed QPS that won’t cause much of an issue. A better approach is to combine this with specific DNS policy (on the servers themselves) that returns a response with the TC (truncated) bit set when the response size is over roughly 1.5k. This adds even more security: the client must retry over TCP, and a forged source address cannot complete a TCP handshake.
What’s important to note is that there are generally two “categories” of amplification domains in use: purpose-built and dual-purpose domains. Domains in the first category are only used for DNS amplification attacks and serve no legitimate purpose. These domains can be blocked using policy (provided the domains are known). The second category is a bit more difficult, since these are otherwise legitimate domains that are also used for amplification attacks. They cannot simply be blocked without causing collateral damage and must have a more intelligent policy applied (e.g., rate limiting, TC bit, etc.). Any rate limiting or policy applied to these domains should not impact legitimate queries.
DNS security is not simply about blocking bad queries; it’s also about protecting good queries.
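The policy described above, written out as an added example (this is not code from the original post or from any DNS product). The 5 QPS limit, the blocklist entry, the sample addresses and all function names are assumptions; the 1,500-byte threshold stands in for the post’s “roughly 1.5k”.

```python
from dataclasses import dataclass

TC_THRESHOLD = 1500                # bytes: the post's "roughly 1.5k"
LIMITED_QTYPES = {"ANY", "TXT"}    # query types the post names
RATE_QPS = 5                       # assumed "small, fixed QPS" per client
BLOCKED = {"amp-only.example"}     # constructed purpose-built domain

@dataclass
class Bucket:
    tokens: float = RATE_QPS
    stamp: float = 0.0

class Policy:
    def __init__(self):
        self.buckets = {}          # (client, qtype) -> Bucket

    def _allow(self, key, now):
        # Token bucket: refill at RATE_QPS per second, spend one per query.
        b = self.buckets.setdefault(key, Bucket(stamp=now))
        b.tokens = min(RATE_QPS, b.tokens + (now - b.stamp) * RATE_QPS)
        b.stamp = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

    def decide(self, client, qname, qtype, transport, resp_size, now):
        """Return 'REFUSE', 'DROP', 'TRUNCATE' or 'ANSWER' for one query."""
        qname = qname.rstrip(".").lower()
        # Purpose-built amplification domains: block outright.
        if any(qname == d or qname.endswith("." + d) for d in BLOCKED):
            return "REFUSE"
        if transport == "udp":     # only UDP sources can be forged cheaply
            if qtype in LIMITED_QTYPES and not self._allow((client, qtype), now):
                return "DROP"
            # Large answer: send a small reply with TC set so a real
            # client retries over TCP; a forged source never does.
            if resp_size > TC_THRESHOLD:
                return "TRUNCATE"
        return "ANSWER"

def burst(policy, n, now=0.0):
    """Constructed burst: n ANY queries 'from' 192.0.2.10 at one instant."""
    return [policy.decide("192.0.2.10", "big.example.org", "ANY", "udp", 4000, now)
            for _ in range(n)]
```

Ordinary small queries and TCP retries pass through untouched, which is the “protecting good queries” half of the policy.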
In my next post, I’ll look at the role DNS plays in Pseudo-Random Subdomain (PRSD) attacks and other malware, explaining how the attack vectors work and where DNS comes into play to block the malicious behaviour. Stay tuned for part 2 of “The Importance of DNS in Security,” which will publish next week!