A DNS attack is an exploit in which an unknown entity takes advantage of vulnerabilities in the domain name system (DNS). Although the DNS is quite robust, it was designed for usability, not security, and the types of DNS attacks in use today are numerous and quite complex. Typically, attackers take advantage of the plaintext communication back and forth between clients and the three types of DNS servers. Another popular attack strategy is to log in to a DNS provider's website with stolen credentials and redirect DNS records. In order to understand how DNS attacks work, it is important to understand how the domain name system works: DNS is a protocol that translates a user-friendly domain name, like WhatIs.com, into the computer-friendly IP address 206.19.49.154. When an end user types the people-friendly domain name WhatIs.com into a client's browser, a program in the client's operating system called a DNS resolver looks up WhatIs.com's numerical IP address. First, the DNS resolver checks its own local cache to see if it already has the IP address for WhatIs.com. If it doesn't have the address, the resolver then queries a DNS server to see if it knows the correct IP address for WhatIs.com. Once the resolver locates the IP address, it returns it to the requesting program and caches the address for future use. DNS servers are recursive, which means they can query each other to find a server that has cached the correct IP address -- or locate the DNS server that stores the canonical mapping for the domain name. By default, DNS queries and responses are sent in cleartext which has become a security concern that browsers like Chrome and Firefox are trying to address with DNS over HTTPS. Plaintext DNS queries can also reveal information about which websites a user visits, their IP address, and the type of computing device they used. When content filters are in place, DNS logs can capture client IDs or MAC addresses. Research has shown that DNS lookups can even be used to de-anonymize traffic from the Tor network, which was specifically designed to protect users from network surveillance and traffic analysis. To defend against DNS attacks, experts recommend implementing multifactor authentication when making changes to the organization's DNS infrastructure. Operations personnel should also monitor for any changes publicly associated with their DNS records or any digital certificates associated with their organization. Another strategy is to deploy Domain Name System Security Extensions (DNSSEC), which strengthens authentication in DNS by using digital signatures based on public key cryptography. Continue reading... |
No comments:
Post a Comment