DNS
The DNS is exposed to threats that aim to bring down a central feature of the Internet: it allows convenient web browsing for non-technical users and flexible addressing for automated systems. Without the resolution of domain names into IP addresses the Internet is effectively inaccessible for the general public. Attacks attempt to alter DNS records to redirect traffic, interrupt operation, or introduce censorship. The latest trends show a decrease in this sort of threat; however, this does not diminish its importance.
DNS registrar hijacking
If a DNS registrar is hijacked, all domains under its control are in jeopardy: the domain registration information can be altered, which may result in a transfer of the domain to another registrar or in a form of identity theft. Once this has been done, the hijacker has full control of the affected domains and can use them or sell them to a third party.
Example:
- Popular registrar Namecheap fixes DNS hijack bug
Good Practices:
- Registrants must protect account credentials and define authorised users, while registrars have to provide a secure authentication process. [SAC044, SAC040]
- Registrants should take advantage of routine correspondence from the registrar, such as change notifications, billing information, or WHOIS records, since an unexpected change is an early sign of a hijack; hence, registrars must provide such information. [SAC044, SAC040]
- Registrants should maintain documentation to “prove registration”. [SAC044]
- Registrants should use separate identities for the registrant, technical, administrative, and billing contacts; thus, registrars need to allow more fine-grained user rights management. [SAC044, SAC040]
- Registrars must establish effective zone data management. [SAC044]
- Registrars should consider supporting DNSSEC. [SAC044, SAC040, BCP40]
- Registrars may monitor DNS change activity. [SAC044]
DNS spoofing
DNS spoofing refers to the broad category of attacks that forge DNS records. There are many ways to do it: compromise a DNS server, mount a DNS cache poisoning attack, mount a man-in-the-middle attack on the resolver's traffic, guess the 16-bit transaction ID (and source port) of an outstanding query and race the legitimate answer, and many more.
Example:
Good Practices:
- Deploying DNSSEC gives DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. [ENISA Good practices guide for deploying DNSSEC; DRAFT DNSOP Poisoning Measures]
DNS poisoning
Examples:
- Multiple DNS implementations vulnerable to cache poisoning
- ANSSI Abusing anti-DDoS mechanisms to perform DNS cache poisoning
- Fragmentation considered poisonous
Good Practices:
- Deploying DNSSEC gives DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. It does not provide confidentiality, and it only protects resolvers that actually validate the signatures. [BCP40; ENISA Good practices guide for deploying DNSSEC; DRAFT DNSOP Poisoning Measures]
- Restrict zone transfers (AXFR/IXFR) to authorised secondary servers: this reduces load on systems and network and keeps the complete zone contents from being enumerated by outsiders. [NIST How to Secure a Domain Name Server (DNS)]
- Restrict dynamic updates to authorised sources only (e.g. by address and TSIG key) in order to avoid misuse; such misuse includes the abuse of a DNS server as an amplifier, DNS cache poisoning… [NIST How to Secure a Domain Name Server (DNS)]
- Set up the authoritative name server as non-recursive, and run recursive name servers separately from the authoritative name server: a server that also recurses for arbitrary clients is both an open amplifier and a cache poisoning target. [NIST How to Secure a Domain Name Server (DNS)]
- Allow DNS transport over TCP: it is needed for zone transfers and for any response that does not fit in a UDP datagram (the server sets the TC bit and the client retries over TCP), which is common with DNSSEC. [BSI Handlungsempfehlungen]
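The forgery conditions described under DNS spoofing and the resolver-side measures listed above, as an added example that is not code from the original page or from any of the cited guides: a minimal DNS wire-format encoder and parser, plus the checks a hardened resolver applies before caching an answer (transaction ID, source port, exact question match, and a bailiwick rule that drops records outside the zone being queried, so a piggybacked additional-section record cannot poison the cache). The zone, names, addresses, port and transaction IDs are constructed, and the bailiwick rule is simplified to "owner name at or below the queried zone".

```python
"""Resolver-side checks that defeat forged answers (DNS spoofing / cache poisoning).

Added example, not code from the original page or from any cited guide.
Names, addresses, ports and transaction IDs below are constructed.
"""
import struct

A, IN = 1, 1  # RR type A, class IN


def encode_name(name):
    """Wire-format a dotted name such as 'www.example.com.' as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at offset `off`, following RFC 1035 compression pointers.
    Returns (lower-cased FQDN, offset just past the name in the message)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # 2-byte pointer into earlier message data
            if end is None:
                end = off + 2                  # the caller continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (off if end is None else end)


def build_query(txid, qname, qtype=A):
    """Standard query: header with RD set, one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, IN))


def build_response(txid, qname, answers, additional=(), qtype=A):
    """Response (QR, RD, RA set). answers/additional: [(owner, type, ttl, rdata bytes)]."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, IN)
    for owner, rtype, ttl, rdata in list(answers) + list(additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    return msg


def ip4(dotted):
    """IPv4 address text -> 4 rdata bytes."""
    return bytes(int(x) for x in dotted.split("."))


def parse(msg):
    """Decode header, question section and all resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(owner, zone):
    """Simplified bailiwick rule: the owner name is at or below the queried zone."""
    return owner == zone or owner.endswith("." + zone)


def check_response(query, response, sent_port, recv_port, zone):
    """Return (records worth caching, rejection reason or None).

    A blind forgery must hit the 16-bit transaction ID *and* the randomised
    source port and must repeat the question exactly; even then only records
    inside the bailiwick of the queried zone are kept, so an attacker cannot
    smuggle 'www.bank.example' into the cache via the additional section.
    """
    q, r = parse(query), parse(response)
    if r["id"] != q["id"]:
        return [], "transaction ID mismatch"
    if recv_port != sent_port:
        return [], "source port mismatch"
    if not r["flags"] & 0x8000:
        return [], "QR bit not set (not a response)"
    if r["questions"] != q["questions"]:
        return [], "question section does not match the query"
    return [rr for rr in r["records"] if in_bailiwick(rr[0], zone)], None


if __name__ == "__main__":
    zone, qname, port = "example.com.", "www.example.com.", 51823
    query = build_query(0x1234, qname)
    good = build_response(0x1234, qname, [(qname, A, 300, ip4("192.0.2.10"))])
    print("legit: ", check_response(query, good, port, port, zone))
    # Blind forgery that guessed the ID wrong: dropped outright.
    forged = build_response(0x1235, qname, [(qname, A, 300, ip4("203.0.113.66"))])
    print("forged:", check_response(query, forged, port, port, zone))
    # Right ID and port, but an out-of-bailiwick record piggybacked as 'glue'.
    poison = build_response(0x1234, qname, [(qname, A, 300, ip4("192.0.2.10"))],
                            additional=[("www.bank.example.", A, 86400, ip4("203.0.113.66"))])
    print("poison:", check_response(query, poison, port, port, zone))
```

The ID and port checks are only probabilistic defences (a forger can flood guesses while the real answer is in flight), which is why the bailiwick rule and, ultimately, DNSSEC validation are needed on top of them.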
Domain name collision
A name collision refers to an attempt to resolve a name that is used in a private name space (e.g. under a non-delegated top-level domain, or a short unqualified name) which instead results in a query to the public DNS, where a matching name may be found. In most cases the cause is a misconfiguration that disregards ICANN recommendations. Name collisions are not new: they have historically been observed and reported as queries containing non-delegated TLDs arriving at the root of the DNS. They received renewed attention because many of the strings applied for as new TLDs are identical to name space labels used in private networks.
Examples:
- Name Collision in the DNS
- Looking at corp.com as a proxy for .corp
- Reports for alternate path to delegation published
Good Practices:
- Do not use arbitrary domain names that you do not own for your internal infrastructure; in particular, do not treat a private name space label as if it were a top-level domain. [SAC062]
- Prevent DNS requests for internal name spaces from leaking to the Internet by applying firewall policies. [Name Collision Mitigation for Enterprise Networks]
- Use reserved TLDs such as .test, .example, .invalid, or .localhost. [RFC2606]
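Finding the leaks that the good practices above tell you to block, as an added example that is not code from the page, SAC062 or the cited mitigation paper: it classifies resolver query-log entries by their right-most label and reports the internal names (non-delegated TLDs and unqualified names) that would otherwise leave the network, which is the list a firewall policy or a host fix should be built from. The log lines and both TLD sets are constructed; the real delegated list is the IANA root zone database.

```python
"""Find internal-namespace lookups leaking to the public DNS (name collision risk).

Added example, not code from the page. The query-log lines and the small TLD
lists are constructed; in practice feed it a real BIND query log and use the
IANA root zone database as the delegated-TLD list.
"""
import re
from collections import Counter

# Constructed BIND 9 style query-log lines (the format written by 'querylog yes').
LOG = """\
12-Mar-2015 10:01:02.101 client 10.1.2.3#51423: query: fileserver.corp IN A + (10.0.0.53)
12-Mar-2015 10:01:02.455 client 10.1.2.7#40011: query: www.example.com IN A + (10.0.0.53)
12-Mar-2015 10:01:03.002 client 10.1.2.3#51424: query: wpad.home IN A + (10.0.0.53)
12-Mar-2015 10:01:03.310 client 10.1.2.9#33101: query: printer IN A + (10.0.0.53)
12-Mar-2015 10:01:04.018 client 10.1.2.7#40012: query: intranet.example.test IN A + (10.0.0.53)
12-Mar-2015 10:01:04.200 client 10.1.2.3#51425: query: mail.corp.com IN MX + (10.0.0.53)
"""

LINE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

DELEGATED_TLDS = {"com", "net", "org", "de", "uk"}          # constructed subset of the root zone
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}  # RFC 2606


def classify(qname):
    """Bucket a queried name by what its right-most label says about it."""
    name = qname.rstrip(".").lower()
    if "." not in name:
        return "unqualified"   # search-list expansion may append any suffix and leak it
    tld = name.rsplit(".", 1)[1]
    if tld in RESERVED_TLDS:
        return "reserved"      # RFC 2606: never delegated, a leak is harmless (NXDOMAIN)
    if tld in DELEGATED_TLDS:
        return "public"        # a real Internet name (or a domain you own)
    return "private"           # non-delegated TLD: the name-collision case


def find_leaks(log):
    """Return {(qname, category): Counter(client -> queries)} for risky lookups.

    The keys are what a firewall or resolver policy should block, and the
    clients are the hosts whose configuration needs fixing.
    """
    leaks = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        cat = classify(m["qname"])
        if cat in ("private", "unqualified"):
            leaks.setdefault((m["qname"], cat), Counter())[m["client"]] += 1
    return leaks


def is_controlled_interruption(addr):
    """ICANN has newly delegated gTLDs answer A queries with 127.0.53.53 for a
    period after delegation; that address in a resolver's answers means a
    private name has collided with a new public TLD."""
    return addr == "127.0.53.53"


if __name__ == "__main__":
    for (qname, cat), clients in sorted(find_leaks(LOG).items()):
        print(f"{cat:12} {qname:24} {dict(clients)}")
```

Only "private" and "unqualified" names are reported: queries under RFC 2606 reserved TLDs still leave the network, but by design they can never match a delegated name, which is why the page recommends them.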