2. Home
  3. Internet Infrastructure Security and Resilience Reference Group
  4. DNS

DNS

dns_threats.jpg

map map map map map map map map map map map map map

The DNS system is exposed to threats that aim to bring down a central feature which allows convenient web browsing for non-technical users and enables flexible addressing for automated systems. Without the resolution of domain names into IP addresses the Internet is inaccessible for the general public. Attacks attempt to alter DNS records to redirect traffic, interrupt operation, or introduce censorship. The latest trends show a decrease for this sort of threat. However, this does not diminish its importance.

DNS registrar hijacking

If a DNS registrar is hijacked, all domains under its control are in jeopardy: the domain registration information can be altered, which might result in a transfer of the domain to another registrar or result in a type of identity theft. Once this has been done, the hijacker has full control of all the domains and can use them or sell them to a third party.

Example:
Popular registrar Namecheap fixes DNS hijack bug

Good Practices:

  • Registrants must protect account credentials and define authorised users, while registrars have to provide a secure authentication process.SAC044 SAC040
  • Registrants should take advantage of routine correspondence from registrar such as change notification, billing information, or WHOIS records. Hence, registrars must provide such information.SAC044 SAC040
  • Registrants should maintain documentation to “prove registration”.SAC044
  • Registrants should use separate identities for registrant, technical, administrative, and billing contacts. Thus, registrars need to allow a more complex user rights management.SAC044 SAC040
  • Registrars must establish an effective zone data management.SAC044
  • Registrars should consider supporting DNSSEC.SAC044 SAC040 BCP40
  • Registrars may monitor DNS change activities.SAC044


DNS spoofing

DNS spoofing refers to the broad category of attacks that spoof DNS records. There are many different ways to do DNS spoofing: compromise a DNS server, mount a DNS cache poisoning attack, mount a man-in-the-middle attack, guess a sequence number, and many more.

Example:

Good Practices:

 

DNS poisoning

DNS (cache) poisoning is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching domain name server. There are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning.

Examples:

Good Practices:


Domain name collision

A name collision refers to an attempt to resolve a name that is utilised in a private name space (e.g. non-delegated Top Level Domain, or a short, unqualified name), resulting in a DNS query to the public DNS, and a matching name can be retrieved. In most cases, the cause is a misconfiguration and disregards ICANN recommendations. Name collision occurrences are not new and have historically been observed and reported as queries containing non-delegated TLDs at the root level of the DNS. They have received renewed attention because many applied for new TLD strings that are identical to name space labels used in private networks.

Examples:

Good Practices:

  • Do not use random domain names that you do not own for your internal infrastructure. For example, do not consider private domain name space as top-level domains.SAC062
  • Preventing DNS request for internal namespaces to leak into the Internet by applying firewall policies.Name Collision Mitigation for Enterprise Networks
  • Use reserved TLDs such as .test, .example, .invalid, or .localhost. RFC2606

How to Secure a Domain Name Server (DNS)