The Domain Name System (DNS) was developed to make navigating the Internet easier, but DNS security was not considered at the time. The DNS is used to convert domain names and URLs into a format that can be used by computers to find those URLs and domains – IP addresses.
During DNS resolution, the process of finding and translating a domain into its IP address, a recursive DNS query is sent by the browser to a recursive DNS server, which is usually provided by the user’s Internet service provider. The recursive DNS server may already have the IP address of that domain or URL, in which case it will provide it.
If it does not have a record in its cache, it will query other servers to find the IP address. First, a query is sent to DNS root name servers, then to top-level domain (TLD) name servers, and finally to authoritative name servers. If the IP address is found, it will be returned to the recursive DNS server, which will send it to the browser and cache the record to avoid making further queries. If not, an error message will be returned. This process is incredibly quick, even if multiple queries need to be sent by the recursive DNS server. The entire process takes a fraction of a second.
There are potential security issues with the DNS. If a threat actor wants to direct traffic to a malicious website hosting malware, an exploit kit, or a phishing form, hijacking the DNS would be a good way to do this. Someone with access to a device – either physical access or by using malware – could change the DNS settings to point to a malicious DNS server under their control and when a query is received, return the IP address of a malicious site. The same result can be achieved with DNS cache poisoning/DNS spoofing. Here, false data is distributed to caching resolvers by spoofing an authoritative DNS server.
Without DNS security, DNS tunneling can occur. This is the use of protocols to tunnel through DNS queries and use the DNS for command-and-control communications with malware, botnets, and data exfiltration. Since most security solutions – including firewalls – do not scan the DNS, these malicious communications are not detected.
DNS servers can also be targeted in denial-of-service attacks, where large numbers of dummy DNS queries are sent to a DNS server to overwhelm it, or to fill the resolver’s cache with fake data.
DNS Security Measures
There are several different approaches to take to improve DNS security. DNS Security Extensions (DNSSEC) is a security protocol that is used to prevent DNS spoofing. DNSSEC uses digital signature key pairs to secure DNS lookups and validate whether the answer – the IP address – has come from a legitimate source.
To prevent denial-of-service attacks, the operators of DNS zones can take several steps to prevent DNS servers from becoming overwhelmed, such as overprovisioning infrastructure to significantly improve capacity to several multiples of normal DNS traffic, or by using a DNS firewall for rate-limiting to stop attackers from trying to overwhelm the server.
DNS over TLS and DNS over HTTPS use encryption to prevent interception and tampering with DNS queries. Instead of plain text queries, they are encrypted so cannot be intercepted, read, or altered.
DNS security can also be provided by web filters. DNS-based web filters can be used by businesses to block command-and-control communications with malware and botnets via the DNS. These DNS security solutions are also used for content filtering, to prevent employees and guest users from accessing certain types of web content – pornography, gambling, and gaming websites for instance – and to prevent connections to malicious websites, such as those used for phishing or malware distribution. These features can be accessed by signing up with a DNS-based web filtering service and changing the recursive DNS servers to those of the service provider.