Latest Defensive Practices against DNS Security Threats

In less than five years, more than 30 billion devices will be connected to the internet, and the Domain Name System (DNS) will have correspondingly more work to do. Unfortunately, the number of threats to DNS security rises with every additional device that joins the internet, giving hackers a field day. Businesses and innovative enterprises therefore have to work round the clock in search of new ways to protect themselves.

Up-to-date Software

While new means of protection against DNS attacks are developed continuously, hackers are working just as hard on new ways of defeating them. Remember, there is no way to eliminate all DNS attacks. You can, however, stay ahead of them by running the latest versions of your protective software.

Authoritative and Recursive Servers

One way hackers compromise DNS security is by blocking your access to an internet service. Usually they do this by flooding the website you want to visit with so many queries that the traffic volume becomes too high for you to reach it. Hackers may also plant malware on one computer with the aim of spreading it to every other computer on the same network.

An authoritative server answers only for the zones it is sure of, and recursion can be disabled on it. To boost security, run the authoritative and recursive functions as separate DNS servers, even if both sit within the same appliance. The efficiency and reliability of the DNS service also improve greatly.

Hybrid DNS

A vulnerability in your DNS server's software is easily overlooked, leaving a loophole for attackers to exploit in an attempt to compromise it. The best protection against such an unexpected attack is to run different DNS engines built on different software, which keeps attackers guessing. When the DNS security system raises a new alert, you can temporarily move to the alternative engine while security updates for the original engine are patched, tested and validated. It is also hard for attackers to tell which software is in operation.

Firewall Protection

The basic guard against malware is a DNS firewall. It prevents your workstation from being diverted to suspect sites, and it stops infectious malware from spreading by placing an infected user in walled-garden isolation. The administrator is notified whenever a user is infected and can take the necessary action.

The growth of cloud solutions, mobile and the billions of other devices connected to the internet gives DNS attackers ample opportunity to ply their trade. To stay safe, you must always be ahead of the game and keep up with current DNS security strategies.

IETF Advises Cookies for Enhanced DNS Security

The Internet Engineering Task Force (IETF) is an organized activity of the Internet Society (ISOC), a non-profit organization. The core mission of the IETF is to produce technical documents that help organizations and individuals design, manage and use the Internet more effectively. A recent IETF publication advises that developers can strengthen DNS against denial-of-service exploits by adding cookies, a mechanism that borrows its name from the cookies used to track user sessions on the Web.

Fundamental Issues with DNS

The Domain Name System (DNS) is a fundamental yet old and arguably outmoded part of the Internet's foundation. Its most basic and essential function is to translate between IP addresses and names that humans can read and remember easily. DNS security is a substantial and growing concern because DNS servers are often abused as traffic amplifiers in DoS attacks.

Introducing RFC 7873

In RFC 7873, written by IETF participants Donald Eastlake and Mark Andrews, the authors explore the idea that these amplification attacks could be mitigated, and DNS security enhanced, by deploying cookies. The document defines DNS cookies as a lightweight DNS transaction security mechanism that provides limited but useful and efficient protection against amplification, forgery, cache poisoning and other DNS security concerns.

How Cookies Would Work

Such cookies could not be used to track users, since they are only returnable to the originating address. The added protection comes from the fact that an attacker would have to guess the 64-bit value of the cookie, which is practically impossible within the time available. A client cookie is computed from the server IP address, the client IP address and a random secret known only to the client. A server cookie is similar, but its secret value is known only to the server.

Practical Applications

The document also provides a number of practical illustrations of how these cookies can enhance DNS security in real-world scenarios, such as:

• Server DoS — A cookie would make it easy to identify fake requests. This would not eliminate the impact, but it would mitigate it greatly by avoiding unnecessary cryptographic mechanisms, recursive queries and other resource-intensive operations.

• DNS Amplification — Amplification attacks are successful because of heightened traffic, but cookies would make it difficult for attackers to achieve much more than limited error responses. That wouldn’t be very useful to them and would theoretically eliminate amplification as a security risk.

• Forged addresses — Basic DoS attacks employ forged client addresses. Cookies won’t help thwart such attacks, but they would make it much easier to identify legitimate communication. That’s half the battle since resources can be allocated to the appropriate clients more easily.
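How the client and server cookies described above fit together, and the cheap server-side check behind the Server DoS point, as an added example that is not code from RFC 7873 or the original article; it assumes HMAC-SHA256 truncated to 64 bits as the cookie function (the RFC leaves that choice to implementers) and uses constructed secrets and addresses:

```python
import hashlib
import hmac
import ipaddress

COOKIE_OPTION_CODE = 10  # EDNS(0) OPTION-CODE assigned to COOKIE in RFC 7873
# Constructed sample secrets and addresses for the exchange() demonstration.
CLIENT_SECRET, SERVER_SECRET = b"client-secret-example", b"server-secret-example"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.53"

def _mac64(secret, *parts):
    # Assumes HMAC-SHA256 truncated to 64 bits; RFC 7873 leaves the function open.
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:8]

def client_cookie(client_ip, server_ip, client_secret):
    # Bound to both addresses: a value issued for one server is useless at another.
    return _mac64(client_secret, ipaddress.ip_address(client_ip).packed,
                  ipaddress.ip_address(server_ip).packed)

def server_cookie(client_ip, cc, server_secret):
    # Bound to the client address and its client cookie; only this server knows
    # server_secret, so a correct value proves the client received an earlier reply.
    return _mac64(server_secret, ipaddress.ip_address(client_ip).packed, cc)

def encode_cookie_option(cc, sc=b""):
    # OPTION-CODE, OPTION-LENGTH, 8-byte client cookie, optional server cookie.
    data = cc + sc
    return COOKIE_OPTION_CODE.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data

def decode_cookie_option(raw):
    code, length = int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:4], "big")
    data = raw[4:4 + length]
    # Valid lengths: 8 (client cookie only) or 16..40 (plus an 8..32-byte server cookie).
    if code != COOKIE_OPTION_CODE or len(data) != length or not (length == 8 or 16 <= length <= 40):
        raise ValueError("malformed COOKIE option")
    return data[:8], data[8:]

def server_accepts(src_ip, option, server_secret):
    # Cheap check run before any expensive work (recursion, DNSSEC, large answers):
    # True only if the request carries the server cookie this server issued to src_ip.
    cc, sc = decode_cookie_option(option)
    return bool(sc) and hmac.compare_digest(sc, server_cookie(src_ip, cc, server_secret))

def exchange():
    # First request carries just the client cookie and earns a server cookie; the
    # second carries both and is accepted, while a replay from another address is not.
    cc = client_cookie(CLIENT_IP, SERVER_IP, CLIENT_SECRET)
    sc = server_cookie(CLIENT_IP, decode_cookie_option(encode_cookie_option(cc))[0], SERVER_SECRET)
    second = encode_cookie_option(cc, sc)
    return server_accepts(CLIENT_IP, second, SERVER_SECRET), server_accepts("203.0.113.7", second, SERVER_SECRET)
```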

Understanding the DNS Domain Namespace

The Domain Name System (DNS) is the Internet service that translates domain names into numeric IP addresses. The Internet is really based on IP addresses; every time you use a domain name, a DNS application immediately translates that name into the matching IP address. Because domain names are alphabetic, they are easier to remember.

It is a fun fact that you have used the DNS every time you surfed the web, without even realizing it. As with everything on the web, the DNS is nothing but a set of rules, or protocols in the nerd lingo, built on the TCP/IP suite that standardizes the exchange of data and signals over the internet, including private and public networks. Its basic job is to act as a GPS for the internet, identifying each entity by a unique name that can be resolved to an IP address and thereby establishing the identity of the system involved.

Now, as you can imagine, keeping a phonebook-style database of the zillions of IP addresses around would be a great hassle, and remembering and working with such addresses directly is virtually impossible. Hence a DNS is used, which manages the huge mapping of the network and enables a user to connect to other entities over the web. Without DNS servers, the whole web would quickly go down, leaving the world digitally paralyzed.

But how does a computer decide, or even discover, which DNS server to use? Here your ISP (Internet Service Provider) comes into play: through your Wi-Fi router or modem, it sends some important configuration settings to your computing device. The computer then works out how to get you to a website in a series of steps:

  1. First it initiates a DNS query for the hostname or URL you have entered, provided the answer is not already in the local DNS cache.
  2. Your ISP's DNS servers do the necessary toiling to answer the query; if the answer is found, the information is returned to the user.
  3. If the information is not found there, the recursive DNS servers are engaged.
  4. If it is not found even there, the root name servers are brought in. A root name server is essentially a system built to answer queries about domain names and IP addresses; it performs the basic function of a telephone switchboard in translating the name into an IP address.
  5. Next, the TLD name servers and then the authoritative DNS servers are tasked with the query; the DNS record is found there and the result is signalled back.
  6. Finally, the required record (which has a limited time-to-live value, after which a fresh copy is needed) is picked out from the whole array of record types, and the retrieved answer is sent back to the system where the query originated.

What is sure to amaze you is that this entire bureaucracy of queries and server searches takes only a few milliseconds. The DNS is a network of its own: if one node does not know the answer, another is sure to be engaged. However complicated it may sound, it is really just a cog in the wheel that makes information easier to obtain and understand.

Why DNS Protection Is an Absolute Necessity

DNS (Domain Name System) is one of the most fundamental things underpinning the whole operation of the internet. In simple words, the Domain Name System is used every time an individual visits a website, sends an e-mail, receives an e-mail or chats with friends over an internet messaging service. In short, no matter what you do over the internet, DNS plays a vital role from the initiation of the action, through its execution, to its ultimate completion.

Before I start on why DNS protection is necessary, let me give you an idea of what can happen if the DNS is not protected. Back in 2008, Dan Kaminsky discovered a very serious loophole in the DNS. With this DNS vulnerability, a hacker can redirect a network query to servers of his choice. Kaminsky's discovery brought the concept of DNS cache poisoning into the spotlight.

What is Cache Poisoning?
Assuming an attacker has complete knowledge of how DNS works, cache poisoning can be a piece of cake for that attacker. In this attack, the attacker somehow manages to infuse sham information into a nameserver's cache.

This infusion then affects the devices of local clients, which are clueless about the whole attack. Once the nameserver treats the bogus packet of information as genuine, the DNS breaks down and the clients' personal and private data leaks to the attacker.

Do not confuse cache poisoning with traditional phishing attacks.

How Cache Poisoning Differs from Traditional Phishing Techniques
It is true that cache poisoning and phishing aim at the same result, making a person accept a bogus site as the real URL without suspicion, but they are not the same thing.
In phishing, attackers with HTML and CSS skills develop a look-alike webpage to fool the user. This technique requires no technical knowledge of how DNS works. Also, if the end user is a bit skilled in coding, he can easily identify the phishing attack merely by comparing the HTML source of the real and duplicate pages.

In DNS cache poisoning, by contrast, the DNS infrastructure itself is compromised. The attack takes advantage of the fundamental way DNS works: the attacker reroutes real hostnames to the attacker's servers. This technique requires professional knowledge of the DNS infrastructure, and the attack cannot be identified by comparing any kind of source code.
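As an added example (not code from the original article), the checks a resolver applies before caching a reply, which is what makes the blind poisoning described above expensive for an attacker: the transaction ID, the randomized source port introduced after Kaminsky's finding, the address of the server that was asked and the question must all match, and records outside the answering server's zone are dropped. The data structures, sample query and sample reply are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner name, record type, rdata)

@dataclass
class PendingQuery:
    txid: int        # 16-bit transaction ID, picked at random per query
    src_port: int    # randomized UDP source port (the post-Kaminsky hardening)
    server_ip: str   # the nameserver that was actually asked
    zone: str        # the zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str

@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answers: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(q: PendingQuery, r: Response) -> Optional[List[RR]]:
    # Returns the records a resolver may cache, or None to discard the reply.
    # Transaction ID, randomized source port, the address of the server asked
    # and the question must all match; a blind forger has to guess every one.
    if (r.txid, r.dst_port, r.src_ip) != (q.txid, q.src_port, q.server_ip):
        return None
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return None
    # Records for names outside the answering server's zone are dropped, so a
    # reply about one name cannot plant a bogus address for an unrelated one.
    return [rr for rr in r.answers + r.additional if in_bailiwick(rr[0], q.zone)]

# Constructed sample: the resolver asked example.com's nameserver for www.example.com;
# the reply also tries to slip in an address for a name outside that zone.
SAMPLE_QUERY = PendingQuery(0x4A1F, 51234, "192.0.2.53", "example.com", "www.example.com", "A")
SAMPLE_REPLY = Response(0x4A1F, 51234, "192.0.2.53", "www.example.com", "A",
                        answers=[("www.example.com", "A", "192.0.2.80")],
                        additional=[("ns1.example.com", "A", "192.0.2.53"),
                                    ("www.bank.example", "A", "203.0.113.9")])
```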

Why DNS Protection Is Necessary
By now you must know how vulnerable DNS is. Now let me tell you why DNS protection is an absolute necessity.
The whole network communication of any corporate office revolves around its DNS infrastructure. It shouldn't come as a surprise if a competitor wants to take your server down.
What will be their first and foremost approach?
To take down the most vulnerable part of your system.
That is an unprotected DNS for you! If you don't want an attacker to take down your server along with your private and personal information, get a DNS protection system now!