
DNS Security and Protections (DNSSEC)

The Domain Name System (DNS) is often called the "phonebook of the internet" because it translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 192.168.1.1) that computers use to communicate. However, traditional DNS was designed for speed and efficiency, not security.

Cybercriminals exploit DNS vulnerabilities for attacks such as DNS spoofing, cache poisoning, and hijacking, leading to data theft, phishing attacks, and malware distribution. To address these threats, the DNS Security Extensions (DNSSEC) were introduced to enhance DNS integrity and authenticity.

In this lesson, we will explore DNS fundamentals, common DNS threats, and security measures, including DNSSEC.


How DNS Works

When you enter a website URL (e.g., www.example.com), your device follows these steps to resolve the IP address:

1. Querying the Recursive Resolver

  • Your computer first contacts a recursive DNS resolver (usually provided by your ISP or a public service like Google DNS 8.8.8.8).

2. Contacting the Root DNS Server

  • The recursive resolver asks the root DNS server, which directs it to the appropriate Top-Level Domain (TLD) server (e.g., .com servers).

3. Querying the TLD Name Server

  • The TLD name server (e.g., .com registry) tells the resolver where to find the authoritative name server for the domain.

4. Fetching the IP from the Authoritative Name Server

  • The authoritative DNS server for example.com provides the IP address (e.g., 192.0.2.1).

5. Returning the IP Address to the User’s Device

  • Your device connects to the provided IP and loads the website.

While this system works efficiently, it lacks built-in security mechanisms, making it vulnerable to various attacks.


Common DNS Security Threats

1. DNS Spoofing / Cache Poisoning

DNS spoofing (or cache poisoning) is an attack where a malicious actor inserts false DNS records into a resolver’s cache, directing users to fraudulent sites.

Example:

  • A hacker poisons a DNS cache so that banking-site.com resolves to 192.168.1.100, which is a phishing site.
  • When users try to log in, they unknowingly enter credentials on a fake website controlled by the attacker.
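The Go program below is an added example (it is not code from this lesson or from any resolver product) showing the checks a resolver performs before it trusts a reply, which is the resolver's first line of defense against the spoofed responses described above: the reply must come from the server that was queried, must be flagged as a response, and must echo the transaction ID and the question of the outstanding query. It parses a constructed wire-format reply (header and question only; the answer section is not decoded) for the resolution steps shown earlier, accepts a genuine reply, and rejects a second reply that carries a guessed transaction ID and the 192.168.1.100 address from the example. The resolver address 192.0.2.53 and the transaction ID 0x1A2B are assumed values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Pending records a query the resolver has sent and is still waiting on.
type Pending struct {
	ID     uint16
	QName  string
	QType  uint16
	Server string // address:port the query was sent to
}

// Reply holds the header and question fields of a parsed response (the answer section is not decoded).
type Reply struct {
	ID      uint16
	IsReply bool
	QName   string
	QType   uint16
}

// readName decodes an uncompressed domain name at offset off and returns it together
// with the offset just past its terminating zero byte.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	for off < len(msg) {
		l := int(msg[off])
		if l == 0 {
			return strings.Join(labels, ".") + ".", off + 1, nil
		}
		if l > 63 || off+1+l > len(msg) { // compression pointers (0xC0..) are rejected here too
			return "", 0, errors.New("malformed or compressed name")
		}
		labels = append(labels, string(msg[off+1:off+1+l]))
		off += 1 + l
	}
	return "", 0, errors.New("name runs past end of message")
}

// Parse decodes the 12-byte header and the single question section.
func Parse(msg []byte) (*Reply, error) {
	if len(msg) < 12 {
		return nil, errors.New("shorter than a DNS header")
	}
	if binary.BigEndian.Uint16(msg[4:]) != 1 {
		return nil, errors.New("expected exactly one question")
	}
	name, off, err := readName(msg, 12)
	if err != nil || off+4 > len(msg) {
		return nil, errors.New("malformed question section")
	}
	return &Reply{
		ID:      binary.BigEndian.Uint16(msg),
		IsReply: msg[2]&0x80 != 0, // QR bit
		QName:   name,
		QType:   binary.BigEndian.Uint16(msg[off:]),
	}, nil
}

// Accept applies the checks a resolver makes before trusting a reply (RFC 5452): it must
// arrive from the server queried, carry the QR bit, and echo the transaction ID and question.
func Accept(p Pending, from string, raw []byte) (*Reply, error) {
	r, err := Parse(raw)
	switch {
	case err != nil:
		return nil, err
	case from != p.Server:
		return nil, fmt.Errorf("reply from %s but the query went to %s", from, p.Server)
	case !r.IsReply:
		return nil, errors.New("QR bit clear: this is a query, not a response")
	case r.ID != p.ID:
		return nil, fmt.Errorf("transaction ID %#06x does not match expected %#06x", r.ID, p.ID)
	case !strings.EqualFold(r.QName, p.QName) || r.QType != p.QType:
		return nil, errors.New("question section does not echo the query")
	}
	return r, nil
}

// sample returns a constructed 49-byte reply for www.example.com A (not captured traffic).
func sample(id uint16, ip [4]byte) []byte {
	msg := []byte("\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + // header: QR RD RA, 1 question, 1 answer
		"\x03www\x07example\x03com\x00\x00\x01\x00\x01" + // question: www.example.com A IN
		"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04") // answer: name pointer, A, IN, TTL 60, RDLENGTH 4
	binary.BigEndian.PutUint16(msg, id)
	return append(msg, ip[:]...)
}

func main() {
	pending := Pending{ID: 0x1A2B, QName: "www.example.com.", QType: 1, Server: "192.0.2.53:53"}
	_, err := Accept(pending, "192.0.2.53:53", sample(0x1A2B, [4]byte{192, 0, 2, 1}))
	fmt.Println("genuine reply:", err) // <nil>
	_, err = Accept(pending, "192.0.2.53:53", sample(0x0000, [4]byte{192, 168, 1, 100})) // guessed ID, phishing address
	fmt.Println("forged reply:", err)
}
```

These checks only make blind guessing expensive: a 16-bit transaction ID on its own is guessable, which is why resolvers also randomise the UDP source port, and why the signature checks of DNSSEC (covered later in this lesson) are the mechanism that makes a forged record detectable even when a guess lands.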

2. DNS Hijacking

An attacker compromises a DNS server or alters settings on a victim’s device to redirect users to malicious websites.

Example:

  • A user’s router is infected with malware that changes its DNS settings to use an attacker-controlled DNS server.
  • Instead of resolving legitimate websites, it directs users to phishing or malware-infected pages.

3. Man-in-the-Middle (MITM) Attacks on DNS

Attackers intercept DNS queries and modify responses before they reach the user.

Example:

  • A hacker on a public Wi-Fi network intercepts DNS requests and redirects all traffic to a rogue site, leading to credential theft.

4. DDoS Attacks on DNS Infrastructure

Attackers flood DNS servers with traffic, causing outages and preventing legitimate users from accessing services.

Example:

  • The 2016 Dyn DNS Attack: A massive botnet (Mirai) attacked the Dyn DNS provider, disrupting major websites like Twitter, Reddit, and Netflix.

DNS Security Enhancements

To mitigate DNS threats, organizations implement several DNS security mechanisms, including DNSSEC, encrypted DNS protocols, and threat intelligence filtering.

1. DNSSEC (Domain Name System Security Extensions)

DNSSEC is a security protocol that protects DNS integrity by using cryptographic signatures to verify the authenticity of DNS responses.

How DNSSEC Works:

  1. Digital Signatures: DNSSEC digitally signs DNS records to ensure that the response has not been altered.
  2. Public Key Cryptography: DNSSEC uses public and private key pairs to verify DNS records.
  3. Chain of Trust: DNSSEC builds a hierarchical trust system, starting from the root DNS servers down to individual domains.

Example:

  • Without DNSSEC: An attacker could modify DNS records undetected, redirecting users to fake sites.
  • With DNSSEC: The resolver validates signatures before accepting a DNS response, ensuring authenticity.
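To make the chain of trust concrete, here is an added Go example (not the lesson's code and not a real DNSSEC implementation). It simulates three zones, ".", "com." and "example.com.", each with one Ed25519 key: every zone signs its own DNSKEY record and its data, and every parent publishes and signs a DS digest of its child's key. Validate starts from the root key configured as the trust anchor and walks down to the A record for www.example.com, then shows that a substituted address fails. Simplifications to keep in mind: real DNSSEC separates key-signing and zone-signing keys, carries signatures in RRSIG records with validity periods, and computes the DS digest over the DNSKEY RDATA in wire format; the keys here are generated on each run and the 192.0.2.1 address is chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a set of records sharing an owner name and type; DNSSEC signs whole sets.
type RRset struct {
	Owner, Type string
	Data        []string
}

// canonical serialises the set in a fixed order so signer and validator sign the same bytes.
func (r RRset) canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(d, "|"))
}

// dsDigest is a simplified DS value: SHA-256 over the child zone's name and public key.
func dsDigest(zone string, key ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(zone)), key...))
	return hex.EncodeToString(sum[:])
}

// Link is what a validator fetches for one zone on the way down the hierarchy.
type Link struct {
	Zone      string
	DNSKEY    RRset  // the zone's public key, published as a DNSKEY record
	DNSKEYSig []byte // RRSIG over DNSKEY, made with the zone's own private key
	DS        RRset  // DS record held by the parent zone (unused for the root)
	DSSig     []byte // RRSIG over DS, made with the parent's private key
}

// Validate walks the chain of trust from the trust anchor (the root key the resolver is
// configured with) down to the zone that owns rr, then checks rr's own signature.
func Validate(anchor ed25519.PublicKey, chain []Link, rr RRset, rrSig []byte) error {
	parentKey := anchor
	for i, l := range chain {
		key, err := hex.DecodeString(l.DNSKEY.Data[0])
		if err != nil || len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("%s: malformed DNSKEY", l.Zone)
		}
		if i == 0 && l.DNSKEY.Data[0] != hex.EncodeToString(anchor) {
			return fmt.Errorf("%s: DNSKEY does not match the trust anchor", l.Zone)
		}
		// For every zone below the root the parent vouches for the key: the DS must be
		// signed by the parent and its digest must match the key the child publishes.
		if i > 0 && (!ed25519.Verify(parentKey, l.DS.canonical(), l.DSSig) || l.DS.Data[0] != dsDigest(l.Zone, key)) {
			return fmt.Errorf("%s: DS in parent does not vouch for this DNSKEY", l.Zone)
		}
		if !ed25519.Verify(key, l.DNSKEY.canonical(), l.DNSKEYSig) {
			return fmt.Errorf("%s: DNSKEY RRset signature is invalid", l.Zone)
		}
		parentKey = key
	}
	if !ed25519.Verify(parentKey, rr.canonical(), rrSig) {
		return fmt.Errorf("%s %s: RRSIG does not verify, data may have been altered", rr.Owner, rr.Type)
	}
	return nil
}

// BuildChain generates throw-away keys for ".", "com." and "example.com.", signs each zone as its
// operator would, and returns the trust anchor, the chain and a signed A RRset (all constructed).
func BuildChain() (anchor ed25519.PublicKey, chain []Link, a RRset, sig []byte, err error) {
	var parentPriv ed25519.PrivateKey
	for i, z := range []string{".", "com.", "example.com."} {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		if err != nil {
			return nil, nil, RRset{}, nil, err
		}
		l := Link{Zone: z, DNSKEY: RRset{Owner: z, Type: "DNSKEY", Data: []string{hex.EncodeToString(pub)}}}
		l.DNSKEYSig = ed25519.Sign(priv, l.DNSKEY.canonical())
		if i == 0 {
			anchor = pub
		} else {
			l.DS = RRset{Owner: z, Type: "DS", Data: []string{dsDigest(z, pub)}}
			l.DSSig = ed25519.Sign(parentPriv, l.DS.canonical())
		}
		chain = append(chain, l)
		parentPriv = priv
	}
	a = RRset{Owner: "www.example.com.", Type: "A", Data: []string{"192.0.2.1"}}
	return anchor, chain, a, ed25519.Sign(parentPriv, a.canonical()), nil
}

func main() {
	anchor, chain, a, sig, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record:", Validate(anchor, chain, a, sig))
	fmt.Println("altered record:", Validate(anchor, chain, RRset{Owner: a.Owner, Type: a.Type, Data: []string{"192.168.1.100"}}, sig))
}
```

The point to take from the walk in Validate is that no single signature is trusted on its own: a key is accepted only because the zone above it published a matching DS under its own signature, all the way up to the one key the resolver was configured with, which is what makes the hierarchy a chain rather than a list of independent keys.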

2. Encrypted DNS Protocols (DoH & DoT)

Traditional DNS queries are sent unencrypted, allowing attackers to intercept and manipulate them. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS traffic between the client and the resolver, preventing eavesdropping and manipulation on that path.

DNS over HTTPS (DoH)

  • Encrypts DNS queries using HTTPS (port 443).
  • Used by browsers like Chrome and Firefox.
  • Example: Even if an attacker intercepts traffic, the DNS query remains encrypted and unreadable.

DNS over TLS (DoT)

  • Encrypts DNS queries using TLS encryption (port 853).
  • Used in mobile networks and ISP DNS resolvers.
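As an added example (not from the lesson), the Go program below builds the HTTP request a DoH client sends for the RFC 8484 GET method: the DNS query in wire format, base64url-encoded without padding, in the dns query parameter, with an Accept header of application/dns-message. The assumed endpoint is Cloudflare's public DoH service, https://cloudflare-dns.com/dns-query (the resolver behind 1.1.1.1); the request is built but never sent, so the program runs offline. DecodeDoHGet shows the resolver's side, recovering the question from the URL and rejecting malformed input.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// BuildQuery assembles a minimal wire-format DNS query for name/qtype with the RD bit set.
// The transaction ID is 0, which RFC 8484 suggests for DoH so identical queries share HTTP caches.
func BuildQuery(name string, qtype uint16) ([]byte, error) {
	msg := []byte{0, 0, 0x01, 0, 0, 1, 0, 0, 0, 0, 0, 0} // ID=0, flags RD=1, QDCOUNT=1
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if l == "" || len(l) > 63 {
			return nil, fmt.Errorf("invalid label %q in %q", l, name)
		}
		msg =append(append(msg, byte(len(l))), l...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1), nil // root label, QTYPE, QCLASS=IN
}

// NewDoHRequest builds the GET form of RFC 8484: the query goes in the "dns" parameter as
// unpadded base64url, and the client asks for an application/dns-message body in return.
func NewDoHRequest(endpoint string, query []byte) (*http.Request, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	q.Set("dns", base64.RawURLEncoding.EncodeToString(query))
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/dns-message")
	return req, nil
}

// DecodeDoHGet is the resolver's side of the exchange: it recovers the DNS message from the
// URL and returns the question name, rejecting padded or otherwise malformed input.
func DecodeDoHGet(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	enc := u.Query().Get("dns")
	if enc == "" || strings.ContainsAny(enc, "=+/") {
		return "", errors.New("dns parameter missing or not unpadded base64url")
	}
	msg, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(msg) < 12 {
		return "", errors.New("undecodable DNS message")
	}
	var labels []string
	for off := 12; ; {
		if off >= len(msg) {
			return "", errors.New("question name runs past end of message")
		}
		l := int(msg[off])
		if l == 0 {
			return strings.Join(labels, ".") + ".", nil
		}
		if l > 63 || off+1+l > len(msg) {
			return "", errors.New("malformed question name")
		}
		labels = append(labels, string(msg[off+1:off+1+l]))
		off += 1 + l
	}
}

func main() {
	query, err := BuildQuery("www.example.com.", 1) // QTYPE 1 = A
	if err != nil {
		panic(err)
	}
	// Endpoint assumed for the example: Cloudflare's public DoH service. The request is built but not sent.
	req, err := NewDoHRequest("https://cloudflare-dns.com/dns-query", query)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL) // GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
	fmt.Println(DecodeDoHGet(req.URL.String())) // www.example.com. <nil>
}
```

To send the request for real, pass it to an HTTP client (http.DefaultClient.Do(req)); the response body is a wire-format DNS answer, which the client then parses exactly as it would a UDP reply. DoT differs only in transport: the same message, prefixed with its two-byte length as in DNS over TCP, is written to a TLS connection on port 853 with the resolver's hostname as the expected certificate name. Neither protocol changes what the resolver answers, so a DoH or DoT resolver can still be misconfigured or compromised; encryption protects the path, DNSSEC protects the data.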

3. Threat Intelligence and DNS Filtering

Organizations use DNS filtering to block access to malicious domains based on threat intelligence feeds.

Example:

  • If a phishing website is identified, DNS filtering services (e.g., OpenDNS) automatically block access to it.

4. Using Private and Internal DNS Servers

  • Organizations set up internal DNS servers for corporate networks so that internal name resolution does not depend on external resolvers, reducing exposure to external threats.
  • Example: A company might configure its Active Directory DNS to resolve internal resources securely.

Best Practices for DNS Security

1. Enable DNSSEC on Domains and Name Servers

  • Ensures DNS responses are digitally signed and verified.

2. Use Secure and Trusted DNS Resolvers

  • Use Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), or Quad9 (9.9.9.9).

3. Implement DoH or DoT for Encrypted DNS Traffic

  • Prevents DNS queries from being intercepted or modified.

4. Monitor and Log DNS Traffic

  • Detect anomalies and prevent DNS-based attacks.

5. Use DNS Filtering to Block Malicious Domains

  • Prevents users from accessing phishing or malware-infected sites.

6. Regularly Update DNS Server Software

  • Patching vulnerabilities reduces attack risks.
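The Go program below is an added example (not the lesson's code and not any vendor's filtering engine) that covers both DNS filtering (section 3 above) and the monitoring practice just listed: it runs three detections over a constructed resolver query log. The first is a blocklist match on label boundaries, which is the filtering case; the other two are simple anomaly rules for monitoring, a burst of NXDOMAIN answers from one client and long high-entropy labels. The log lines, the blocklist entries and the thresholds (three NXDOMAIN answers, labels of 16 or more characters with at least 3.5 bits of entropy) are all chosen for the example, not taken from any product or standard.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"strings"
)

// Event is one parsed line of the resolver query log.
type Event struct{ Time, Client, QName, QType, RCode string }

// Alert is one finding produced by the rules in Analyze.
type Alert struct{ Rule, Client, Detail string }

// sampleLog is constructed for this example (time client qname qtype rcode); it is a
// simplified query log, not the output of any particular resolver.
const sampleLog = `2024-05-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2024-05-01T10:00:02Z 10.0.0.5 cdn.phish.example A NOERROR
2024-05-01T10:00:03Z 10.0.0.5 notphish.example A NOERROR
2024-05-01T10:00:04Z 10.0.0.9 x7q2v9k4m1p8z3w6.tunnel.example TXT NOERROR
2024-05-01T10:00:05Z 10.0.0.7 kq3zd8.example A NXDOMAIN
2024-05-01T10:00:06Z 10.0.0.7 p0w1xm.example A NXDOMAIN
2024-05-01T10:00:07Z 10.0.0.7 ztr4vb.example A NXDOMAIN`

// ParseLog turns the text into events, skipping blank and comment lines and lower-casing names.
func ParseLog(text string) ([]Event, error) {
	var evs []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		evs = append(evs, Event{f[0], f[1], strings.ToLower(strings.TrimSuffix(f[2], ".")), f[3], f[4]})
	}
	return evs, sc.Err()
}

// Blocked reports whether qname equals, or is a subdomain of, a blocklisted domain.
// Matching is on label boundaries, so "notphish.example" is not caught by "phish.example".
func Blocked(qname string, blocklist []string) (string, bool) {
	for _, b := range blocklist {
		b = strings.ToLower(strings.TrimSuffix(b, "."))
		if qname == b || strings.HasSuffix(qname, "."+b) {
			return b, true
		}
	}
	return "", false
}

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		h -= float64(c) / n * math.Log2(float64(c)/n)
	}
	return h
}

// Analyze runs three rules: blocklist hits (the filtering case), a burst of NXDOMAIN
// answers for one client (malware probing generated names), and long high-entropy labels.
func Analyze(evs []Event, blocklist []string, nxThreshold int) []Alert {
	var alerts []Alert
	nx := map[string]int{}
	for _, e := range evs {
		if b, ok := Blocked(e.QName, blocklist); ok {
			alerts = append(alerts, Alert{"blocklist", e.Client, e.QName + " matches " + b})
		}
		if e.RCode == "NXDOMAIN" {
			if nx[e.Client]++; nx[e.Client] == nxThreshold {
				alerts = append(alerts, Alert{"nxdomain-burst", e.Client, fmt.Sprintf("%d NXDOMAIN answers", nxThreshold)})
			}
		}
		for _, label := range strings.Split(e.QName, ".") {
			if len(label) >= 16 && entropy(label) >= 3.5 {
				alerts = append(alerts, Alert{"suspicious-label", e.Client, e.QName})
				break
			}
		}
	}
	return alerts
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Analyze(evs, []string{"phish.example", "malware.example"}, 3) {
		fmt.Printf("%-16s %-10s %s\n", a.Rule, a.Client, a.Detail)
	}
}
```

On the sample log this produces three alerts: the blocklist hit for cdn.phish.example, the suspicious label from 10.0.0.9, and the NXDOMAIN burst from 10.0.0.7; the notphish.example query is correctly left alone. In production the same rules would be fed from the resolver's query log or from passive DNS capture, with the blocklist refreshed from a threat intelligence feed and the thresholds tuned against the organisation's normal traffic.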

Key Takeaways

  • DNS translates domain names to IP addresses, making it a critical part of internet infrastructure.
  • DNS spoofing, hijacking, and MITM attacks can redirect users to malicious websites.
  • DNSSEC uses cryptographic signatures to verify DNS responses and prevent tampering.
  • Encrypted DNS protocols (DoH and DoT) protect against eavesdropping and manipulation.
  • Threat intelligence, DNS filtering, and secure DNS resolvers enhance overall security.