Preface xiii

Acknowledgments xvii

1 INTRODUCTION 1

Why Attack DNS? 1

Network Disruption 2

DNS as a Backdoor 2

DNS Basic Operation 3

Basic DNS Data Sources and Flows 4

DNS Trust Model 5

DNS Administrator Scope 6

Security Context and Overview 7

Cybersecurity Framework Overview 7

Framework Implementation 9

What s Next 15

2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17

DNS Overview Domains and Resolution 17

Domain Hierarchy 18

Name Resolution 18

Zones and Domains 23

Dissemination of Zone Information 25

Additional Zones 26

Resolver Configuration 27

Summary 29

3 DNS PROTOCOL AND MESSAGES 31

DNS Message Format 31

Encoding of Domain Names 31

Name Compression 32

Internationalized Domain Names 34

DNS Message Format 35

DNS Update Messages 43

The DNS Resolution Process Revisited 48

DNS Resolution Privacy Extension 55

Summary 56

4 DNS VULNERABILITIES 57

Introduction 57

DNS Data Security 57

DNS Information Trust Model 59

DNS Information Sources 60

DNS Risks 61

DNS Infrastructure Risks and Attacks 62

DNS Service Availability 62

Hardware/OS Attacks 63

DNS Service Denial 63

Pseudorandom Subdomain Attacks 67

Cache Poisoning Style Attacks 67

Authoritative Poisoning 71

Resolver Redirection Attacks 73

Broader Attacks that Leverage DNS 74

Network Reconnaissance 75

DNS Rebinding Attack 77

Reflector Style Attacks 78

Data Exfiltration 79

Advanced Persistent Threats 81

Summary 83

5 DNS TRUST SECTORS 85

Introduction 85

Cybersecurity Framework Items 87

Identify 87

Protect 87

Detect 88

DNS Trust Sectors 88

External DNS Trust Sector 91

Basic Server Configuration 93

DNS Hosting of External Zones 97

External DNS Diversity 97

Extranet DNS Trust Sector 98

Recursive DNS Trust Sector 99

Tiered Caching Servers 100

Basic Server Configuration 101

Internal Authoritative DNS Servers 103

Basic Server Configuration 105

Additional DNS Deployment Variants 108

Internal Delegation DNS Master/Slave Servers 109

Multi–Tiered Authoritative Configurations 109

Hybrid Authoritative/Caching DNS Servers 111

Stealth Slave DNS Servers 111

Internal Root Servers 111

Deploying DNS Servers with Anycast Addresses 113

Other Deployment Considerations 118

High Availability 118

Multiple Vendors 118

Sizing and Scalability 118

Load Balancers 119

Lab Deployment 119

Putting It All Together 119

6 SECURITY FOUNDATION 121

Introduction 121

Hardware/Asset Related Framework Items 122

Identify: Asset Management 122

Identify: Business Environment 123

Identify: Risk Assessment 124

Protect: Access Control 126

Protect: Data Security 127

Protect: Information Protection 129

Protect: Maintenance 130

Detect: Anomalies and Events 131

Detect: Security Continuous Monitoring 131

Respond: Analysis 132

Respond: Mitigation 132

Recover: Recovery Planning 133

Recover: Improvements 133

DNS Server Hardware Controls 134

DNS Server Hardening 134

Additional DNS Server Controls 136

Summary 137

7 SERVICE DENIAL ATTACKS 139

Introduction 139

Denial of Service Attacks 139

Pseudorandom Subdomain Attacks 141

Reflector Style Attacks 143

Detecting Service Denial Attacks 144

Denial of Service Protection 145

DoS/DDoS Mitigation 145

Bogus Queries Mitigation 147

PRSD Attack Mitigation 148

Reflector Mitigation 148

Summary 151

8 CACHE POISONING DEFENSES 153

Introduction 153

Attack Forms 154

Packet Interception or Spoofing 154

ID Guessing or Query Prediction 155

Name Chaining 155

The Kaminsky DNS Vulnerability 156

Cache Poisoning Detection 159

Cache Poisoning Defense Mechanisms 160

UDP Port Randomization 160

Query Name Case Randomization 161

DNS Security Extensions 161

Last Mile Protection 167

9 SECURING AUTHORITATIVE DNS DATA 169

Introduction 169

Attack Forms 170

Resolution Data at Rest 170

Domain Registries 170

DNS Hosting Providers 171

DNS Data in Motion 172

Attack Detection 172

Authoritative Data 172

Domain Registry 173

Domain Hosting 173

Falsified Resolution 173

Defense Mechanisms 174

Defending DNS Data at Rest 174

Defending Resolution Data in Motion with DNSSEC 176

Summary 186

10 ATTACKER EXPLOITATION OF DNS 187

Introduction 187

Network Reconnaissance 187

Data Exfiltration 188

Detecting Nefarious use of DNS 189

Detecting Network Reconnaissance 189

DNS Tunneling Detection 190

Mitigation of Illicit DNS Use 193

Network Reconnaissance Mitigation 193

Mitigation of DNS Tunneling 193

11 MALWARE AND APTS 195

Introduction 195

Malware Proliferation Techniques 196

Phishing 196

Spear Phishing 196

Downloads 196

File Sharing 197

Email Attachments 197

Watering Hole Attack 197

Replication 197

Implantation 197

Malware Examples 198

Malware Use of DNS 198

DNS Fluxing 198

Dynamic Domain Generation 202

Detecting Malware 202

Detecting Malware Using DNS Data 203

Mitigating Malware Using DNS 206

Malware Extrication 206

DNS Firewall 207

Summary 210

12 DNS SECURITY STRATEGY 213

Major DNS Threats and Mitigation Approaches 214

Common Controls 214

Disaster Defense 214

Defenses Against Human Error 220

DNS Role–Specific Defenses 220

Stub Resolvers 220

Forwarder DNS Servers 221

Recursive Servers 221

Authoritative Servers 222

Broader Security Strategy 222

Identify Function 223

Protect Function 224

Detect Function 225

Respond Function 226

Recover Function 227

13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229

Safer Web Browsing 230

DNS–Based Authentication of Named Entities (DANE) 230

Email Security 232

Email and DNS 233

DNS Block Listing 237

Sender Policy Framework (SPF) 238

Domain Keys Identified Mail (DKIM) 242

Domain–Based Message Authentication, Reporting, and

Conformance (DMARC) 245

Securing Automated Information Exchanges 246

Dynamic DNS Update Uniqueness Validation 246

Storing Security–Related Information 247

Other Security Oriented DNS Resource Record Types 247

Summary 251

14 DNS SECURITY EVOLUTION 253

Appendix A: Cybersecurity Framework Core DNS Example 257

Appendix B: DNS Resource Record Types 285

Bibliography 291

Index 299

 

Michael Dooley is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co–authored the Wiley–IEEE Press title IPv6 Deployment and Management.

Timothy Rooney manages BT Diamond IP product development and has led the market introduction of four next–generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley–IEEE Press title Introduction to IP Address Management and in 2011, IP Address Management Principles and Practice. In 2013 Mr. Rooney co–authored the Wiley–IEEE Press title IPv6 Deployment and Management.

An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies

DNS Security Management offers an overall role–based security approach and discusses the various threats to the Domain Name Systems (DNS). This vital resource is filled with proven strategies for detecting and mitigating these all too frequent threats. The authors noted experts on the topic offer an introduction to the role of DNS and explore the operation of DNS. They cover a myriad of DNS vulnerabilities and include preventative strategies that can be implemented.

Comprehensive in scope, the text shows how to secure DNS resolution with the Domain Name System Security Extensions (DNSSEC), DNS firewall, server controls, and much more. In addition, the text includes discussions on security applications facilitated by DNS, such as anti–spam, SFP, and DANE. This important resource:

• Presents security approaches for the various types of DNS deployments by role (e.g., recursive vs. authoritative)
• Discusses example configurations for leading DNS implementations to illustrate security controls
• Examines DNS data collection, incident detection, and data analytics strategies

With cyber attacks ever on the rise worldwide, DNS Security Management offers network engineers a much–needed resource that provides a clear understanding of the threats to networks in order to mitigate the risks and assess the strategies to defend against threats.