DNS (Domain Name System) – a system that keeps the information about Internet domains, with its key function being to provide the IP address of a node or other resource upon receiving its full domain name.
What is DNS?
Each web site on the Internet, as well as on networks built on its standards, has its own unique network address, consisting of four bytes (IPv4) or 16 bytes (IPv6). In symbolic form it can be written, for example, as 192.124.0.8 (IPv4) or 2001:0fb6:89ac:0000:0000:8a4b:0330:8634 (IPv6). It is hard for a person to tell from such a notation which host of the network is meant, so on the Internet it is customary to designate hosts by domain names, for example www.stormwall.network. A fully qualified domain name is essentially a synonym for an IP address: a more “human” name that many users will understand.
A domain name looks like a sequence of domains (symbolic names of areas of the Internet, arranged in a hierarchical system), with periods as separators. For example, in the domain name domain3.domain2.domain1, domain1 is the top-level domain of the hierarchy, domain2 is the second-level domain, and domain3 is the third-level domain. Similarly, in the domain name www.stormwall.network, network is the top-level domain of the hierarchy, stormwall is the second-level domain, and www is the third-level domain.
The correspondence between domain names and IP addresses is precisely what the DNS system provides – it allows you to access individual Internet sites not by a “mysterious” (from the point of view of people) IP address, but by a domain name, indicating it, for example, in a browser or in a request to a remote database.
DNS Servers
DNS operation is supported by many geographically distributed software servers arranged in a hierarchical (tree-like) structure.
The system works like this. A browser or other program that interacts with the Internet sends a request to the “closest” DNS server so that it finds the IP address of the desired host using the domain name. If this DNS server “knows” the address, it returns it as a response to the request. If the DNS server cannot find the address in its database, then it sends a request to the server higher in the hierarchy or to the root. The upstream server considers the request and proceeds in the same way: either it finds and sends the IP address of the target host as a response, or transmits the request to the root DNS server, which starts searching on DNS servers lower in the domain hierarchy. If the IP address can be found, then it is passed along the chain to the DNS server from which the search began, and that server sends a response to the program that formulated the original request. If the search fails, an error message is returned to the program.
Since programs often access the same domains repeatedly, their addresses are stored close by: in the hosts file, the local DNS settings file. If the required address is not there, the request goes to the local DNS server within the network, which first searches its cache, then to the DNS server of the Internet provider, and so on.
Reverse lookup, in which the domain name is searched for by the IP address of an Internet host, is handled in a similar way. This search is used, in particular, in e-mail systems.
Another important type of request is to add or modify the information stored in the DNS. For example, for a site with a new domain name (something like newservername.com) to work, you need to register it, make the necessary settings, and specify the IP addresses of the DNS servers that “know” where the new site is located. It takes some time, usually 24 hours, for information about the new domain name to become known to the entire Internet and for the new site to start working.
Very often, site owners prefer not to run DNS servers themselves but to place them with third-party hosting providers, which increases the availability of their sites. To minimize risks, site owners use the services of several hosting providers: if the DNS server at one of the sites suddenly becomes unavailable, the path to the site will be “pointed” by the DNS servers located at the other sites.
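A simplified model of the lookup just described, added here as an illustration and not part of the original article: a resolver walks the delegation chain from the root down and caches what it learns for a TTL, answering repeated requests from the cache. The server names, zone data and the address 192.0.2.10 are constructed for this example.

```python
import time

# Constructed zone data: each server either knows the final address (A) or
# which server to delegate to (NS). Names and addresses are made up.
ZONES = {
    "root":        {"network.": ("NS", "tld-server")},
    "tld-server":  {"stormwall.network.": ("NS", "auth-server")},
    "auth-server": {"www.stormwall.network.": ("A", "192.0.2.10")},
}

def resolve_iteratively(name, log, max_hops=10):
    """Follow delegations from the root until an A record (or nothing) is found."""
    server = "root"
    for _ in range(max_hops):  # hop limit guards against delegation loops
        log.append(f"ask {server} for {name}")
        records = ZONES[server]
        # Longest suffix this server has a record for (label-aligned).
        match = max((s for s in records if name == s or name.endswith("." + s)),
                    key=len, default=None)
        if match is None:
            return None  # this server knows nothing about the name
        rtype, value = records[match]
        if rtype == "A" and match == name:
            return value
        if rtype == "NS":
            server = value  # delegated: continue one level down
            continue
        return None
    return None

class CachingResolver:
    """Resolver that serves repeated lookups from its cache while the TTL holds."""
    def __init__(self, ttl_seconds=300, now=time.time):
        self.cache = {}         # name -> (expires_at, address)
        self.ttl = ttl_seconds
        self.now = now          # injectable clock, so expiry can be tested

    def lookup(self, name, log=None):
        log = [] if log is None else log
        entry = self.cache.get(name)
        if entry is not None and entry[0] > self.now():
            log.append(f"cache hit for {name}")
            return entry[1]
        addr = resolve_iteratively(name, log)
        if addr is not None:
            self.cache[name] = (self.now() + self.ttl, addr)
        return addr
```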
Note that more advanced DNS server hosting providers such as StormWall, in addition to hosting itself, also provide DNS protection against attacks.
DNS Zones
The entire DNS namespace is divided into zones, each of which is the responsibility of a certain DNS server or group of DNS servers. Responsible (authoritative) DNS servers answer requests within their zones. If you think of the entire DNS structure as a tree of domain names, then a zone is, in fact, a part of this tree that is stored on the responsible DNS server.
It should be noted that not all DNS servers are authoritative: some of them hold no zone configurations and perform only caching, which reduces client request traffic, forwarding requests that could not be resolved at this node to upstream DNS servers.
Depending on what kind of search can be carried out within the zone (IP addresses by domain name, or, conversely, domain name by IP address), it is customary to separate forward lookup zones and reverse lookup zones.
Protecting DNS servers from attacks
DNS servers are often attacked, and the results are quite painful for the owners of Internet resources. Attacks on DNS server vulnerabilities can lead not only to a loss of performance, but also to corruption of the information stored on them, for example replacing the existing IP addresses with new ones (DNS spoofing), so that users end up on a resource controlled by the attacker instead of the site they need.
The main consequence of DDoS attacks on DNS servers is that they become inaccessible to users. And since the DNS servers stop serving legitimate external requests, the sites behind them also become inaccessible. In this case the owners suffer both material losses (lost profits, claims from dissatisfied customers, a decrease in their loyalty and churn) and reputational ones (a wave of negativity in the media and social networks). Unfortunately, repelling DDoS attacks on DNS servers turns out to be very difficult, because many attacks are carried out over the UDP protocol, which has many vulnerabilities.
The most common types of DDoS attacks on DNS servers are as follows:
- Simple DNS flood: a powerful stream of requests to the DNS server, intended to overload it. Typically, a relatively small botnet is enough to create a stream sufficient for a successful attack.
- DNS reflection attack: based on the fact that a DNS response is several times longer than the request itself. To attack the targeted DNS server, DNS requests with the victim’s IP address in place of the source IP address are sent to one or more other DNS servers. As a result, a stream of DNS responses falls on the victim, and analyzing them consumes a significant part of the victim server’s performance, up to a complete denial of service.
- DNS amplification attack: a type of DNS reflection attack that exploits vulnerabilities in DNS servers. By using DNS servers with recursive request processing, the traffic is amplified 30-60 times or more. Thus, an attacker with a botnet that sends spoofed requests to recursive servers is able to create a very powerful stream of traffic to the victim’s DNS server.
In order to minimize the risks of attacks on the DNS and increase the integrity and reliability of the data stored in it, security mechanisms are built into DNS servers: DNSSEC, TSIG, DANE, etc.
In addition, the following steps are recommended:
- Run DNS servers on dedicated physical servers of sufficient capacity. Preferably place them in different data centers that belong to different network segments and have several routes.
- Update DNS server software regularly.
- Restrict administrative access to DNS servers to a narrow circle of people, and only from within the network or through a VPN.
- Disable unused network protocols and services on the server.
- Disable recursive request processing on DNS servers.
- Disallow dynamic updates of DNS zones.
- Configure protection against spoofing.
- Disable additional lookups of DNS servers’ IP addresses.
- Disable zone transfers on your DNS servers.
- Disable all other DNS server functions that are not currently in use.
- Scan DNS servers regularly for known vulnerabilities.
- Subscribe in advance to a service that pre-filters traffic directed at DNS servers and automatically enables mitigation of attacks on DNS.
To prevent a powerful DDoS attack on DNS servers from taking you by surprise, have a plan in advance for what you will do once it starts, as well as a disaster recovery plan in case your DNS servers go out of service. It is also necessary to ensure that IT staff are trained regularly and know what to do if an attack on a DNS server occurs.
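Three of the items above (disable recursion, disallow dynamic updates, disable zone transfers) and the open-recursion condition behind amplification attacks can be checked in a BIND named.conf. The audit below is an added example, not code from the original article or from BIND; the two configuration fragments, their paths and the secondary address 192.0.2.2 are constructed.

```python
import re

# Constructed BIND named.conf fragments (paths and addresses are made up) so
# the audit runs offline: one with weak settings, one hardened.
WEAK_CONFIG = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
    allow-update { any; };
};
"""

HARDENED_CONFIG = """
options {
    directory "/var/named";
    recursion no;
    allow-transfer { 192.0.2.2; };  // the only secondary server
    allow-update { none; };
};
"""

def _strip_comments(text):
    # named.conf allows /* */, // and # comments.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)

def _tokens(text, name):
    """Tokens of the first `name ...;` statement, or None if it is absent."""
    m = re.search(r"(?<![\w-])" + name + r"\s+(\{[^}]*\}|[^;{]+);", text)
    return re.findall(r"[^\s{};]+", m.group(1)) if m else None

def audit(config):
    """Return (directive, finding) pairs for the hardening items in the text."""
    text = _strip_comments(config)
    findings = []
    rec = _tokens(text, "recursion")
    if rec is None or rec == ["yes"]:  # BIND defaults to recursion yes
        findings.append(("recursion", "recursion is on; set 'recursion no;' on authoritative servers"))
    xfr = _tokens(text, "allow-transfer")
    if xfr is None or "any" in xfr:
        findings.append(("allow-transfer", "zone transfers are not restricted to known secondaries"))
    upd = _tokens(text, "allow-update")
    if upd is not None and upd != ["none"]:
        findings.append(("allow-update", "dynamic zone updates are enabled"))
    return findings
```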