The domain name system (DNS) first rose to fame during the early, innocent days of the internet, when trust and standardisation were assumed, and security was nothing more than an afterthought. Since the pool of users was so small and the internet was scarcely used, the importance of DNS as a core service was widely misunderstood and as a result, left somewhat underdeveloped and more importantly, unprotected.
Fast-forward to today and you can see the result of this initial naivety: an explosion of widespread complexity – DNS is now described by no less than 185 RFCs – and cyber criminals launching disruptive distributed denial of service (DDoS) attacks aimed at the DNS.
With malicious actors finding innovative ways to take down the DNS and the landscape growing more problematic, the stakes are high but the outcome remains simple: no functioning DNS, no website.
Past and present
Luckily, there are many gifted, dedicated individuals who make it their job to ensure that the protocol works for everyone, allowing for the smooth running of DNS.
Over the years, this protocol has grown in sophistication and many workarounds have been put in place to guarantee that DNS can continue to function as part of a rapidly growing internet. However, encouraging server operators, application developers and network infrastructure vendors to update can be a slow process.
As a vital piece of the wider internet puzzle, a combination of protocol and product evolution has pushed and pulled DNS in different directions. While requirements from operators pull DNS towards greater complication, implementers usually have to push back on such changes because they fear the associated risks.
In these cases, the workarounds that accommodate aging and non-compliant implementations end up entrenching legacy behaviours and slowing down DNS performance for everyone. In a bid to solve these problems, vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day.
Flying the DNS Flag
After years of attempting to cover for broken implementations and protocol violations – resulting in delayed response times, high complexity and difficulty upgrading to new features – DNS Flag Day will put an end to the mass backing of many workarounds.
This change – which will affect sites that operate software that doesn’t follow published standards – means technology from DNS vendors will interpret domain timeouts as a sign of a network or server problem. Beginning in just three months’ time, this effectively means that all DNS servers which do not respond to extension mechanisms for DNS (EDNS) queries are going to be treated as dead.
Put simply, as of February 1st, some organisations could be left with a non-functioning domain. In many other cases, affected domains will be unable to support the latest security features and will become an easier target for network attackers.
DIY domain testing
As the old security saying goes, you’re only as strong as your weakest link. But, what if you could improve your strength posture by eliminating the weak links altogether?
The first thing organisations need to do in the run up to Flag Day is directly test their current domain, as well as their DNS servers. This can be done using the extension mechanism compliance tester, which will then provide businesses with a detailed technical report summarising either a failed, partially failed or successful test. Failures in these tests are caused by broken DNS software or broken firewall configuration, which can be remediated by upgrading DNS software to the latest stable version and re-testing. If the tests still fail, organisations will need to look further into their firewall configuration.
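As an added example (not from the article, Neustar or the compliance tester it mentions), here is a minimal stdlib-only Python check in the same spirit: it builds a query carrying an EDNS0 OPT record and classifies the reply as ok, no opt (answered but EDNS silently dropped), formerr (OPT rejected) or timeout, the last being exactly what Flag Day resolvers will treat as a dead server. The server address and domain passed to `check_server` are the caller's own assumptions.

```python
import socket
import struct

def build_edns_query(name, txid=0x1234, qtype=1, udp_size=4096):
    """DNS query for `name` carrying an EDNS0 OPT record (RFC 6891), as Flag Day checks do."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = [s.encode() for s in name.strip(".").split(".")]
    question = b"".join(bytes([len(s)]) + s for s in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def skip_name(buf, off):
    """Offset just past a (possibly compressed) domain name starting at `off`."""
    while buf[off] and (buf[off] & 0xC0) != 0xC0:  # walk labels until root or pointer
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)  # pointer is two bytes, root label one

def classify_response(resp):
    """Map a raw reply (None on timeout) to a compliance verdict."""
    if resp is None:
        return "timeout"  # the case post-Flag-Day resolvers will treat as a dead server
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip qtype + qclass
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == 41
    rcode = flags & 0xF
    if has_opt and rcode == 0:
        return "ok"
    if rcode == 1:
        return "formerr"  # server rejected the OPT record outright: broken EDNS handling
    return "no opt"  # answered but silently dropped EDNS: partial compliance

def check_server(server, name, timeout=3.0):
    q = build_edns_query(name)  # live check over UDP/53; server and name are caller-supplied
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data = s.recvfrom(4096)[0]
        except socket.timeout:
            data = None
    return classify_response(data)
```

A "timeout" verdict from a server that does answer plain queries usually points at a firewall dropping packets with an OPT record, which is the firewall case the article describes.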
As well as carrying out the initial testing, businesses also need to use the next three months to get their domain ducks in a row. For organisations with multiple domains that are clustered on a single network and share a name server with many others, there is an increased chance that you will end up feeling the knock-on effect of someone else’s attack. For those using a third-party DNS provider, most attacks on the network won’t be aimed at you, but a domain sharing your provider puts you at greater risk.
The weakest link
With a fresh wave of potentially weak domains spanning the internet, there is even greater opportunity for cyber criminals to exploit the vast number of vulnerable DNS servers through numerous types of DDoS attacks.
DNS amplification is just one of these: attackers send small look-up queries with the target’s spoofed IP as the source, so that the responding servers direct much larger DNS responses at the target, quickly overwhelming its capacity, with the goal of blocking legitimate DNS queries and exhausting an organisation’s network.
Another common type of attack is DNS floods, which are directed at the DNS servers hosting specific websites. These try to drain server-side assets (for instance, memory or CPU), with a barrage of UDP requests, generated by running scripts on compromised botnet machines.
We can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect.
What’s to come?
Recognising that cyber-attacks aren’t going away any time soon, organisations are now spending a significant amount of time, money and resource on security. Today’s malicious online actors are able to focus on the results that they want and, in many cases, use the DNS to get there. Combined with misplaced priorities and the assumption that a variety of problems can be treated with just one or two types of technology, this has left the threat landscape wide open.
While there is still a lot of work to be done when it comes to DNS, Flag Day is certainly a positive step in the right direction. It’s time businesses not only understood the critical role that DNS plays in the wider internet infrastructure, but also got more aggressive with their approach to security. The Domain Name System should be the first step towards complete protection, acting as an initial line of defence for any communication attempting to enter or leave the network.
Steve De Jong, Engineer, Neustar