18 July 2016
Blogs by author: Tim Rooney, Diamond IP Product Management Director, BT.
In the first of three blogs on security, Tim Rooney lays out the facts about DNS and why it could be a weakness in your cyber defences.
What is DNS?
The domain name system (DNS) was invented thirty-three years ago to serve as the Internet directory. As you browse the Internet using your computer, tablet, mobile phone, or other device, you navigate by entering the names of various websites — typically ‘www’ addresses. But your device connects to the intended Internet destination by sending Internet Protocol (IP) data packets, which are addressed using IP addresses, not ‘www’ addresses. DNS provides the vital link when looking up ‘www’ addresses that people use, and translating them to IP addresses that devices use.
The basic concept of DNS is very simple: ask a question (the ‘www’ address) and get an answer (an IP address). But the mechanics involve a number of DNS entities, many of which lie outside of your organisation. And this could expose your network to security compromise.
The distributed nature of DNS.
By its very nature, the global Internet DNS system serves as a distributed data repository containing ‘www’ names (and other names of course, but let’s keep it simple) and corresponding IP address information. The distributed nature of DNS applies not only to the global geographic spread of DNS servers housing this repository, but also to the distribution of administration of the information published within the respective domains of this repository. Each organisation that wants an Internet presence obtains a domain name, e.g. ‘example.com’, under which its IT administrators publish www-to-IP address translation information in their DNS servers.
How it works.
When you enter a ‘www’ address in your browser, your device will issue a DNS query to your local DNS server, as configured by the administrator of your network. For example, your enterprise IT staff configures local DNS servers for your use when on the enterprise network, while your service provider operations team configures a local DNS server for your use when on broadband. Meanwhile, the wi-fi network administrator provides a local DNS server for use when on their wi-fi network.
Different servers, answering one DNS question.
The job of this local DNS server is to fetch the answer to your ‘www’ query on the Internet. If you want to browse to ‘www.example.com’, the local DNS server will first locate the DNS servers configured by the ‘example.com’ DNS administrators, then it will query one of these servers for the IP address corresponding to ‘www.example.com’.
The local DNS server locates the ‘example.com’ DNS servers by querying other DNS servers on the Internet, corresponding to your entered domain name. For example, it will query the Internet root DNS servers, which will refer to the ‘.com’ DNS servers, which will in turn refer to the ‘example.com’ DNS servers. Your single question for ‘www.example.com’ therefore generates three queries from the local DNS server to locate the information source, and to answer the question as illustrated in the figure below.
The local DNS server is generally referred to as a ‘recursive DNS server’, given its function of recursively querying other servers to track down an answer. Upon receiving an answer, the local DNS server will provide that answer back to your device, so your browser can connect to the corresponding IP address — 192.0.2.54 in this case. The local DNS server also caches this answer so, should another device on the network ask the same question, it may respond immediately without having to reissue the three Internet queries each time.
Why this raises security concerns.
Question asked, answer received. What can go wrong? A sufficiently paranoid security analyst may point out the following basic exposure points in this process:
- Your device could be misconfigured and attempt to contact an attacker’s local DNS server.
- The local DNS server could be misconfigured or hacked, rendering it unable to process queries, leaving name translation unavailable and thus the Internet unavailable.
- An Internet DNS server could be misconfigured or hacked, leaving it in a state of providing incorrect answers, possibly misdirecting device connections or rendering Internet connections unavailable.
- An imposter Internet DNS server could falsify, answer and redirect your device to an attacker website. And the local DNS server could provide this cached and falsified answer to other devices that attempt to connect.
And the threat could be amplified.
Now consider that a single web page likely contains numerous DNS names, requiring lookup to load images, videos, scripts, ads, and other resources. Your browser issues a query for each unique name, resulting in numerous queries of this sort for a single web page. So exposure to what can go wrong is amplified. And that exposure results merely from legitimate users making legitimate queries. Imagine an attacker has successfully installed malware on a device within your network.
And this malware uses DNS to locate its command and control centre for instructions and software updates, or to export retrieved corporate information.
How can you protect your devices, your DNS infrastructure and your network? Stay tuned for part two of this series to find out.
And to get more information on DNS and its security vulnerabilities, visit BT’s website.