In: Electrical Engineering
in order to destroy a DNS server what kind of attack can you propose? discuss possible protections to your proposals
What kind of attack on a DNS server:
DNS Cache Poisoning Attacks
DNS cache poisoning occurs when an attacker sends falsified and usually spoofed RR information to a DNS resolver. Once the DNS resolver receives the falsified RR information, it is stored in the DNS cache for the lifetime (Time To Live [TTL]) set in the RR. To exploit this flaw in the DNS resolver implementation so it will store the falsified information, an attacker must be able to correctly predict the DNS transaction identifier (TXID) and the UDP source port for the DNS query (request) message. Attackers use this exploitation technique to redirect users from legitimate sites to malicious sites or to inform the DNS resolver to use a malicious name server (NS) that is providing RR information used for malicious activities.
DNS Amplification and Reflection Attacks
DNS amplification and reflection attacks use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack, actions that typically result in a DoS or DDoS attack. These attacks are possible because the open resolver will respond to queries from anyone asking a question. Attackers use these DNS open resolvers for malicious activities by sending DNS messages to the open resolvers using a forged source IP address that is the target for the attack. When the open resolvers receive the spoofed DNS query messages, they respond by sending DNS response messages to the target address. Attacks of these types use multiple DNS open resolvers so the effects on the target devices are magnified.
Resource Utilization Attacks
Resource utilization attacks on DNS open resolvers consume resources on the device. Examples of such resources include CPU, memory, and socket buffers. These types of attacks try to consume all available resources to negatively impact operations of the open resolver. The impact of these attacks may require the device to be rebooted or a service to be stopped and restarted.
Possible protections:
Multiple vendors have products that implement the DNS protocol and that can be configured as a DNS open resolver intentionally or unintentionally. A configured open resolver exposed to the Internet allows anyone to send DNS queries to the resolver. The examples that follow are configurations for some vendor products that are broadly deployed throughout the Internet. These example configurations show how to prevent a DNS server from acting as an open resolver.
Berkeley Internet Name Domain
Berkeley Internet Name Domain (BIND), a software product of Internet Systems Consortium, Inc., implements the DNS protocol that is discussed in this document. The following configurations can be applied to BIND so that the DNS server is prevented from acting as an open resolver. These configurations are applied in the 'named.conf' configuration file.
* Use the latest DNS software and ensure patches are applied. The Internet Systems Consortium (ISC) also regularly issues updates and patches for Berkeley Internet Name Domain (BIND), the most widely used DNS server. BIND is thought to deliver an excellent balance between speed and security, ease of administration and robustness, and RFC standards integration and universal applicability. But BIND is also the most attacked DNS server, so businesses need to run the latest version to protect against security flaws.
* Segregate Authoritative and Caching/Recursive functions within the DNS server, as recommended by ICANN. Authoritative servers should only accept queries they can answer authoritatively and have recursion disabled. This helps to prevent the Recursive Name Server Reflection Attacks common in DDoS attacks.
This is particularly critical with BIND, where key authoritative and recursive functions are contained within the same code in a single DNS engine. By incorporating a second DNS engine in the same appliance with separate authoritative and recursive functions, you can significantly increase the security and reliability of critical DNS services. For instance, use an alternative DNS engine such as Unbound and NSD. Unbound is a validating, recursive and caching DNS resolver that is designed for high performance, while NSD is an authoritative-only, high-performance name server.
* Eliminate Single Points of Failure. To mitigate the effects of zero-day attacks and ensure that you won’t be vulnerable to a full-on DoS attack, best practices suggest using a hybrid DNS strategy. A hybrid strategy helps make DNS security footprints baffling to hackers by running a different type of algorithm for each DNS engine. When a new security alert is issued, a network owner can quickly and temporarily switch to another engine. The alternative engine can remain in place while DNS programmers patch, test and validate a security upgrade for the first engine. Plus, with multiple DNS engines in place, hackers will never be sure which name server software is running—making the task of analyzing DNS network packet footprints to discover its vulnerabilities quite complex and virtually impossible.
* Architect for Redundancy and Security. As part of best practice deployment, selecting the appropriate DNS architecture for your company’s environment is very important. Deployment strategies should always include high availability and built-in mechanisms for easy recovery in the event of a disaster.
* Implement a DNS Firewall. Protect against DNS-based malware by using DNS Firewalls to block workstations from reaching malicious sites. At the same time, the DNS Firewall can protect against initial infection by placing the infected user in a Walled Garden so the system administrator can be notified that a user may be infected.
* Implement a high-performing DNS to absorb DDoS attacks. During a DDoS attack, the hacker tries to kill the DNS server or corrupt the DNS Cache so some queries will not be answered. Using DNS Queries filtering to combat this isn’t recommended because doing so opens security holes. Instead, make sure your DNS infrastructure has the capability to always answer all DNS queries.
With the rise in mobile, cloud solutions and Internet-connected devices, not only will DNS attacks become ever-more prevalent and complex, they will directly impact companies’ core business. Bearing in mind that the best defense is a great offense, now is the time to deploy best practices and technologies that can keep you several steps ahead of the attackers, mitigate the impacts of DNS attacks, and ensure your network is up for the challenge.
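The BIND section of the answer says the configurations are applied in 'named.conf' but does not show them. As an added example (not from the answer above and not ISC's own documentation), here is the open-resolver combination beside the locked-down authoritative-only and recursive-only configurations the answer recommends, plus the equivalent Unbound access control. The ACL networks, the 192.0.2.10 secondary address and the 10.0.0.53 listen address are assumed placeholders to be replaced with your own.

```conf
// --- What an open resolver looks like: recursion for anyone who asks. ---
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // this line is the reflector
};

// --- Authoritative-only server (public-facing, serves your zones). ---
acl "secondaries" { 192.0.2.10; };     // assumed placeholder address
options {
    recursion no;                      // never look anything up for a client
    allow-query { any; };              // our own zones may be asked by anyone
    allow-query-cache { none; };       // nothing to hand out from a cache
    allow-recursion { none; };
    allow-transfer { secondaries; };
    minimal-responses yes;             // smaller answers, less to reflect
    rate-limit {                       // BIND 9.9.4 and later
        responses-per-second 5;
        window 5;
        slip 2;                        // every 2nd over-limit answer is truncated
    };
    version "not disclosed";
};

// --- Recursive resolver (internal clients only). ---
acl "trusted" { 127.0.0.0/8; ::1/128; 10.0.0.0/8; 192.168.0.0/16; };  // placeholders
options {
    listen-on { 10.0.0.53; };          // assumed placeholder address
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    dnssec-validation auto;            // validate answers before caching them
};

# --- Same intent for Unbound (unbound.conf). ---
server:
    interface: 10.0.0.53
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
```

The two options{} stanzas go in separate servers' files, not one file, which is the segregation the answer describes. To check a server from outside your network, ask it for a name it is not authoritative for (for example dig @your.server www.example.org A): a correctly configured server answers without the ra flag and with status REFUSED or an empty answer, never with a resolved address.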
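The cache-poisoning section of the answer says a forged response has to match the transaction ID and the UDP source port. As an added example (not part of the answer above, and not any resolver's real code), here are the acceptance checks a resolver applies before caching a response, and the probability that blind guessing gets past the TXID with and without source-port randomisation. The zone, names and addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Resolver-side checks a blind cache-poisoning attempt must defeat, plus the
odds of a blind guess succeeding.  Added example with constructed data; the
zone, names and IP addresses are illustrative placeholders."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # UDP source port the resolver sent the query from
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # must equal the query's source port
    qname: str
    qtype: str
    answers: tuple       # (owner name, type, rdata)
    additional: tuple    # extra RRs an attacker likes to smuggle in (glue, NS)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_response(q: Query, r: Response, zone: str) -> bool:
    """Checks a resolver applies before caching anything from a response.
    `zone` is the zone the queried server is responsible for."""
    if r.txid != q.txid or r.dst_port != q.src_port:
        return False                        # wrong TXID or wrong port: ignored
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return False                        # answer to a question we never asked
    for owner, _, _ in r.answers + r.additional:
        if not in_bailiwick(owner, zone):   # e.g. an A record for another domain
            return False
    return True


def blind_success_probability(forged_packets: int, port_entropy: int = 1) -> float:
    """Chance that at least one of `forged_packets` blind responses hits the
    live (txid, port) pair.  port_entropy=1 means a fixed, known source port;
    64512 means the port is drawn uniformly from 1024-65535."""
    space = (1 << 16) * port_entropy
    # 1 - (1 - 1/space)**n, computed without cancellation for tiny 1/space
    return -math.expm1(forged_packets * math.log1p(-1.0 / space))


if __name__ == "__main__":
    zone = "example.com"
    q = Query(txid=0x1A2B, src_port=45873, qname="www.example.com", qtype="A")
    genuine = Response(0x1A2B, 45873, "www.example.com", "A",
                       answers=(("www.example.com", "A", "192.0.2.10"),), additional=())
    # Attacker guessed TXID and port but tried to smuggle an out-of-bailiwick RR.
    forged = Response(0x1A2B, 45873, "www.example.com", "A",
                      answers=(("www.example.com", "A", "198.51.100.66"),),
                      additional=(("ns1.bank.example", "A", "198.51.100.66"),))
    print("genuine accepted:", accept_response(q, genuine, zone))   # True
    print("forged accepted: ", accept_response(q, forged, zone))    # False
    print("65536 blind guesses, fixed port:     %.3f" % blind_success_probability(65536))
    print("65536 blind guesses, random port:    %.2e" % blind_success_probability(65536, 64512))
```

With the source port fixed, 65,536 forged responses hit the live TXID with roughly 63% probability; with the port drawn from the whole ephemeral range the same burst succeeds about once in 65,000 tries. Note what the bailiwick check does and does not do: it rejects the smuggled out-of-zone record, but a forged in-bailiwick answer that guessed TXID and port correctly passes every check above, which is why DNSSEC validation rather than entropy is the complete protection.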
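The amplification and reflection section of the answer says small spoofed queries turn into large responses aimed at the victim. As an added example (not from the answer above), here is that arithmetic on real DNS wire format, together with a simplified per-source response rate limiter of the kind BIND's rate-limit{} and other servers use to blunt it. The DNS message builders are deliberately minimal, the traffic is constructed, and the 203.0.113.9 victim address is an RFC 5737 placeholder.

```python
"""DNS amplification measured in bytes, and a simplified response-rate limiter.
Added example; wire-format helpers are minimal and all traffic is constructed."""
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, root-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int, edns_bufsize: int = 4096) -> bytes:
    """Standard query (RD set) with an EDNS0 OPT record advertising a large UDP
    payload, which is what a reflection attacker sends with the victim's source IP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root, TYPE=OPT, CLASS=bufsize
    return header + question + opt


def build_response(query: bytes, qname: str, txt_values) -> bytes:
    """Answer `query` with one TXT RR per value; owner names use the compression
    pointer 0xC00C back to the question name, as real servers do."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:12 + len(encode_name(qname)) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 0)
    rrs = b""
    for v in txt_values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off`."""
    while buf[off] != 0:
        if buf[off] & 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += buf[off] + 1
    return off + 1


def truncate(response: bytes) -> bytes:
    """Keep header + question only and set TC; a real client retries over TCP,
    which a spoofer cannot complete because it never sees the SYN-ACK."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    qend = skip_name(response, 12) + 4
    return struct.pack("!HHHHHH", txid, flags | 0x0200, qd, 0, 0, 0) + response[12:qend]


def tc_bit_set(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


class ResponseRateLimiter:
    """Per-client response rate limiting, modelled on the idea behind BIND's
    rate-limit{}: up to `responses_per_second` per source address per one-second
    window go out normally; beyond that every `slip`-th response is sent
    truncated and the rest are silently dropped."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.rps, self.slip, self.state = responses_per_second, slip, {}

    def decide(self, client_ip: str, now: float) -> str:
        window = int(now)
        w, n = self.state.get(client_ip, (window, 0))
        if w != window:                  # new one-second window: reset the count
            w, n = window, 0
        n += 1
        self.state[client_ip] = (w, n)
        if n <= self.rps:
            return "send"
        over = n - self.rps
        return "truncate" if over % self.slip == 0 else "drop"


if __name__ == "__main__":
    victim = "203.0.113.9"                           # spoofed source address
    q = build_query(0x1234, "example.com", 16)       # 40-byte TXT query
    r = build_response(q, "example.com", ["x" * 200] * 20)
    print("query %d bytes, response %d bytes, factor %.1fx"
          % (len(q), len(r), amplification_factor(q, r)))
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    print([rrl.decide(victim, 100.0 + i * 0.05) for i in range(9)])
```

A 40-byte query here draws a 4,289-byte response, a factor above 100, and every byte of it goes to whoever was written into the source address. Rate limiting does not stop the spoofed queries from arriving; it caps what the server will reflect per target, and the truncated replies let genuine clients behind a shared address recover over TCP.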