A Decentralized Model: The Ultimate Solution for DNS Security?

July 10, 2017 | Views: 3155


DNS Definition:

The Domain Name System (DNS) was invented in 1983 by Paul V. Mockapetris, an American computer scientist and Internet pioneer, with the help of Jon Postel. The aim of DNS is to make addresses easier to remember by providing a naming structure that uses names rather than long sequences of numbers: remembering www.icann.org is much easier than remembering “192.0.32.7”. Before then, addresses on the ARPANET were linked to host names using a huge file, hosts.txt.

How does DNS work?

 

 

For more information about how DNS works, check this cool explanation: https://howdns.works/ep1/

DNS Protocol:

DNS is specified in RFC 1034 and RFC 1035. According to the Internet Systems Consortium, many other RFCs relate to DNS, in categories such as:

  • Bgnd – Background information on DNS
  • Prot – Describes protocol elements of DNS (excluding wire format of resource records, but including general operation)
  • Names – Information about valid DNS names
  • Ops – Recommendations for DNS operations
  • RR – Definitions of resource records
  • Proxy – Standards for DNS proxies
  • Stub – Standards for stub resolvers
  • Auth – Standards for authoritative servers
  • Res – Standards for recursive resolvers
  • Xfr – Defines the full (AXFR) and incremental (IXFR) transfer protocol.
  • DDNS – Dynamic DNS
  • DNSSEC – DNSSEC-related RFCs

 

 

The DNS protocol Fields

To avoid a single point of failure and to ensure faster transfer of information, DNS is designed as a distributed storage system. In other words, DNS data is distributed across many servers in a hierarchical organization to avoid name conflicts. There are 13 root domain names around the world.

The format of a Fully Qualified Domain Name (FQDN) is: <host_name>.<Domain_name>

 

DNS Zone: the data for a domain and its subdomains.

DNS Delegation: the parent domain can delegate responsibility to a subdomain.

DNS Client: a program that uses a domain name, for example a web browser.

DNS Server: a server that stores DNS data and serves client requests.

DNS Cache: a DNS server without any authoritative names (it can’t manage information about a domain).

DNS Resolver: manages DNS queries.

Reverse queries: IP -> Name

Forward queries: Name -> IP

Zone Transfer: the process of copying zone files from master servers to slave servers.

To test a zone transfer, you can use the host utility.
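With host, the check is `host -l <zone> <name server>`, which should fail on a server that restricts transfers. The added example below (not from the original article) performs the same audit in Python against a server you operate: it builds the AXFR query from the DNS header fields and classifies the first reply. The sample replies are constructed, and the zone and server passed to `check_server` are placeholders you supply.

```python
import secrets
import socket
import struct

AXFR, IN = 252, 1  # QTYPE and QCLASS values from RFC 1035
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire format: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid):
    """Header (ID, flags, QD/AN/NS/AR counts) plus a single AXFR question."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!2H", AXFR, IN)

def classify_response(msg, txid):
    """Return (verdict, rcode, answer_count) for the first reply message."""
    if len(msg) < 12:
        return ("malformed", None, 0)
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if rid != txid or not flags & 0x8000:  # ID mismatch or QR bit clear
        return ("malformed", None, 0)
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    if rcode == "NOERROR" and ancount > 0:
        return ("transfer-allowed", rcode, ancount)
    return ("transfer-refused", rcode, ancount)

def check_server(zone, server, timeout=5.0):
    """Ask `server` for an AXFR of `zone` over TCP and classify the reply."""
    txid = secrets.randbits(16)
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        reader = sock.makefile("rb")
        prefix = reader.read(2)
        if len(prefix) < 2:  # server closed the connection without answering
            return ("transfer-refused", "connection closed", 0)
        return classify_response(reader.read(struct.unpack("!H", prefix)[0]), txid)

# Constructed replies (not captured traffic) to a query for zone example.com.
QUESTION = encode_name("example.com") + struct.pack("!2H", AXFR, IN)
SAMPLE_REFUSED = struct.pack("!6H", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
SAMPLE_ALLOWED = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION  # records omitted

if __name__ == "__main__":
    for label, msg in (("refused", SAMPLE_REFUSED), ("allowed", SAMPLE_ALLOWED)):
        print(label, classify_response(msg, 0x1234))
```

A "transfer-allowed" verdict from a host that is not one of your secondary servers means the zone's full contents are readable by anyone who asks.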

DNS Attacks 

DNS is a prime target for attacks and malicious activity, and it has known vulnerabilities:

  • Single Point of Failure: it happens when we use a single server at a single site

Attack Study case 1: How, Why Microsoft Went Down

http://www.wired.com/2001/01/how-why-microsoft-went-down

  • Man-in-the-Middle Attacks: an attacker intercepts the traffic or redirects it without the knowledge of the victim.

Attack Study case 2: Man-in-the-middle case: Mumbai firm loses Rs 10.89 lakh to online fraudster

http://www.hindustantimes.com/mumbai-news/man-in-the-middle-case-mumbai-firm-loses-rs10-89-lakh-to-online-fraudster/story-xp3AcjLmnh0vAeY8rUIWYO.html

 

  • DNS Cache Poisoning: the act of redirecting the traffic of a server's users away from legitimate servers and toward fake ones

Attack Study case 3: Google’s Malaysian Domains Hit with DNS Cache Poisoning Attack

https://www.tripwire.com/state-of-security/latest-security-news/googles-malaysian-domains-hit-dns-cache-poisoning-attack/

 

  • Kaminsky DNS Vulnerability: This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends.

Attack Study case 4: An Illustrated Guide to the Kaminsky DNS Vulnerability

http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

 

  • Dynamic DNS (DDNS): used by malware to avoid detection by changing the address quickly

 

  • Distributed Denial of Service (DDoS) attacks: this attack occurs when multiple systems flood the bandwidth or resources of a targeted system

Attack study case 5: A massive DDOS attack against Dyn DNS is causing havoc online

https://thenextweb.com/security/2016/10/21/massive-ddos-attack-dyn-dns-causing-havoc-online/#.tnw_NAWxPkXR

 

Prevention:

There are many ways to defend against DNS attacks. First, monitoring data and keeping backups, including logs and network traffic, is very important. Caching acceleration and high availability are also good strategies for avoiding many types of threats.

 

DNSSEC

DNSSEC (RFC 3757) is a set of security extensions added to the DNS protocol. The aim of DNSSEC is to provide data authentication and integrity. In 2005, NSEC (DNS resolvers use NSEC records to verify the non-existence of a record name) was replaced by NSEC3.
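An added example, not from the original article, of how a resolver uses an NSEC3 record to confirm that a name does not exist: it hashes the queried name as NSEC3 specifies (RFC 5155) and checks that the hash falls in the gap between the record's owner hash and its next hash. The record values come from the example zone in RFC 5155 Appendix A; signature validation and the closest-encloser steps of a full proof are left out.

```python
import base64
import hashlib

# NSEC3 uses base32hex; map Python's standard base32 alphabet onto it.
B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercase) wire format: length-prefixed labels, zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """SHA-1 of name||salt, then `iterations` more rounds of SHA-1(digest||salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32_TO_HEX).decode("ascii")

def covers(owner_hash, next_hash, query_hash):
    """True if query_hash lies strictly inside the gap (owner_hash, next_hash)."""
    if owner_hash < next_hash:
        return owner_hash < query_hash < next_hash
    # Last record of the chain: the gap wraps around to the first hash.
    return query_hash > owner_hash or query_hash < next_hash

def record_covers_name(record, qname):
    """record = (owner_hash, next_hash, salt_hex, iterations) of one NSEC3 RR."""
    owner_hash, next_hash, salt_hex, iterations = record
    return covers(owner_hash, next_hash, nsec3_hash(qname, salt_hex, iterations))

# Apex NSEC3 record of the example zone in RFC 5155 Appendix A.
APEX_RECORD = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
               "2t7b4g4vsa5smi47k61mv5bv1a22bojr", "aabbccdd", 12)

if __name__ == "__main__":
    for qname in ("example", "c.x.w.example"):
        print(qname, nsec3_hash(qname, "aabbccdd", 12),
              record_covers_name(APEX_RECORD, qname))
```

A name whose hash equals the owner hash exists in the zone, so the strict comparison in `covers` keeps the record from being read as a denial for it.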

 

DNSchain

According to Rohit Khare's definition, “A decentralized system is one which requires multiple parties to make their own independent decisions.” In such a decentralized system, there is no single centralized authority that makes decisions on behalf of all the parties. Blockchain technology could be a great opportunity and an amazing solution for DNS security threats for many reasons:

There is no need to use a third party or an intermediary. No more man-in-the-middle and DDoS attacks, all thanks to the established trust between a given user and a server, in addition to avoiding a central point of control. When it comes to digital certificates, using a blockchain is much easier because the user publishes his own signed certificate. One of the most ambitious projects is DNSChain, a free and secure decentralized DNS alternative created by okTurtles. The project can be cloned from this link: https://github.com/okTurtles/dnschain

Thanks to the following table we can check the difference between the two models.

