
A Decentralized Model: The Ultimate Solution for DNS Security?


By: chiheb chebbi

July 10, 2017

DNS Definition:
The Domain Name System (DNS) was invented in 1983 by Paul V. Mockapetris, an American computer scientist and Internet pioneer, with the help of Jon Postel. The aim of DNS is to make retaining addresses easier by providing a naming structure that uses names rather than long sequences of numbers. Remembering a name is much easier than remembering "". Before then, addresses on ARPANET were linked to host names using a huge file, hosts.txt.

How DNS works?
For more information about how DNS works, just check this cool explanation.

Protocol:
The DNS specifications are RFC 1034 and RFC 1035. According to the Internet Systems Consortium, there are many other RFCs related to DNS, grouped as follows:
  • Bgnd – Background information on DNS
  • Prot – Describes protocol elements of DNS (excluding wire format of resource records, but including general operation)
  • Names – Information about valid DNS names
  • Ops – Recommendations for DNS operations
  • RR – Definitions of resource records
  • Proxy – Standards for DNS proxies
  • Stub – Standards for stub resolvers
  • Auth – Standards for authoritative servers
  • Res – Standards for recursive resolvers
  • Xfr – Defines the full (AXFR) and incremental (IXFR) transfer protocol.
  • DDNS – Dynamic DNS
  • DNSSEC – DNSSEC-related RFCs
The DNS protocol Fields

To avoid a single point of failure and to speed up the transfer of information, DNS is designed as a distributed storage system. In other words, DNS data is distributed across many servers in a hierarchical organization, which also avoids name conflicts. There are 13 root name servers around the world.
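As an added illustration of the header, question and answer fields described above (this is not code from the original post), the following Python script parses a DNS response built by hand. The packet bytes, the name example.com and the address 192.0.2.1 are constructed sample values, and read_name and parse are my own function names.

```python
import struct
# Added example: parse the header, question and answer fields of a DNS message.
# The packet below is constructed by hand (not captured traffic): a response to an
# A query for example.com, answering with the documentation address 192.0.2.1.
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: ID 0x1234, QR=1 RD=1 RA=1, QD=1, AN=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com, QTYPE=A, QCLASS=IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # answer: name ptr->12, A, IN, TTL 3600, RDLEN 4
    b"\xc0\x00\x02\x01"                                  # RDATA: 192.0.2.1
)

def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 §4.1.4); return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # two high bits set: compression pointer
            if not jumped:
                end = off + 2                # the name field itself ends after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse(msg):
    """Return (header fields, question, answers) for a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
           "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
           "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):                      # only the answer section is decoded here
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: render IPv4 dotted-quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return hdr, (qname, qtype, qclass), answers
```

The 16-bit ID and the flag bits decoded here are exactly the fields a resolver matches against its outstanding query before accepting a reply, which is why their unpredictability matters in the cache-poisoning attacks discussed below.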
A fully qualified domain name (FQDN) has the following format: <host_name>.<Domain_name>
  • DNS Zone: a domain's data together with its subdomains is a DNS zone
  • DNS Delegation: the parent domain can delegate responsibility for a subdomain
  • DNS Client: a web browser, for example, that uses a domain name
  • DNS Server: a server that stores DNS data and serves requests for the client
  • DNS Cache: a DNS server without any authoritative names (it can't manage information about a domain)
  • DNS Resolver: manages DNS queries
  • Reverse queries: IP -> Name
  • Forward queries: Name -> IP
  • Zone Transfer: the process of copying zone files from master servers to slave servers
To test a zone transfer you can use the host utility:
DNS Attacks

DNS is a prime target for many attacks, malicious activities, and vulnerabilities:
  • Single Point of Failure: this happens when a single server at a single site is used
Attack Study case 1: How, Why Microsoft Went Down
  • Man In the Middle Attacks: an attacker intercepts the traffic or redirects it without the knowledge of the victim.
Attack Study case 2: Man-in-the-middle case: Mumbai firm loses Rs 10.89 lakh to online fraudster
  • DNS Cache Poisoning: redirecting the users of a server away from legitimate servers and towards fake ones
Attack Study case 3: Google's Malaysian Domains Hit with DNS Cache Poisoning Attack
  • Kaminsky DNS Vulnerability: this vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends.
Attack Study case 4: An Illustrated Guide to the Kaminsky DNS Vulnerability
  • Dynamic DNS (DDNS): used by malware to avoid detection by changing addresses quickly
  • Distributed Denial of Service (DDoS) attacks: this attack occurs when multiple systems flood the bandwidth or resources of a targeted system
Attack study case 5: A massive DDOS attack against Dyn DNS is causing havoc online

Prevention:
There are many ways to defend against DNS attacks. First, monitoring data and keeping backups is very important, including logs and network traffic. Caching, acceleration and high availability are also good strategies against many types of threats.

DNSSEC
DNSSEC (RFC 3757) is a set of security extensions added to the DNS protocol. The aim of DNSSEC is to maintain data authentication and integrity. In 2005 NSEC (DNS resolvers use NSEC records to verify the non-existence of a record name) was replaced by NSEC3.

DNSChain
By definition, according to Rohit Khare, "a decentralized system is one which requires multiple parties to make their own independent decisions". In such a decentralized system, there is no single centralized authority that makes decisions on behalf of all the parties.

Blockchain technology could be a great opportunity and an amazing solution for DNS security threats, for many reasons. There is no need for a third party or an intermediary: no more Man in the Middle and DDoS attacks, thanks to the trust established between a given user and a server and to the absence of a central point of control. When it comes to digital certificates, using blockchain is much easier because the user publishes his own signed certificate.

One of the most ambitious projects is DNSChain, a free and secure decentralized DNS alternative created by okTurtles. The project can be cloned from this link:

Thanks to the following table we can check the difference between the two models.
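As an added closing example tied to the DNSSEC section above (not code from the original post or from the DNSChain project), the following Python snippet shows how a validating resolver uses NSEC records to prove that a name does not exist: it compares names in DNSSEC canonical order (RFC 4034 section 6.1) and handles the last NSEC record of the chain, which wraps around to the zone apex. The zone example.com and its NSEC chain are constructed sample data, and the function names are my own.

```python
# Added example: NSEC denial-of-existence check in DNSSEC canonical order.
# Constructed sample zone (not real data): apex example.com with a three-record
# NSEC chain  example.com -> a.example.com -> m.example.com -> example.com
APEX = "example.com."
NSEC_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "m.example.com."),
    ("m.example.com.", "example.com."),   # last record wraps around to the apex
]

def canon_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 §6.1): labels compared
    from the root downwards, case-insensitively, as raw bytes."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode("ascii") for label in reversed(labels)]

def in_zone(qname, apex):
    """True if qname is the apex itself or a name below it."""
    q, a = canon_key(qname), canon_key(apex)
    return q[:len(a)] == a

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record owner -> next_name proves that qname does not exist."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if q == o:
        return False          # the name exists; NSEC then only lists its missing types
    if n == canon_key(apex):  # final record in the chain: covers everything after owner
        return q > o
    return o < q < n

def find_covering_nsec(chain, qname, apex=APEX):
    """Return the NSEC record that covers qname, or None when no record proves
    its non-existence (the name exists, or it lies outside the zone)."""
    if not in_zone(qname, apex):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname, apex):
            return (owner, next_name)
    return None
```

A full validator must also verify the RRSIG over the covering NSEC record and handle the hashed owner names of NSEC3; this snippet covers only the ordering check.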