What Is DNS?
DNS, or Domain Name System, is an Internet system that is completely decentralized, and provides a capability to translate IP Addresses (example: 188.8.131.52) to a Domain Name (example: roguesecurity.ca). The DNS system is the reason that we don’t have to type in the ip address for the website that we wish to visit, and instead are able to type in a friendly domain name that is more representative of the website. Whether I enter the domain name in my address bar, or the ip address for google.ca, I’ll be taken to the same website.
Many medium and large businesses operate their own DNS servers on their own network, but most small businesses and individuals rely on downstream DNS servers that may be owned by their Internet Service Provider (ISP) or perhaps they are using one of the many open DNS providers such as Google Public DNS.
How Does DNS Work?
Without going into too much detail, a DNS request is fairly simple.
- You enter a domain name, roguesecurity.ca, into the address bar of your web browser, and hit Enter.
- A request is sent to your designated DNS server with the domain, asking for details on the ip address.
- The DNS server receives the request and looks up the domain name in its table of information.
- If the DNS server finds a matching domain name, it sends the ip address of the domain back to your browser, which your browser uses to actually connect to the website.
4a. If the DNS server is unable to find a matching domain name, or isn’t able to find an ip address, it will respond with an error.
DNS Cache: Our devices keep a history of DNS requests that we make in order to save some work when we revisit a website that you’ve previously visited. The DNS cache updates once in a while to make sure that you have the latest information, and can be emptied manually.
How Is DNS Attacked?
DNS, like most software, has vulnerabilities, exploits, and can cause issues when used inappropriately. DNS itself has existed since the 1980’s and even though it’s received numerous updates over the years, the underlying concepts really haven’t changed much. This has given people more time to understand the Domain Name System, and as an important aspect of how the Internet operates, is a very commonly attacked protocol.
The most direct of DNS attacks is when a cyber criminal gains access to your DNS server directly. However, it’s quite common to see host-based attacks on your local devices that include Cache Poisoning (aka Cache Spoofing). This is one of the most common types of DNS attacks and involves an attacker injecting malicious data into your devices DNS cache. If an attacker replaces the ip address of roguesecurity.ca in my local DNS cache with an ip address that connects to a malicious website, then every time I go to roguesecurity.ca I’ll be taken to the malicious website instead.
The Domain Name System can also be used to steal data. Let me explain. We know that we send a domain name each time that we send a request to a DNS server. DNS queries are simply strings, and strings can include data, including encoded data. DNS Tunneling is where an attacker includes data, either plain-text or encoded, in what appear to be normal looking DNS requests. The attacker needs to get these queries so this may also involve gaining access to an internal DNS server or modifying local DNS.
DNS servers are also perfect for generating DDOS attacks via DNS Flooding or NXDomain attacks. In these instances an attacker floods a DNS server with requests, or generates a large number of invalid requests in order to overwhelm the server with the goal of bringing it offline.
Use a Trusted Provider
The best protection from DNS-based attacks is to use a secure DNS provider that you trust. Google and Cloudflare are two companies that offer free DNS services to the general public, and are quite reliable.
Most home users can’t afford and don’t need their own DNS server, but perhaps you have children and you like the idea of some extra security. That’s where Pi-hole comes in. Pi-hole is a software that acts as a DNS sinkhole and can be used to protect devices on your network from unwanted content, block ads, and even manage network device access.
Pi-hole originated on the Raspberry Pi, but can be installed on most Linux distributions.