E-guide

How to Prevent DDoS Attacks by Securing your DNS

In this e-guide

Distributed Denial of Service (DDoS) Attack p. 2
DNS Security: Defending the Domain Name System p. 7
Protecting the DNS protocol: How DNSSEC can help p. 25
Ways to solve DNS security issues in your organization p. 28
How DNS TXT records can be used against enterprises p. 32
About SearchSecurity p. 36

91% of enterprises who experienced a DDoS attack indicated that one or more of the attacks completely saturated their internet bandwidth, according to NETSCOUT’s 14th Annual Worldwide Infrastructure Security Report.

Luckily, a secure DNS can help prevent DDoS attacks.

In this guide, learn more about DDoS attacks and DNS security including:

• Types of DDoS attacks
• Common DNS security problems
• The DNS protocol: Domain Name System Security Extensions (DNSSEC)
• Ways to solve DNS security issues in your organization
• How to defend against malicious actors who abuse DNS TXT records

Page 1 of 36
Distributed Denial of Service (DDoS) Attack

Margaret Rouse, WhatIs.com

A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

DDoS attacks have been carried out by diverse threat actors, ranging from individual criminal hackers to organized crime rings and government agencies. In certain situations, often ones related to poor coding, missing patches or generally unstable systems, even legitimate requests to target systems can result in DDoS-like results.
How DDoS attacks work

In a typical DDoS attack, the assailant begins by exploiting a vulnerability in one computer system and making it the DDoS master. The attack master system identifies other vulnerable systems and gains control over them by either infecting the systems with malware or through bypassing the authentication controls (e.g., guessing the default password on a widely used system or device).

A computer or networked device under the control of an intruder is known as a zombie, or bot. The attacker creates what is called a command-and-control server to command the network of bots, also called a botnet. The person in control of a botnet is sometimes referred to as the botmaster (that term has also historically been used to refer to the first system "recruited" into a botnet because it is used to control the spread and activity of other systems in the botnet).

Botnets can be composed of almost any number of bots; botnets with tens or hundreds of thousands of nodes have become increasingly common, and there may not be an upper limit to their size. Once the botnet is assembled, the attacker can use the traffic generated by the compromised devices to flood the target domain and knock it offline.
Types of DDoS attacks

There are three types of DDoS attacks. Network-centric or volumetric attacks overload a targeted resource by consuming available bandwidth with packet floods. Protocol attacks target network layer or transport layer protocols using flaws in the protocols to overwhelm targeted resources. And application layer attacks overload application services or databases with a high volume of application calls. The inundation of packets at the target causes a denial of service.

While it is clear that the target of a DDoS attack is a victim, there can be many other victims in a typical DDoS attack, including the owners of the systems used to execute the attack. Although the owners of infected computers are typically unaware their systems have been compromised, they are nevertheless likely to suffer a degradation of service during a DDoS attack.

Internet of things and DDoS attacks

While the things comprising the internet of things (IoT) may be useful to legitimate users, in some cases, they are even more helpful to DDoS attackers. The devices connected to IoT include any appliance into which some computing and networking capacity has been built, and, all too often, these devices are not designed with security in mind.

Devices connected to the IoT expose large attack surfaces and display minimal attention to security best practices. For example, devices are often shipped with hard-coded authentication credentials for system administration, making it simple for attackers to log in to the devices. In some cases, the authentication credentials cannot be changed. Devices also often ship without the capability to upgrade or patch device software, further exposing them to attacks that leverage well-known vulnerabilities.

Internet of things botnets are increasingly being used to wage massive DDoS attacks. In 2016, the Mirai botnet was used to attack the domain name service provider Dyn, based in Manchester, N.H.; attack volumes were measured at over 600 Gbps. Another late 2016 attack unleashed on OVH, the French hosting firm, peaked at more than 1 Tbps.

DDoS defense and prevention

DDoS attacks can create significant business risks with lasting effects. Therefore, it is important for IT and security administrators and managers, as well as their business executives, to understand the threats, vulnerabilities and risks associated with DDoS attacks.
Being on the receiving end of a DDoS attack is practically impossible to prevent. However, the business impact of these attacks can be minimized through some core information security practices, including performing ongoing security assessments to look for -- and resolve -- denial of service-related vulnerabilities and using network security controls, including services from cloud-based vendors specializing in responding to DDoS attacks.

In addition, solid patch management practices, email phishing testing and user awareness, and proactive network monitoring and alerting can help minimize an organization's contribution to DDoS attacks across the internet.
DNS Security: Defending the Domain Name System

Allan Liska and Geoffrey Stowe

The following is an excerpt from DNS Security: Defending the Domain Name System by authors Allan Liska and Geoffrey Stowe and published by Syngress. This section from chapter two explores the importance of DNS security and the common DNS security problems that plague organizations.

Ask any security professional what keeps her awake at night and you will most likely get a response about protecting the organization against phishing attacks. Dive a little deeper and she might express concerns about security challenges with BYOD (bring your own device) or worry over some of the web applications that network users have access to, or that run on the organization's web site. After a few beers she might express concern about the fact that there are more alerts than she can keep up with, or that she does not have a clear picture of everything that is happening on the network.
It is very rare that a discussion about security issues reaches the point where DNS comes up as a topic. That seems like an odd statement to make in a book about DNS security, but it tends to be true. Unless there has been a recent breach in the news involving DNS, generally DNS does not come up as a topic.

DNS is also one of the most outsourced services. Many organizations recognize that they do not have DNS expertise in-house so let their domain registrar or another third party manage the organization's zones and only run recursive DNS services internally (though, often even that is outsourced to the ISP providing connectivity to the organization). With little or no control of the DNS infrastructure residing within the organization it is easy to see how DNS can become an afterthought in security plans.

But, DNS security needs to be at the forefront of every discussion about network security. DNS attacks are more common than most people realize and failures in DNS security can be crippling to an organization. How much money does an organization lose every hour that it is unreachable via email? How about when a fully functioning web site is invisible to the Internet, or worse, visitors to a web site are redirected to a malicious web site? A 2014 study done by Vanson Bourne found that 75% of organizations in the United States and the United Kingdom had been impacted by a DNS attack and 49% had uncovered some sort of DNS-based attack in the previous 12 months. So, DNS attacks are prevalent, but they are not necessarily getting the attention they deserve.

DNS falls into a category of "utility protocols" that underpin communications on the Internet. These are robust protocols that help keep traffic flowing and servers talking and that most users do not know exist. Protocols like the Border Gateway Protocol, Network Time Protocol, and of course DNS are critical to keeping the Internet up and running, but generally fall well outside the purview of security teams. The administrators who do configure and manage the systems that run these protocols do not usually think about the security concerns inherent in these protocols.

This lack of security insight combined with the relative obscurity of these protocols makes them ripe for potential exploitation, and hackers have figured that out. The result of this perceived utility is that within the black hat community there has been a sizeable increase in exploitation and vulnerability research in these protocols. There has also been a lot of research done by the security community into ways to better protect these protocols. Unfortunately, there is a big gap between the work done by researchers and the people who handle the day-to-day administration of these protocols.

A prime example of this is with DNSSEC (discussed in detail in Chapter 10). RFC 3833, which introduced a way to better secure DNS infrastructure, was first released in 2004. Even in 2016 very few domain names have added DNSSEC signing to their zone file and many domain registrars still do not support it.

In the end DNS security is important because a failure in DNS can render an organization completely unreachable and because attackers are actively looking for new ways to exploit the DNS protocol and the DNS infrastructure itself. Understanding key issues in DNS security is critical to maintaining a strong security posture within an organization.

Common DNS security problems

Before a security team can effectively protect an organization's DNS infrastructure they must first determine what the risks to its DNS infrastructure are. When performing a risk assessment of a DNS infrastructure it is important to take a very broad view of what constitutes a security risk. The goal of a DNS security plan is to make sure the DNS infrastructure is available as much as possible and that the proper information is propagated to machines making queries.

Based on the definition above, anything that impacts availability or causes faulty data to be disseminated could be considered a security breach. Some would consider this definition problematic because it expands the definition of security beyond its traditional meaning. However, given the importance of DNS to an organization an expanded definition of security is reasonable and, arguably, essential.

One of the reasons an expanded definition of DNS security is essential is that there are so many points of security failure within a DNS framework. In addition to failures traditionally associated with data security such as hardware failure, unauthorized server access, and DDoS attacks, there are also registrar administrative issues, sleazy marketing, and other types of security breaches unique to DNS. The distributed nature of DNS automatically requires a different set of security concerns and adds a layer of complexity to security plans.

Here is an all-too-common example of the unique problems facing anyone attempting to secure a DNS infrastructure: It is Monday, everyone stumbles into the office and realizes that they cannot check mail; the corporate web site is also unreachable. Internet connectivity is fine, and people are able to send mail and access other web sites. The DNS administrator is asked (usually frantically) to fix the DNS problem. But the DNS servers are working fine. Both the primary and secondary servers are responding as expected, data has not been changed and there is no sign of unauthorized access.

The DNS administrator spends all morning attempting to determine the problem. She checks and rechecks system settings, verifies that DNS information has not been altered with the registrar, searches various DNS web sites, all to no avail. Finally, she posts a description of the problem to a DNS-related mailing list. Within a few minutes someone replies with output of whois data and points out that the domain name has expired. Shaking her head in disbelief the administrator contacts the accounting department to find out if they received a bill from the registrar and if they did, had the bill been paid? The accounting department says that the bill was never received. Further investigation shows that the billing point of contact that the registrar has on file left the company 8 months ago, so the renewal notice was sent to a nonexistent email account and the domain registrar does not have an effective method to deal with bounced emails.

The example above, while somewhat exaggerated, is not too far from the truth. Many a large company has been crippled because someone in the accounting department did not pay the registrar bill on time. The example above also does not advise on the possibility that someone is waiting to squat on the domain if a payment is missed and registration expires. Imagine the embarrassment a company would have to go through if their domain was purchased out from underneath their noses. Ensuring that bills are paid on time would not normally qualify as a security issue, but in this case it certainly could be considered an aspect of availability: If an organization does not make sure the registrar is paid in a timely fashion the domain can be removed from the root servers and no one will be able to access the domain.
Even after the bill has been paid and the registrar has reinstated the domain, it can take up to 48 hours before the domain is again available to the Internet. In other words, this type of mistake can result in an outage that lasts several days - and there is not anything that can be done to speed up the process. This is why it is important to consider all aspects of availability when developing a DNS security plan.

Taking a broad view of security, a DNS security event is anything that impacts the availability of the DNS service, whether that is an internal or an external event. An internal event is one that is caused by an employee or a contractor of the organization, regardless of whether or not the event is accidental or intentional.

This is important to remember: a security breach does not necessarily have to be intentional. An administrator who enters an incorrect IP Address or accidentally deletes an important file has still created a security situation. These types of events need to be planned for with as much concern as hostile events.

Internal nonhostile events can include a mistaken entry in a zone file, misconfigured ACLs, firewall rules which prevent access to DNS or grant more access than desired, deleting zone files, and of course not renewing a domain name in a timely fashion.
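The expired-domain outage described above is the kind of availability failure a routine check catches weeks ahead of time. The following is an added example, not code from the e-guide or the book it excerpts: it reads the expiry date and EPP status from constructed whois output, grades how urgent renewal is, and flags registrar contacts whose mailboxes live on the domain itself, which are exactly the addresses a renewal notice can no longer reach once the domain stops resolving. The whois text and the warning thresholds are assumptions for illustration; the field names follow the ICANN RDDS whois output format.

```python
"""Grade a domain's renewal urgency from whois output.

Added example, not code from the e-guide or the book it excerpts. The whois
text is constructed; the field names follow the ICANN RDDS whois format and
the warning thresholds are illustrative assumptions.
"""
import re
from datetime import date

# Registry and registrar each publish an expiry; the earliest one is what counts.
EXPIRY_FIELDS = ("Registry Expiry Date", "Registrar Registration Expiration Date")
# EPP statuses that mean the domain has already lapsed or been suspended.
HOLD_STATUSES = {"redemptionPeriod", "pendingDelete", "clientHold", "serverHold"}
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _fields(whois_text):
    """Yield (key, value) pairs from 'Key: value' whois lines."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            yield key.strip(), value.strip()


def parse_expiry(whois_text):
    """Earliest expiry date found, or None when no expiry field is present."""
    found = []
    for key, value in _fields(whois_text):
        m = DATE_RE.search(value) if key in EXPIRY_FIELDS else None
        if m:
            found.append(date.fromisoformat(m.group(0)))
    return min(found) if found else None


def parse_statuses(whois_text):
    """EPP status codes (first token of each 'Domain Status' line)."""
    return {value.split()[0] for key, value in _fields(whois_text)
            if key == "Domain Status" and value.split()}


def contacts_at_risk(whois_text):
    """Contact mailboxes hosted on the domain itself.

    Once the domain stops resolving, renewal mail to these addresses bounces,
    which is how the outage in the text began.
    """
    name, emails = None, []
    for key, value in _fields(whois_text):
        if key == "Domain Name":
            name = value.lower()
        elif key.endswith("Email"):
            emails.append(value.lower())
    return [e for e in emails if name and e.endswith("@" + name)]


def assess(whois_text, today, warn_days=60, critical_days=14):
    """Return expiry, days left, hold statuses, risky contacts and a level.

    Levels: 'ok', 'warn', 'critical', 'expired', or 'unknown' (no date found).
    """
    expiry = parse_expiry(whois_text)
    result = {"expiry": expiry, "days_left": None, "level": "unknown",
              "hold_statuses": sorted(parse_statuses(whois_text) & HOLD_STATUSES),
              "contacts_at_risk": contacts_at_risk(whois_text)}
    if expiry is None:
        return result
    days = (expiry - today).days
    result["days_left"] = days
    if days < 0:
        result["level"] = "expired"
    elif result["hold_statuses"] or days <= critical_days:
        result["level"] = "critical"
    elif days <= warn_days:
        result["level"] = "warn"
    else:
        result["level"] = "ok"
    return result


def assess_on(whois_text, iso_today, **thresholds):
    """Convenience wrapper taking the reference day as an ISO date string."""
    return assess(whois_text, date.fromisoformat(iso_today), **thresholds)


# Constructed whois output for a fictitious domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Updated Date: 2023-11-02T08:12:44Z
Creation Date: 2009-04-17T14:05:00Z
Registry Expiry Date: 2024-04-17T14:05:00Z
Registrar Registration Expiration Date: 2024-04-17T14:05:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: hostmaster@example-corp.com
Billing Email: j.doe@example-corp.com
"""
# The same domain after the registrar moved it into the redemption grace period.
LAPSED_WHOIS = SAMPLE_WHOIS.replace(
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "redemptionPeriod https://icann.org/epp#redemptionPeriod")

if __name__ == "__main__":
    for label, text in (("current", SAMPLE_WHOIS), ("lapsed", LAPSED_WHOIS)):
        r = assess_on(text, "2024-03-12")
        print(f"{label}: {r['level']} ({r['days_left']} days left), "
              f"holds={r['hold_statuses']}, risky contacts={r['contacts_at_risk']}")
```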
Internal events can also be hostile. A disgruntled employee might redirect the organization's web site, might attempt to disrupt mail service by removing entries, may change domain contact information so he is listed as the authority over the domain, or may remove a zone file completely, wreaking havoc within the network. Each of these problems can be prevented if the right checks are put in place. Again, once potential attack vectors are known it is easier to prepare for them, and in the case of internal attacks implementing stronger DNS processes goes a long way toward limiting the problem.

External security breaches are another matter; it is very rare that an external breach will be accidental. Most external attacks against DNS servers are either an instance where an organization is specifically targeted or they are random. A random attack occurs when an attacker is scanning a range of IP Addresses and encounters a DNS server with a known vulnerability. The attacker will launch an attack against that server and attempt to gain access not because the attacker has a particular grudge against the organization, but simply because it is possible. Note, an attack can be targeted and still have collateral damage. For example, in 2012 a hacker going by the name AnonymousOwn3r launched a DDoS attack against the domain registrar GoDaddy. The DDoS attack not only rendered GoDaddy's web site unreachable, it also impacted the ability of GoDaddy's authoritative DNS servers to respond to queries, degrading the service of GoDaddy's customers - who were not the intended target.
Random attacks are relatively easy to defend against. Most script kiddies do not have the depth of knowledge required to launch a serious attack against a well-protected DNS infrastructure, so they will generally bypass those and focus on DNS infrastructures with weaker security measures in place. In many ways it is the same as car thieves. Someone just looking for a joyride will focus on the easiest car to grab - one that is unlocked or with a weak alarm system. On the other hand, a skilled car thief has a greater knowledge of cars and will know how to defeat the security precautions of the car he wants.

A script kiddie is a lot like a joyriding car thief. Of course as anyone who has had his or her car stolen knows, even a novice car thief can inflict a great deal of damage - especially if it is your car stolen. Likewise, just because a script kiddie is not sophisticated technically does not make the damage inflicted any less painful.

It is important to do everything possible to keep a DNS infrastructure safe from common script kiddie attacks. At the same time DNS administrators must remain watchful for more skilled attackers.

A skilled attacker is more likely to target a specific organization for attack. The attacker may have a grudge against a company, hope to gain access to sensitive data for personal gain, or even be paid by a rival organization.
Two important qualities that good DNS administrators share are vigilance and paranoia; actually, all security administrators share those qualities. As the saying goes, "Just because you are paranoid doesn't mean they are not out to get you." Initially, it is often difficult to distinguish between an attack launched by a skilled attacker and one launched by a novice; an experienced administrator will be able to quickly determine the difference and act appropriately.

A targeted DNS attack can take many forms, depending on the intention of the attacker. If the intention of the attacker is to redirect DNS services away from an organization, then the attacker may not even target that organization's DNS servers directly. In fact, if an attacker wants to take over a domain - also known as domain hijacking - a direct attack against an organization's DNS servers is often the last resort.

A domain hijacker will take advantage of weak DNS security practices within an organization or that organization's registrar to assume ownership of a domain name. Generally, this involves some sort of social engineering. Social engineering is a form of attack that involves manipulating people rather than data. An attacker will take advantage of the willingness of people to share information, even if that information is sensitive.

There are several types of domain hijacking scenarios, and again, these scenarios may not even involve dealing directly with the organization whose domain the hijacker is trying to take over. One way to hijack a domain is to look for one that was registered using a now-defunct mailing address from a free-mail account. The hijacker reactivates the defunct address and uses it to change the password and contact information for the domain. In effect, the hijacker assumes ownership of the domain.

A second type of hijacking revolves around getting information from the domain registrar directly, and this is where social engineering really comes into play. A hijacker calls up a registrar and claims to be the administrator for a domain. The hijacker presents the registrar with a plausible crisis. Perhaps she explains that the company that is hosting her organization's mail servers has abruptly shut down, leaving them without access to their mail. She has signed up with a new company, but she needs to update her domain information and she cannot remember her password to the registrar's control panel.

She would use the password-reset option, but obviously, with her mail unavailable, she will not receive the new password. This is a real problem, and the president of the company is calling her every 5 minutes demanding to know what the status is and even threatening to fire her. Is there not any way the registrar can reset the password over the phone - she will happily fax over a signed request on company letterhead?

At this point many support people will acquiesce and change the password "this one time," over the phone. If the hijacker does encounter resistance at this level, she will escalate it to a manager, sounding increasingly upset. Eventually, she finds someone who is willing to allow her to change the password over the phone, and now she has full control over the domain without having to touch the target network.

This ploy does not always work, but remember that the primary role of the customer service person is to help people; therefore, they are naturally inclined to aid a customer in trouble. A registrar that takes security seriously would have other methods of verifying the person's identity. It is important to remember that registrars, like most service companies, depend on happy customers for repeat and new business. If the person on the other end of the phone is really a distraught customer, not changing the password may result in a loss of business.

Social engineering attacks are often the most difficult to defend against, especially when an organization has to rely on a vendor to maintain the same level of security. But even within an organization not all staff members will have the same level of urgency when it comes to security, and even the best security plans are useless if people within the organization do not adhere to them.

Other types of attacks involve more traditional, computer-based, methods of aggression. These attacks generally serve to overwhelm a server making it unreachable from the network, exploit weaknesses in the DNS daemon to gain access to the server, or redirect traffic from its intended destination to a server owned by the attacker.
The first type of attack, overwhelming a server with requests making it impossible to serve legitimate requests, is what is commonly referred to as a DoS attack. The requests can be requests for DNS information, but they can also be ICMP requests, or even requests for another service that is housed on the server.

Because DNS uses UDP as its primary method of communication, it is especially susceptible to attacks. Unlike a Transmission Control Protocol (TCP) packet, a UDP packet does not require a handshake to ensure that there is good communication between the two hosts. This makes UDP-based protocols especially susceptible to attack, because it is relatively trivial for an attacker to forge UDP packets. More importantly, it is trivial for an attacker to forge hundreds, thousands, or even hundreds of thousands of packets. Forged packets are sent to the target DNS server; they look like legitimate requests, so the DNS server responds to all of them, filling up all available UDP sockets and preventing the server from responding to legitimate requests.

An Internet Control Message Protocol (ICMP) DDoS attack uses the same methodology. An attacker targets a server, but instead of launching DNS packets against the server, he uses ICMP packets. These packets can all be launched from a single server or from multiple servers. Either way, the goal is the same: overwhelm the DNS server and make it unresponsive to valid requests from other hosts.
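The forged-packet flood described above is easiest to spot in the server's own query log, and the point worth seeing is that a per-client rate limit alone does not catch it. The following is an added example, not code from the e-guide or the book it excerpts: it parses constructed BIND-style query log lines and flags both a single noisy client and the aggregate spike spread over many distinct source addresses that a spoofed-source flood produces. The log layout, the thresholds and the addresses are assumptions for illustration.

```python
"""Detect DNS query floods from BIND-style query log lines.

Added example, not code from the e-guide or the book it excerpts. The log
lines are constructed; the line layout mirrors BIND's "queries" log channel
and the thresholds are illustrative assumptions, not recommended values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One query-log line per query: timestamp, client address#port, query name/type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source address, qname, qtype), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname"), m.group("qtype")


def analyze(lines, per_src_qps=20, total_qps=100):
    """Bucket queries per second; flag noisy single sources and aggregate spikes.

    Returns {"noisy_sources": {src: peak qps}, "flood_seconds": {"HH:MM:SS":
    (qps, distinct sources)}}. A second above total_qps whose queries come
    from many distinct addresses is the signature of a spoofed-source flood:
    every forged address stays under the per-source limit while the aggregate
    does not, so a per-client limit on its own would miss it.
    """
    per_sec = defaultdict(Counter)  # timestamp -> Counter(src -> queries)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines from other log channels are skipped
        ts, src, _qname, _qtype = parsed
        per_sec[ts][src] += 1

    noisy, floods = {}, {}
    for ts, srcs in sorted(per_sec.items()):
        total = sum(srcs.values())
        for src, n in srcs.items():
            if n > per_src_qps and n > noisy.get(src, 0):
                noisy[src] = n
        if total > total_qps:
            floods[ts.strftime("%H:%M:%S")] = (total, len(srcs))
    return {"noisy_sources": noisy, "flood_seconds": floods}


def _line(sec, src, qname="example.com"):
    """Build one constructed query-log line at 10:15:<sec>."""
    return (f"12-Mar-2024 10:15:{sec:02d}.000 client @0x7f3c5c0 {src}#51234 "
            f"({qname}): query: {qname} IN A +E(0) (192.0.2.1)")


def build_sample_log():
    """Constructed sample: a quiet second, one noisy client, then a spoofed flood."""
    lines = [_line(0, f"192.0.2.{i}") for i in (10, 11, 12, 10, 11)]
    lines += [_line(1, "192.0.2.10") for _ in range(30)]          # noisy client
    lines += [_line(1, f"192.0.2.{i}") for i in (11, 12, 13, 14, 15)]
    lines += [_line(2, f"203.0.113.{i}") for i in range(1, 151)]  # 150 forged sources
    lines.append("12-Mar-2024 10:15:02.500 general: info: zone reload")  # ignored
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for src, qps in report["noisy_sources"].items():
        print(f"noisy client {src}: peak {qps} qps")
    for second, (qps, sources) in report["flood_seconds"].items():
        print(f"flood at {second}: {qps} qps from {sources} distinct sources")
```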
E-guide

If a DNS server has other services running on it, then targeting those services is also an option. It does not matter which service is attacked; what matters is using up all of the available connections or processing capacity on the remote server and making it unresponsive. This is one reason authoritative and recursive DNS servers should run nothing else.

A second type of attack takes advantage of a weakness in either the DNS daemon or other software running on the server. The attacker exploits the weakness to gain administrative access to the server. Once on the server, the attacker can either attempt to make further inroads into the network or redirect DNS requests from users on the network to a rogue server under the attacker's control.

An administrative compromise of a critical server such as a DNS server can be especially insidious because it allows the attacker to control parts of the network and redirect traffic away from its intended destination. Security precautions taken throughout the rest of the network become irrelevant, because the attacker has access to everything.

Attacks involving administrative compromise can go undetected for months. If an attacker is careful to cover her tracks and the server is poorly secured or monitored, there is a good chance no one will notice there is a problem, at least not until long after it is too late.

A third type of attack is not as common as it used to be, but it can still occur and should therefore be protected against. An attacker loads bogus information about a popular domain into the responses sent by a DNS server he controls, tricking recursive servers into caching it and redirecting queries to the wrong location. This is a form of cache poisoning.

For example, an attacker may own the domain foo.com. When a recursive server requests information about foo.com, the attacker's authoritative server also sends bad data for www.amazon.com. Because the bad data is embedded within an otherwise legitimate response, a receiving DNS server that does not check where the extra records belong simply accepts the data and shares it with users.

Note that the attacker's DNS server does not send a full zone for the targeted domain; it generally sends a single record, most often an A record, in the answer or additional section of the response. The idea is to redirect traffic to a server owned by the attacker. So the attacker would set up a website that mirrored the one at www.amazon.com and send the bad record along with responses to queries for foo.com. Poisoned DNS servers would direct users toward the attacker's site, and the attacker would be able to gather credit card numbers and account information from users who visit the bogus website. Because the site would be a mirror of Amazon's website, users would not notice at first, potentially giving the attacker weeks to exploit the gathered data.

The reason this attack is less common today is that modern resolvers apply a bailiwick check: records in a response are accepted only if their owner names fall within the zone the queried server is authoritative for, so an answer from foo.com's server about www.amazon.com is discarded rather than cached. DNSSEC validation closes the gap further, since a forged amazon.com record would carry no valid signature.
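
As an added example that is not part of the original text, here is the bailiwick check a resolver applies to a response like the one described above, written over a constructed response for the hypothetical foo.com. The record values are made up; www.amazon.com appears only because the article uses it, and the addresses are from documentation ranges.

```python
def in_bailiwick(name, zone):
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(queried_zone, response):
    """Apply a bailiwick check to an already-parsed response.

    `response` is a dict with "answer", "authority" and "additional" lists of
    (owner_name, rtype, rdata) tuples. Records whose owner name lies outside
    `queried_zone` are rejected. Additional-section A/AAAA records (glue) are
    kept only when they belong to a name server named in an accepted NS record,
    since glue is the classic place to smuggle a poisoned address.
    Returns (accepted, rejected), each a list of (section, owner, rtype, rdata).
    """
    accepted, rejected = [], []
    ns_targets = set()
    for section in ("answer", "authority"):
        for owner, rtype, rdata in response.get(section, []):
            if in_bailiwick(owner, queried_zone):
                accepted.append((section, owner, rtype, rdata))
                if rtype == "NS":
                    ns_targets.add(rdata.lower().rstrip("."))
            else:
                rejected.append((section, owner, rtype, rdata))
    for owner, rtype, rdata in response.get("additional", []):
        is_address = rtype in ("A", "AAAA")
        is_glue = is_address and owner.lower().rstrip(".") in ns_targets
        if in_bailiwick(owner, queried_zone) and (not is_address or is_glue):
            accepted.append(("additional", owner, rtype, rdata))
        else:
            rejected.append(("additional", owner, rtype, rdata))
    return accepted, rejected


# Constructed response from foo.com's (attacker-run) name server to a query for
# www.foo.com, carrying poisoned records for a domain it has no authority over.
POISONED_RESPONSE = {
    "answer": [
        ("www.foo.com.", "A", "192.0.2.10"),
        ("www.amazon.com.", "A", "192.0.2.66"),      # out of bailiwick: must be discarded
    ],
    "authority": [
        ("foo.com.", "NS", "ns1.foo.com."),
        ("foo.com.", "NS", "ns.evil.test."),         # a zone may legitimately name an outside NS...
    ],
    "additional": [
        ("ns1.foo.com.", "A", "192.0.2.53"),         # in-zone glue: accepted
        ("ns.evil.test.", "A", "192.0.2.99"),        # ...but its address must be looked up, not trusted here
        ("www.amazon.com.", "A", "192.0.2.66"),      # out of bailiwick: must be discarded
    ],
}
```

Running `filter_response("foo.com", POISONED_RESPONSE)` accepts the www.foo.com answer, both NS records and the ns1.foo.com glue, and rejects the three records the server has no business asserting. Note that the NS record pointing at ns.evil.test is itself accepted (foo.com may delegate to any server it likes) while the accompanying address is not; the resolver will resolve ns.evil.test through evil.test's own servers instead.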

New exploits against popular DNS daemons are constantly being discovered and reported. In addition, new tools are released all the time that automate the process of exploiting security holes in DNS software. The confluence of these two trends creates a difficult situation for DNS administrators. Just about anyone with a computer and the ability to decompress a program can launch an attack against a poorly protected, or poorly updated, DNS server. Because launching an elementary attack against a DNS server is so easy, a strong DNS security policy is critical to any security plan.

In addition to a strong security policy, or more appropriately as part of one, it is important to be aware of the latest DNS exploits and to understand how they affect an organization's DNS infrastructure. It is not enough to know that an exploit exists; DNS administrators must understand how it works and what it does.

Even if an exploit is not known to affect an existing DNS infrastructure (for example, an exploit is listed as applicable to Linux servers and your DNS servers are BSD based), it cannot hurt to test the exploit against those DNS servers. Initial details of an exploit are often incomplete, so further research is always warranted. Any such testing belongs on a lab or staging copy of the servers, under written authorization, not on the production resolvers users depend on.

Of course, even when there are no known exploits it is usually a good idea to upgrade DNS servers as soon as possible after a patch is released. Any patch should be thoroughly tested prior to the upgrade, but patches generally are released either to close a security hole or in anticipation of a potential one.

DNS Security: Defending the Domain Name System

Authors: Allan Liska and Geoffrey Stowe
Learn more about DNS Security from publisher Syngress. At checkout, use discount code PBTY25 for 25% off this and other Elsevier titles.

About the authors:

Allan Liska is a Consulting Systems Engineer at FireEye Inc. and an "accidental" security expert. While Allan has always been good at breaking things, he got his start professionally working as a customer service representative at GEnie Online Services (a long-defunct early competitor to AOL), where he would spend his off hours figuring out how users had gained unauthorized access to the system, booting them off, and letting the developers know what needed to be patched. Unknowingly, this was leading him down the path of becoming a security professional. Since then he has worked at companies like UUNET, Symantec, and iSIGHT Partners helping companies better secure their networks. He has also worked at Boeing trying to break into that company's networks. In addition to his time spent on both sides of the security divide, Allan has written extensively on security, including The Practice of Network Security and Building an Intelligence-Led Security Program. He was also a contributing author to Apache Administrator's Handbook.

Geoffrey Stowe lives in San Francisco and is an Engineering Lead at Palantir Technologies. His network security work has included vulnerability research, reverse engineering, incident response and anomaly detection. There was a time when he could translate byte code to assembly without looking at a manual. Geoff started Palantir's commercial business in 2010 and built its first platforms for distributed, large scale data analysis. He graduated from Dartmouth College with a degree in computer science.

DNS Security: Defending the Domain Name System. Reprinted with permission from Elsevier/Syngress, Copyright ©2016.

Protecting the DNS protocol: How DNSSEC can help

Karen Scarfone, Principal Consultant at Scarfone Cybersecurity

The DNS protocol was designed in the earliest days of the internet to allow names to be used instead of IP addresses, like techtarget.com instead of 172.30.128.56. Unfortunately, security features were not built into the DNS protocol because security wasn't a concern at that time. Attackers have found many ways to take advantage of DNS by forging DNS responses and otherwise tampering with DNS to cause victims to unknowingly be routed to the wrong destinations.

The Domain Name System Security Extensions (DNSSEC) were developed as an add-on to the DNS protocol to stop these types of threats. Basically, DNSSEC adds digital signatures to DNS data: the zone owner signs each set of records, and the signatures are published alongside them as RRSIG records, with a chain of trust running from the root down through DS records in each parent zone. When a computer sends a DNS query and gets a response back, the validating resolver first verifies the signature on the response to make sure the data is legitimate and hasn't been tampered with. In most deployments that validation happens on the organization's recursive resolver, which then sets the AD (authenticated data) flag in its reply to clients; a client that does not validate for itself is trusting the path between it and that resolver. DNSSEC provides authenticity and integrity only, not confidentiality: queries and answers are still visible on the wire.

DNS security in the DNS protocol: Simple, except …

At its core, DNSSEC is a simple concept, but implementing it is far more complicated. It relies on all the keepers of DNS records implementing and maintaining public key cryptography and DNSSEC features for their DNS servers. Public key cryptography can be a particularly challenging and complex area of security, and DNSSEC keys have to be generated, rolled and coordinated with the parent zone on a schedule. DNSSEC also has a chicken-and-egg problem in that having DNSSEC-enabled servers isn't beneficial unless client computers (servers, laptops, smartphones, etc.), or the resolvers they rely on, are also validating. But there's not much motivation for clients to validate unless the DNS servers already support it.

Efforts to expand use

After more than ten years, DNSSEC is still not that widely used. The U.S. government has pushed for DNSSEC adoption since 2006, when the National Institute of Standards and Technology (NIST) released the original Special Publication (SP) 800-81, "Secure Domain Name System (DNS) Deployment Guide." The publication was intended to help both U.S. government agencies and other organizations better understand DNS security concerns and how to address them. That included providing detailed explanations of how DNSSEC works and making recommendations on how to implement it. Since that time, NIST has updated SP 800-81 twice, with the latest version (SP 800-81-2) released in 2013.

A few years later, the government's Office of Management and Budget (OMB) released a memo (M-08-23) requiring federal agencies to deploy DNSSEC. NIST updated SP 800-53 in 2010 to require the use of DNSSEC for high-impact government systems. The next version of SP 800-53, released in 2013, greatly expanded the requirements by mandating DNSSEC use for all U.S. government systems, regardless of impact level.

While the NIST publications and the OMB memo have made a significant impact on U.S. government DNSSEC adoption, in 2017 there were still government domains not using DNSSEC. However, over 90% do support it and were not found to have any errors during the independent testing. This demonstrates that adding DNSSEC to the DNS protocol is feasible to implement and maintain in the real world. Other organizations should consider following the example set by government agencies and implementing DNSSEC for their own servers and clients.

Ways to solve DNS security issues in your organization

Karen Scarfone, Principal Consultant at Scarfone Cybersecurity

There are many ways organizations can reduce DNS security issues and improve the safety of this vital service. DNSSEC is a great way to help ensure that tampering with DNS responses is detected before clients are sent to the wrong destinations.

Additional security practices are needed to adequately secure DNS, and these are outlined and explained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81-2, "Secure Domain Name System (DNS) Deployment Guide." SP 800-81-2 identifies three groups of security concerns: the DNS hosting environment, the DNS transactions themselves and the security administration of the DNS and DNS Security Extensions (DNSSEC) implementations. Let's take a closer look at each of these groups and what you can do to address the concerns.

DNS security issues in the hosting environment

The DNS hosting environment encompasses all the components of the servers, from their operating systems and applications to the DNS data they store, access and manipulate. Securing hosting environments is generally straightforward. It includes hardening the operating systems and applications, configuring access controls so only the necessary activities are permitted for authorized users and properly maintaining the environment through patching, reconfiguring, monitoring, auditing and more. Running the DNS daemon as an unprivileged user on a dedicated host, with no unrelated services, limits what an attacker gains from the kind of daemon exploit described earlier in this guide.

DNS data is stored on DNS servers in a zone file. Protecting the integrity of the zone file is incredibly important. NIST SP 800-81-2 recommends using a tool called a zone-file integrity checker. This tool should be run frequently on the zone file to make sure it doesn't contain any records with unusual values, for example an A record pointing outside the organization's address space, an NS or MX record delegating to an unexpected domain, or a TTL far outside the norm. The tool must be configured with what the acceptable and unacceptable values are for various record fields, which may vary from one organization to another.
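
An added example, not from NIST or the article, of a minimal zone-file integrity checker of the kind SP 800-81-2 recommends. The policy values, the zone contents and therefore the findings are constructed for illustration (addresses come from documentation ranges); the parser handles only single-line records in the common owner/TTL/class/type/rdata layout, so $ORIGIN, $TTL and multi-line SOA records would have to be added for a production zone.

```python
import ipaddress

# Constructed policy for a hypothetical organisation; real values come from your own inventory.
POLICY = {
    "zone": "example.com.",
    "allowed_networks": [ipaddress.ip_network("192.0.2.0/24"),
                         ipaddress.ip_network("2001:db8::/32")],
    "allowed_ns_suffixes": ("example.com.", "example-dns.net."),
    "allowed_mx_suffixes": ("example.com.", "mail-provider.test."),
    "allowed_types": {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME"},
    "min_ttl": 300,
    "max_ttl": 604800,
}

# Constructed zone file. Three lines are deliberately "unusual": a foreign name
# server, a low-TTL login host pointing outside our space, and a wildcard.
SAMPLE_ZONE = """\
; zone file for example.com (constructed example)
example.com.        3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2019030101 7200 3600 1209600 3600
example.com.        3600  IN  NS   ns1.example.com.
example.com.        3600  IN  NS   ns.attacker-dns.test.
example.com.        3600  IN  MX   10 mail.example.com.
ns1.example.com.    3600  IN  A    192.0.2.53
mail.example.com.   3600  IN  A    192.0.2.25
www.example.com.    3600  IN  A    192.0.2.80
www.example.com.    3600  IN  AAAA 2001:db8::80
login.example.com.    60  IN  A    198.51.100.7
*.example.com.      3600  IN  A    192.0.2.80
example.com.        3600  IN  TXT  "v=spf1 mx -all"
"""


def parse_zone(text):
    """Yield (owner, ttl, rtype, rdata) for each record line, skipping comments."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError("unsupported line: " + line)
        owner, ttl, _, rtype, rdata = parts
        yield owner.lower(), int(ttl), rtype.upper(), rdata.strip()


def check_zone(text, policy=POLICY):
    """Return (owner, rtype, reason) findings for records outside the configured values."""
    findings = []
    for owner, ttl, rtype, rdata in parse_zone(text):
        if not (owner == policy["zone"] or owner.endswith("." + policy["zone"])):
            findings.append((owner, rtype, "owner outside zone"))
        if rtype not in policy["allowed_types"]:
            findings.append((owner, rtype, "unexpected record type"))
        if not policy["min_ttl"] <= ttl <= policy["max_ttl"]:
            findings.append((owner, rtype, f"ttl {ttl} outside {policy['min_ttl']}-{policy['max_ttl']}"))
        if owner.startswith("*."):
            findings.append((owner, rtype, "wildcard record"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in policy["allowed_networks"]):
                findings.append((owner, rtype, f"address {rdata} not in allowed networks"))
        elif rtype == "NS" and not rdata.lower().endswith(policy["allowed_ns_suffixes"]):
            findings.append((owner, rtype, f"name server {rdata} not in allowed suffixes"))
        elif rtype == "MX":
            host = rdata.split()[-1].lower()              # rdata is "preference exchange"
            if not host.endswith(policy["allowed_mx_suffixes"]):
                findings.append((owner, rtype, f"mail exchanger {host} not in allowed suffixes"))
    return findings
```

Run against the sample zone this reports four findings: the foreign name server, the wildcard, and two for the login host (its 60-second TTL and its out-of-range address). A short TTL on a login name is exactly what an attacker who has modified the zone would set so that the change takes effect quickly, which is why TTL bounds belong in the policy alongside address ranges.
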
DNS security issues with transactions

DNS transactions include DNS queries and responses as well as several types of record management actions. DNSSEC is the primary mechanism for protecting DNS query and response integrity. However, DNSSEC does not protect other types of DNS transactions.

One of the transaction types needing protection is zone transfers. A zone transfer is when the contents of a DNS zone file are duplicated on another server, typically from the primary to its secondaries. Zone transfers should be restricted so that only authorized parties can initiate them; an open zone transfer hands an attacker a complete map of the zone. NIST SP 800-81-2 details several methods for doing this, including transaction signatures (TSIG, a shared-key HMAC over each message), public key cryptography (SIG(0)) and network layer security (e.g., a VPN). Restricting by source IP address alone is a weak control, because any host that can reach the server from an allowed address, or that sits behind the same NAT, is treated as authorized.

Another transaction type of concern is dynamic updates. In a dynamic update, a DNS client informs a DNS server of changes it should make to its zone file. As with zone transfers, dynamic updates should only be allowed from authorized parties, and the risk can be mitigated through transaction signatures, public key cryptography and VPNs.
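
Added example of the transaction signature (TSIG) mechanism mentioned above, written for this page rather than taken from the article or from any DNS server's code. It signs and verifies an AXFR request with an HMAC-SHA256 shared key following the RFC 8945 digest layout (optional request MAC, then the message with the TSIG removed, then the TSIG variables). The key name, key bytes and timestamps are constructed; the error and "other data" fields are fixed at zero and empty, and interoperability with a real server is not verified here.

```python
import hashlib
import hmac
import struct
import time

TYPE_TSIG, CLASS_ANY, TYPE_AXFR = 250, 255, 252
ALGORITHM = "hmac-sha256."


def encode_name(name):
    """Canonical wire format: lowercase labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _time48(t):
    """48-bit 'time signed' field."""
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)


def _tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that go into the MAC input: key name, class ANY, TTL 0,
    algorithm name, time signed, fudge, error, other length, other data."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + _time48(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def _mac(key, message, keyname, time_signed, fudge, request_mac=b""):
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    data += message + _tsig_variables(keyname, time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(message, keyname, key, now=None, fudge=300, request_mac=b""):
    """Append a TSIG RR to a wire-format message and bump ARCOUNT."""
    time_signed = int(time.time() if now is None else now)
    mac = _mac(key, message, keyname, time_signed, fudge, request_mac)
    rdata = (encode_name(ALGORITHM) + _time48(time_signed)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[0:2]                                   # original message ID
             + struct.pack("!HH", 0, 0))                      # error, other length
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify(signed, keyname, key, now=None, request_mac=b""):
    """Strip the trailing TSIG RR, recompute the MAC over what remains, compare in
    constant time and enforce the fudge window. Returns (ok, reason).
    Locating the RR by byte pattern is a shortcut for this example; a real
    verifier walks the sections to reach the last additional record."""
    marker = encode_name(keyname) + struct.pack("!HHI", TYPE_TSIG, CLASS_ANY, 0)
    pos = signed.rfind(marker)
    if pos < 0:
        return False, "no TSIG record"
    p = pos + len(marker) + 2                                  # skip RDLENGTH
    alg = encode_name(ALGORITHM)
    if signed[p:p + len(alg)] != alg:
        return False, "unsupported algorithm"
    p += len(alg)
    hi, lo = struct.unpack("!HI", signed[p:p + 6])
    time_signed = (hi << 32) | lo
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    arcount = struct.unpack("!H", signed[10:12])[0] - 1       # message as it was before signing
    message = signed[:10] + struct.pack("!H", arcount) + signed[12:pos]
    expected = _mac(key, message, keyname, time_signed, fudge, request_mac)
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    t = int(time.time() if now is None else now)
    if abs(t - time_signed) > fudge:
        return False, "time signed outside fudge window"
    return True, "ok"


def build_axfr_request(zone, txid=0x2A2A):
    """A plain AXFR query: header with QDCOUNT=1 followed by the question."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1))
```

The point of the time window is replay resistance: a captured signed transfer request stops verifying a few minutes later, so the secondary's clock has to be reasonably accurate. The shared key is the whole secret; it should be generated from a CSPRNG, be at least as long as the HMAC output, and be distributed only to the primary and its secondaries.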

Security administration

Security administration can be used to reduce DNS security issues. It includes which cryptographic algorithms are used and how cryptographic keys used for DNS are managed throughout their lifecycles. The vast majority of the security administration recommendations found in NIST SP 800-81-2 involve key management for DNSSEC. Organizations should have robust key management policies and processes in place before deploying DNSSEC so that they are prepared for any key management needs.

For example, if an incident involving DNS security issues related to a server occurs, an organization may need to perform key rollovers immediately. If these rollovers are not performed correctly and quickly, attackers might be able to take advantage of the situation, or DNS operations might be disrupted, causing organizational IT resources to be temporarily unavailable. A common failure is publishing a new key-signing key without updating the DS record at the parent, or withdrawing the old key before cached signatures made with it have expired; either breaks validation for every validating resolver. Organizations should plan for the worst possible DNS security issues so that they're ready to respond if a problem occurs.

How DNS TXT records can be used against enterprises

Nick Lewis, Program Manager for Trust and Identity at Internet2

The domain name system, better known as DNS, is one of the most critical network protocols in technology today. It is so common that it would be surprising for a computer to not use DNS while the device is turned on.

The basic functionality is simple, but it has significant complexity under the covers, and it can give security teams tremendous insight into the operations of a network. On the other hand, there have been many attacks on DNS servers, and even attacks that use DNS to their advantage.

How DNS works

DNS is the domain name system used for mapping human-friendly names to IP addresses, much like a telephone book. It is key to the operation of the internet, and it is relied upon by many other protocols. It also gives a network operator additional flexibility to make changes, such as redirecting one server to a different server by modifying a DNS entry to point to a different IP address.

DNS is also used by many types of malware for command and control (C&C) connections, referencing DNS names in configuration files; even domain-generation algorithms have been used to set up C&C connections. DNS provides access to data, including internet protocol addresses (A records for IPv4 and AAAA records for IPv6), as well as mail exchanger records for email servers.

One problematic option that has been used recently by threat actors is the TXT (text) record. DNS TXT records can hold arbitrary text within a DNS entry, up to 255 bytes per string and multiple strings per record, which is what makes them usable as a data channel.

How DNS TXT records can be abused

DNS has received significant attention in the security community, including the usage of DNS servers in distributed denial-of-service attacks.

One area of DNS security that is starting to get more attention is how DNS can be used as a covert channel for data exfiltration. An attack was observed by Cisco Talos researchers where DNS TXT record queries were used for a C&C connection.

In the attack, a phishing email with a malicious Microsoft Word document is sent to a victim, and a macro executes a PowerShell command on the endpoint. The malware uses DNS TXT records for sending commands to the endpoint and for sending the output data from the command back to the C&C server. The malware encodes the command to make it more difficult to detect the potentially suspicious network communications. Because the queries travel through the organization's own recursive resolver, the channel works even where direct outbound connections are blocked, but it also means every query is visible in that resolver's logs.

Enterprise protections

Enterprises already have methods they can use to defend against malicious actors who abuse DNS TXT records to exfiltrate data from the enterprise; those same methods can also be effective against malicious actors abusing DNS TXT records to control their C&C networks. The DNS log data can be used to identify potentially suspicious domains being looked up, as well as the source IP address requesting the lookup. The signs to look for are an unusual volume of TXT queries from one host, long random-looking subdomain labels, and many unique names under a single parent domain, since each message needs a fresh name to avoid being answered from cache.

Talos includes a listing of the malicious domains in the indicators of compromise section of its report. The source IP address could be a system infected with malware, and it can be further investigated by security teams. By including DNS as a data source in incident response, an enterprise could find other infected systems.

Talos outlined several steps in the report to mitigate this DNS threat, including using a service that monitors DNS, antiphishing tools, antimalware network tools, threat intelligence services and endpoint security products. Talos also released a Snort rule that can detect the malware on the network.

One of the most attractive features of using DNS as a security control is that it usually doesn't require any changes to endpoints, and it can be used across an entire network. An enterprise may want to allow only approved DNS servers to be used, blocking direct outbound DNS from other hosts at the perimeter, so the enterprise can not only ensure the DNS service is secure, but can also monitor the DNS data.

Conclusion

DNS is a mission-critical service for enterprises, and it is also a gold mine of valuable data for protecting your enterprise. DNS data can be mined for threat intelligence, and DNS itself can also be used to redirect malware-infected hosts to a captive portal to remediate the malware.

Enterprises can add new security tools to monitor DNS without having to make significant changes to their network, which makes these tools very attractive to enterprises.

About SearchSecurity

IT security pros turn to SearchSecurity.com for the information they require to keep their corporate data, systems and assets secure. We're the only information resource that provides immediate access to breaking industry news, virus alerts, new hacker threats and attacks, security certification training resources, security standard compliance, webcasts, white papers, podcasts, Security Schools, a selection of highly focused security newsletters and more -- all at no cost.

For further reading, visit SearchSecurity.com

Images: Fotolia

©2019 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.
