Home / Blogs

The Challenge of DNS Security

Edward Lewis

When the domain name system (DNS) was first designed, security was an afterthought. Threats simply weren't a consideration at a time when merely carrying out a function — routing Internet users to websites — was the core objective. As the weaknesses of the protocol became evident, engineers began to apply a patchwork of fixes. After several decades, it is now apparent that this reactive approach to DNS security has caused some unintended consequences and challenges.

Steps to Secure DNS Data

The first improvements to DNS security aimed to make the data safer, such as early efforts to add more information about data sources. Later, DNSSEC (DNS security extensions) was developed to make forging data much more difficult. One unintended consequence, which wasn't a concern at the time, responses to DNS queries now contains more data than ever before. The gain in response size, versus query size, became considerable.

Steps to Secure the System

While initial steps were being taken to secure DNS, the system gained greater capacity. That is, it was over-provisioned to secure availability and resiliency. The cost of computers and bandwidth fell, enabling organizations to deploy more and more servers, plus the servers themselves were becoming more powerful. This helped to prevent servers from being flooded with queries, both from legitimate users and illegitimate users launching DDoS attacks.

Progress was being made. But…

The Solutions Become a Problem

Recently, the DDoS attackers have capitalized on the way DNSSEC amplifies the size of query responses and has used the incredible capacity to focus packet floods on targets. In these attacks, which have been labeled reflection attacks, a computer sends a small DNS query to a server that responds with a large DNSSEC-fueled response, which is not sent to the computer but instead to the falsified return address. This process is repeated to many DNS servers in parallel, resulting in a traffic pattern that is barely noticable by the DNS servers but has severe consequences for the victim. The victim's servers are overwhelmed and websites go offline, causing revenues, customer service and brand reputations to suffer.

No Good Deed Goes Unpunished

To recap, while the DNS has been armed for security, it has also become a global, high-capacity, very reliable utility for generating attack traffic. Much like an electric utility generates power for cities; the DNS can generate immense amounts of traffic to flood victims.

So, What's Next?

We can't undo the improvements to DNS security. If we did, the DNS would once again be an untrustworthy and unreliable source for data. To move forward, we must figure out a way to eliminate reflection attacks and continue on with our security strategies. Or rethink these strategies overall.

On the horizon: expanding the role TCP (transmission control protocol, one of the core protocols of the Internet) plays in the DNS. Historically, expansion has been a taboo subject because TCP doesn't make much sense for DNS, but it removes the effectiveness of reflection attacks, for the most part. While there are reasons not to utilize TCP — another topic for another blog post — the fact is that DNS is already defined to operate over TCP, despite years of building devices that assume it doesn't. While this is a subject to experiment with, it's not a certain solution.

Other options exist, but it is too early to even begin to describe them. New topologies and new arrangements are in the works. Other changes to the protocol are being considered. Where we go next is anyone's guess.

By Edward Lewis, Director and Member of the Technical Staff at Neustar

Related topics: Cyberattack, DNS, DNSSEC, Internet Protocol, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

One of the biggest things that could Todd Knarr  –  Aug 20, 2013 11:00 AM PST

One of the biggest things that could be done is for ISPs to filter outbound traffic. DNS reflection attacks only work if you can forge the source of the query to appear to be the victim. It's impractical for the DNS server's network to filter queries for validity, but your ISP knows what IP network numbers they operate. They can apply a standard outbound filter: all packets with a source address not in a network the ISP operates are dropped. This is complex to do for interior networks that handle transit for many other networks, but at the edges where ISPs serve mostly either their own networks or clients whose networks don't carry transit traffic it's much more feasible. Applying sanity filters like that would go a long way towards eliminating the nastiest attacks.

Similarly inbound filtering should be standard. Again it's too complex to apply to interior interfaces, but near the edges there are a lot of interfaces to non-transit ISPs (or ones who only handle transit for a known set of non-transit clients) where even if the ISP doesn't apply an outbound filter the network they're connecting to can apply an inbound filter to drop any traffic from the ISP that doesn't originate from a network the ISP is responsible for. This helps deal with rogue networks that don't filter outbound.

You're right, but... Edward Lewis  –  Aug 21, 2013 11:48 AM PST

This filtering has been promoted for a long time by a lot of people without a lot to show for their efforts.  Yes ISPs should, but they don't.  This leaves DNS operators with a choice to keep shouting "deploy BCP 38" or do something within the control of the DNS operators (at least try).

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Sponsored Topics

Afilias

DNSSEC

Sponsored by
Afilias
dotMobi

Mobile

Sponsored by
dotMobi
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Verisign

Security

Sponsored by
Verisign