DNS Security Management

Michael Dooley is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.

Timothy Rooney manages BT Diamond IP product development and has led the market introduction of four next-generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley-IEEE Press title Introduction to IP Address Management and in 2011, IP Address Management Principles and Practice. In 2013 Mr. Rooney co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.

Preface xiii
Acknowledgments xvii
1 INTRODUCTION 1
Why Attack DNS? 1
Network Disruption 2
DNS as a Backdoor 2
DNS Basic Operation 3
Basic DNS Data Sources and Flows 4
DNS Trust Model 5
DNS Administrator Scope 6
Security Context and Overview 7
Cybersecurity Framework Overview 7
Framework Implementation 9
What s Next 15
2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17
DNS Overview Domains and Resolution 17
Domain Hierarchy 18
Name Resolution 18
Zones and Domains 23
Dissemination of Zone Information 25
Additional Zones 26
Resolver Configuration 27
Summary 29
3 DNS PROTOCOL AND MESSAGES 31
DNS Message Format 31
Encoding of Domain Names 31
Name Compression 32
Internationalized Domain Names 34
DNS Message Format 35
DNS Update Messages 43
The DNS Resolution Process Revisited 48
DNS Resolution Privacy Extension 55
Summary 56
4 DNS VULNERABILITIES 57
Introduction 57
DNS Data Security 57
DNS Information Trust Model 59
DNS Information Sources 60
DNS Risks 61
DNS Infrastructure Risks and Attacks 62
DNS Service Availability 62
Hardware/OS Attacks 63
DNS Service Denial 63
Pseudorandom Subdomain Attacks 67
Cache Poisoning Style Attacks 67
Authoritative Poisoning 71
Resolver Redirection Attacks 73
Broader Attacks that Leverage DNS 74
Network Reconnaissance 75
DNS Rebinding Attack 77
Reflector Style Attacks 78
Data Exfiltration 79
Advanced Persistent Threats 81
Summary 83
5 DNS TRUST SECTORS 85
Introduction 85
Cybersecurity Framework Items 87
Identify 87
Protect 87
Detect 88
DNS Trust Sectors 88
External DNS Trust Sector 91
Basic Server Configuration 93
DNS Hosting of External Zones 97
External DNS Diversity 97
Extranet DNS Trust Sector 98
Recursive DNS Trust Sector 99
Tiered Caching Servers 100
Basic Server Configuration 101
Internal Authoritative DNS Servers 103
Basic Server Configuration 105
Additional DNS Deployment Variants 108
Internal Delegation DNS Master/Slave Servers 109
Multi-Tiered Authoritative Configurations 109
Hybrid Authoritative/Caching DNS Servers 111
Stealth Slave DNS Servers 111
Internal Root Servers 111
Deploying DNS Servers with Anycast Addresses 113
Other Deployment Considerations 118
High Availability 118
Multiple Vendors 118
Sizing and Scalability 118
Load Balancers 119
Lab Deployment 119
Putting It All Together 119
6 SECURITY FOUNDATION 121
Introduction 121
Hardware/Asset Related Framework Items 122
Identify: Asset Management 122
Identify: Business Environment 123
Identify: Risk Assessment 124
Protect: Access Control 126
Protect: Data Security 127
Protect: Information Protection 129
Protect: Maintenance 130
Detect: Anomalies and Events 131
Detect: Security Continuous Monitoring 131
Respond: Analysis 132
Respond: Mitigation 132
Recover: Recovery Planning 133
Recover: Improvements 133
DNS Server Hardware Controls 134
DNS Server Hardening 134
Additional DNS Server Controls 136
Summary 137
7 SERVICE DENIAL ATTACKS 139
Introduction 139
Denial of Service Attacks 139
Pseudorandom Subdomain Attacks 141
Reflector Style Attacks 143
Detecting Service Denial Attacks 144
Denial of Service Protection 145
DoS/DDoS Mitigation 145
Bogus Queries Mitigation 147
PRSD Attack Mitigation 148
Reflector Mitigation 148
Summary 151
8 CACHE POISONING DEFENSES 153
Introduction 153
Attack Forms 154
Packet Interception or Spoofing 154
ID Guessing or Query Prediction 155
Name Chaining 155
The Kaminsky DNS Vulnerability 156
Cache Poisoning Detection 159
Cache Poisoning Defense Mechanisms 160
UDP Port Randomization 160
Query Name Case Randomization 161
DNS Security Extensions 161
Last Mile Protection 167
9 SECURING AUTHORITATIVE DNS DATA 169
Introduction 169
Attack Forms 170
Resolution Data at Rest 170
Domain Registries 170
DNS Hosting Providers 171
DNS Data in Motion 172
Attack Detection 172
Authoritative Data 172
Domain Registry 173
Domain Hosting 173
Falsified Resolution 173
Defense Mechanisms 174
Defending DNS Data at Rest 174
Defending Resolution Data in Motion with DNSSEC 176
Summary 186
10 ATTACKER EXPLOITATION OF DNS 187
Introduction 187
Network Reconnaissance 187
Data Exfiltration 188
Detecting Nefarious use of DNS 189
Detecting Network Reconnaissance 189
DNS Tunneling Detection 190
Mitigation of Illicit DNS Use 193
Network Reconnaissance Mitigation 193
Mitigation of DNS Tunneling 193
11 MALWARE AND APTS 195
Introduction 195
Malware Proliferation Techniques 196
Phishing 196
Spear Phishing 196
Downloads 196
File Sharing 197
Email Attachments 197
Watering Hole Attack 197
Replication 197
Implantation 197
Malware Examples 198
Malware Use of DNS 198
DNS Fluxing 198
Dynamic Domain Generation 202
Detecting Malware 202
Detecting Malware Using DNS Data 203
Mitigating Malware Using DNS 206
Malware Extrication 206
DNS Firewall 207
Summary 210
12 DNS SECURITY STRATEGY 213
Major DNS Threats and Mitigation Approaches 214
Common Controls 214
Disaster Defense 214
Defenses Against Human Error 220
DNS Role-Specific Defenses 220
Stub Resolvers 220
Forwarder DNS Servers 221
Recursive Servers 221
Authoritative Servers 222
Broader Security Strategy 222
Identify Function 223
Protect Function 224
Detect Function 225
Respond Function 226
Recover Function 227
13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229
Safer Web Browsing 230
DNS-Based Authentication of Named Entities (DANE) 230
Email Security 232
Email and DNS 233
DNS Block Listing 237
Sender Policy Framework (SPF) 238
Domain Keys Identified Mail (DKIM) 242
Domain-Based Message Authentication, Reporting, and
Conformance (DMARC) 245
Securing Automated Information Exchanges 246
Dynamic DNS Update Uniqueness Validation 246
Storing Security-Related Information 247
Other Security Oriented DNS Resource Record Types 247
Summary 251
14 DNS SECURITY EVOLUTION 253
Appendix A: Cybersecurity Framework Core DNS Example 257
Appendix B: DNS Resource Record Types 285
Bibliography 291
Index 299