Back in the stone age (that’s before the Internet to you Millennials) most households had two massive tomes delivered to their door, one yellow, one white. These were known as phonebooks and are now only used to try to “get your Ahnold on” by tearing them in half, or for TV detectives to rip a page out of them at phone booths in order to find the bad guy in 24 minutes or less.
While trees may be thankful for this near-extinct way of archiving and discovering contact information, a form of accurate indexing is still essential, especially on the Internet. This, in essence, is what DNS (the Domain Name System) does. Think of it as the phonebook for the Internet.
This article will cover the layperson’s basics of DNS, the security risks that may occur through DNS spoofing, and ways to protect yourself.
So How Does DNS Work?
Basically, DNS translates domain names into IP addresses - the strings of digits separated by dots or colons (e.g. 18.104.22.168) that are assigned to each and every device on the Internet and are a pain in the arse to remember - so browsers and search engines like Google can accurately and easily fly us to our online destinations. The DNS lookup occurs “behind the scenes” and requires no interaction from the user’s computer aside from the initial reach out.
A Quick Blurb About DNS Caching
Right now, your ISP (Internet Service Provider) is running multiple DNS servers, each of which also caches (or saves) information from other servers. Additionally, your Wi-Fi router may act as a DNS server as well, as it also caches information from the servers of your ISP.
The purpose of DNS caching is to store data locally (in the browser) or on your ISP’s “hub/intermediate” DNS server for a period of time, resulting in arguably improved performance and reliability for data requests by reducing load times and bandwidth/CPU consumption. Most newer web browsers are designed by default to cache DNS records for a set (usually short) amount of time.
It’s important to know about DNS caching because this is the mechanism that can be exploited by malicious parties using a technique called DNS spoofing, aka DNS cache poisoning.
A DNS cache is “poisoned” when the server receives a forged entry, which can occur if and when a hacker gains control over a DNS server and then changes the associated information. The hacker may then modify this information so that the DNS server sends the unaware user towards a website with a spoofed address (like a phishing website), despite entering the ‘correct’ name of the website.
The unwitting user whose computer has accessed the infected DNS server gets tricked into accepting content coming from this “fake” server - which may look exactly the same as the actual server - and may unknowingly download malicious content (this might get interesting with Disney+ and its large child following) and/or give up sensitive information, such as credit card details, passwords, etc. It’s akin to thinking you got a girl’s phone number and it turns out to be for her boyfriend. Not cool, at least not in my book!
DNS spoofing is also dangerous because of how quickly it can spread from one DNS server to the next, almost like lice at a daycare facility. It happens if and when multiple internet service providers are receiving their DNS information from the hacker-controlled portal, resulting in the soured DNS entry spreading to those ISPs to be cached. From there, it can then spread to other DNS servers and even home routers. Worse yet, the issue will only be resolved when the poisoned cache has been cleared on every affected DNS server - or the poisoned record’s time-to-live (TTL) finally runs out.
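To make the caching mechanism and the “it only goes away when the cache is cleared” point concrete, here is a small added example (not code from the original article): a toy resolver cache with TTL expiry. The record values, the 3600-second TTL and the upstream table are all constructed for the demonstration, using RFC 5737 documentation addresses; a wrong entry is planted directly in the cache to show how long a resolver keeps serving it.

```python
# Constructed example of a TTL-based resolver cache; not code from the original article.
# The record values and timings below are made up (RFC 5737 documentation addresses).

class DnsCache:
    """Minimal cache keyed by (name, record type); an entry lives until its TTL expires or it is flushed."""

    def __init__(self):
        self._entries = {}  # (name, rtype) -> (value, expires_at)

    def put(self, name, rtype, value, ttl, now):
        self._entries[(name.lower(), rtype)] = (value, now + ttl)

    def get(self, name, rtype, now):
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:
            del self._entries[key]  # expired: the next lookup goes upstream again
            return None
        return value

    def flush(self):
        """Drop everything; the only way to evict an entry before its TTL runs out."""
        self._entries.clear()


def resolve(cache, upstream, name, rtype, now):
    """Answer from cache when possible; otherwise ask upstream (a dict standing in for the
    ISP resolver here) and cache what it returns. Returns (value, where_it_came_from)."""
    hit = cache.get(name, rtype, now)
    if hit is not None:
        return hit, "cache"
    value, ttl = upstream[(name.lower(), rtype)]
    cache.put(name, rtype, value, ttl, now)
    return value, "upstream"


GENUINE = {("bank.example", "A"): ("192.0.2.10", 300)}  # what upstream really serves
BAD_VALUE = "198.51.100.66"                               # a wrong entry sitting in the cache


def served_until_expiry():
    """A bad entry cached with a 3600 s TTL keeps being served until the TTL runs out,
    even though upstream has had the right answer all along."""
    cache = DnsCache()
    cache.put("bank.example", "A", BAD_VALUE, 3600, now=0)
    timeline = []
    for t in (0, 1800, 3599, 3600):
        value, source = resolve(cache, GENUINE, "bank.example", "A", t)
        timeline.append((t, value, source))
    return timeline


def served_after_flush():
    """Flushing the cache ends the problem immediately: the next lookup goes upstream."""
    cache = DnsCache()
    cache.put("bank.example", "A", BAD_VALUE, 3600, now=0)
    before = resolve(cache, GENUINE, "bank.example", "A", 10)
    cache.flush()
    after = resolve(cache, GENUINE, "bank.example", "A", 10)
    return before, after


if __name__ == "__main__":
    for row in served_until_expiry():
        print(row)
    print(served_after_flush())
```

Run it and the timeline shows the wrong address being handed out at 0, 1800 and 3599 seconds straight from the cache, with the genuine record only appearing once the TTL expires at 3600 seconds; the second function shows that a flush gets you there immediately. Real resolvers (and every downstream cache that copied the record) behave the same way, which is why a poisoned entry with a long TTL is so sticky.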
How to Protect Yourself
Perhaps the most difficult part of this is ascertaining if the DNS responses you receive are legitimate or not. If in doubt use the over-cautious approach; bring an umbrella to the picnic. The good news is there are some strong yet simple actions that you can take to diminish the likelihood of a DNS spoofing attack from happening.
First and foremost, ensure that the most recent version of your DNS server software is installed and used as the default configuration for all of your computers, as most recent versions use source port randomization and random transaction IDs - security features that rely on cryptographically strong randomness to help guard against poisoning attacks, because a forged reply is only accepted if it matches the outstanding query. However, this is more a measure to take for people who actually maintain DNS servers. If you're an end user who just uses your browser, you're pretty much stuck with whatever version of DNS server your ISP/upstream DNS uses.
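To show what a DNS lookup looks like on the wire, and what the transaction ID check from the previous paragraph actually buys a resolver, here is an added example (not code from the original article): a minimal encoder and parser for the DNS message format, a query builder that picks a random 16-bit transaction ID, and the checks a stub resolver performs before it caches anything from a reply. The `build_response` helper only exists to construct replies for the demonstration; the domain names and the 192.0.2.x addresses are constructed (RFC 5737), and the bailiwick rule is deliberately simplified to “answers must be for the name we asked about”.

```python
from __future__ import annotations
import secrets
import struct

# Constructed example: a minimal DNS wire-format encoder/parser plus the checks a
# stub resolver applies before trusting a reply. Not code from the original article.

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset (following compression pointers); return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Standard query (RD=1, one question) with an unpredictable 16-bit transaction ID."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, qname: str, qtype: int, answers: list[tuple[str, str, int]]) -> bytes:
    """Constructed reply with (owner, IPv4, ttl) A records; owner == qname uses a pointer to offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip, ttl in answers:
        owner_wire = struct.pack("!H", 0xC00C) if owner == qname else encode_name(owner)
        msg += owner_wire + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return msg

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; A rdata is rendered as a dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((owner, rtype, ttl, value))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def accept_response(expected_txid: int, qname: str, qtype: int, msg: bytes) -> tuple[bool, str]:
    """Checks before caching: well-formed, QR bit set, txid matches, question echoed, answers for our name only."""
    try:
        r = parse_response(msg)
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed"
    if not r["is_response"]:
        return False, "not a response"
    if r["txid"] != expected_txid:
        return False, "transaction ID mismatch"
    if r["questions"] != [(qname.lower(), qtype, 1)]:
        return False, "question section mismatch"
    for owner, _rtype, _ttl, _value in r["answers"]:
        if owner != qname.lower():  # simplified bailiwick rule; real resolvers also follow CNAME chains
            return False, "answer outside queried name"
    return True, "ok"

if __name__ == "__main__":
    txid, query = build_query("example.com")
    reply = build_response(txid, "example.com", 1, [("example.com", "192.0.2.10", 300)])
    print(accept_response(txid, "example.com", 1, reply), parse_response(reply)["answers"])
```

The point of the transaction ID (and, on a real resolver, the randomized UDP source port, which this toy does not model) is that a reply is only accepted when it matches an outstanding query: a reply with the wrong ID, a different question, or records for a name other than the one asked about is dropped before it can reach the cache. Older resolvers used sequential IDs and a fixed port, which is exactly what the “most recent version” advice above is about.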
If you feel like tinkering a bit, you can configure your DNS servers so that only required services are permitted. This will significantly reduce the chances of an attack happening as opposed to allowing additional services that are not needed to run on your DNS server.
Then there’s also reverse DNS lookup. This is a querying technique that can be used for determining the domain name and the Internet service provider associated with an IP address. It can be used to identify the originator’s domain name to try and track, say, a spammer sending spam emails, or to track the IP addresses that were misdirected from a certain domain. In essence, it can be used to keep tabs on all computers that were used as part of malicious activity, which may prevent these poisoning attacks on your DNS server or computer by blocking malicious actors from connecting right away.
Know that while there are free and paid options to perform a reverse DNS, it usually requires in-depth research to cull out the trusted products. You could very well make things worse.
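Here is an added example (not code from the original article) of what a reverse DNS lookup is, and of the check that keeps it from making things worse as the paragraph above warns: it builds the PTR name for an IPv4 or IPv6 address and then performs a forward-confirmed reverse DNS (FCrDNS) check, only trusting the name if it resolves back to the same address. The PTR and A tables are constructed stand-ins for live DNS so the script runs offline; all addresses are RFC 5737/3849 documentation ranges and the hostnames are made up.

```python
import ipaddress

# Constructed example: reverse (PTR) names and a forward-confirmed reverse DNS check.
# Not code from the original article. The lookup tables below stand in for live DNS
# so it runs offline; addresses are RFC 5737/3849 documentation ranges.

def reverse_name(ip: str) -> str:
    """The name a resolver queries for a PTR record: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed zone data. Whoever controls the reverse zone for an address block decides
# what its PTR records say, so 203.0.113.7's owner here simply *claims* to be mail.example.net.
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa": ["mail.example.net"],
    "7.113.0.203.in-addr.arpa": ["mail.example.net"],
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
}

def ptr_lookup(ptr_name):
    """Stand-in for a PTR query against the reverse zone."""
    return PTR_RECORDS.get(ptr_name, [])

def a_lookup(hostname):
    """Stand-in for an A query against the forward zone (the domain owner's zone, not the IP owner's)."""
    return A_RECORDS.get(hostname, [])

def forward_confirmed(ip: str, ptr=ptr_lookup, forward=a_lookup):
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves back to the
    same IP, otherwise None. Without the forward step a PTR name is just a claim."""
    for hostname in ptr(reverse_name(ip)):
        if ip in forward(hostname):
            return hostname
    return None

def classify(ip):
    """What the reverse lookup claims versus what survives confirmation: (claimed names, confirmed name or None)."""
    claimed = ptr_lookup(reverse_name(ip))
    return claimed, forward_confirmed(ip)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "2001:db8::1"):
        print(ip, reverse_name(ip), classify(ip))
```

The second address shows the trap: its PTR record says `mail.example.net`, but `mail.example.net` does not point back to it, so a tool that blocks or allows on the reverse name alone would be acting on an unverified claim. Only the forward-confirmed result is worth feeding into a blocklist or an allowlist.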
Lastly, at least for the scope of this article, seriously consider the utilization of professional services from cyber security companies who specialize in areas such as this, are on top of the newest hacking techniques, and know how to counter them.
Of course the bottom line in all of this is, if you do not host your own DNS server you are at the mercy of others, reputable or not. And even if you DO host your own DNS server, it can still be tricked into caching data from outside DNS servers that were compromised.
As you’ve no doubt garnered by now, DNS is a touchy topic as there is no true security solution, because of its very nature. It is part of a network after all, and one can't control a whole network of DNS servers to make sure they are not compromised. You can, of course, disable caching, but that's a whole other ball of wax, as other DNS servers may ban you for querying too much.
DNS lookup is an essential part of how the Internet works nowadays. But, like virtually any online experience, there are some risks; including activity you may not even be aware of. If you are concerned, or have especially sensitive data stored on your - or perhaps more importantly, your company’s - system(s), the best bet is the one-two punch combination of “stay vigilant, stay safe”.
If you’d like to dig a little deeper, stay tuned for part 2 of this series, “DNS: The Tech Behind the Tool” - coming soon.