The Domain Name System (DNS) is a critical component in internet communication that matches a friendly domain name such as “yourdomain.com” with its corresponding IP address. A critical flaw was found in the DNS protocol in 2008 that allowed an attacker to poison cache results on DNS resolver servers and redirect users to a malicious website. This attack was successful because the DNS protocol does not require any authentication or security validation. However, a new technology called DNSSEC adds a security layer to DNS queries to protect users from phishing attacks using DNS vulnerabilities.
How Does DNS Cache Poisoning Work?
The main purpose of DNSSEC is to stop DNS cache poisoning, also called DNS spoofing. The Internet has thousands of DNS resolvers that answer user queries requesting IP addresses for a given domain. Resolvers communicate with authoritative nameservers to get domain IP addresses and cache them. Cached results make it faster for users to receive responses from their DNS queries.
The issue with this system is that there is no validation for responses from an authoritative nameserver. An attacker can pretend to be an authoritative response and force the resolver server to cache malicious results. In a DNS poisoning attack, the attacker will tell the resolver to cache a malicious IP and link it to a legitimate domain. The domain owner has no control over the issue, and most cache poisoning attacks use an attacker-controlled site that looks significantly similar to the official site.
Attackers can successfully poison resolver servers because the entire DNS interaction between servers uses the UDP protocol. The UDP protocol has no handshake like the TCP protocol used to connect to an HTTP website. UDP is a “set it and forget it” protocol that sends and receives messages without any authentication or sender and receiver verification.
A DNS poisoning attack is not easy, so it’s a sophisticated way for an attacker to exploit the vulnerability. The resolver server does make legitimate requests to the authoritative server, and the authoritative server sends legitimate responses. An attacker only has a few milliseconds to send the fraudulent reply to the resolver before it receives a legitimate response.
Several other issues make this attack difficult:
• Attackers must know which DNS queries aren’t cached by the resolver to identify a soon-to-happen DNS query that can be poisoned.
• The port used for queries must be known. Older protocol rules specified the same port, but newer standards randomize the port. This means attackers must “guess” the right port, but only a limited number of ports are available for DNS queries.
• Every request is given an identification value. The attacker must “guess” the identification value to ensure that poisoned results are cached.
• An attacker must know the authoritative server used to query DNS results.
This attack is a critical issue because users have no way of knowing that they are accessing a malicious site. A sophisticated attack uses the legitimate site’s images, layout, colors, and text. It’s virtually impossible to notice a phishing website using this method of attack. Some attackers even have SSL/TLS certificates to make the site look more legitimate. Any user who falls for this phishing attack could send an attacker their financial data, personal information, or user credentials.
Because phishing attacks are especially effective using DNS cache poisoning, DNSSEC was established and quickly rolled out to defend against them. DNS is a critical part of Internet infrastructure, so the attack could affect small and large businesses. It was considered a critical issue that must be remediated quickly and without affecting the way legacy and new servers interact with each other and users.
How DNSSEC Solves the Problem of DNS Cache Poisoning
DNSSEC works similarly to SSL/TLS and HTTPS connections. In these security technologies, digital signatures and public/private key encryption are used to protect servers. DNSSEC uses a key signing process from the root server to the nameserver hosting the domain’s IP address. There are only 13 root servers located across the globe, which are maintained by trusted authorities. Before signatures and keys are distributed, Internet Assigned Numbers Authority (IANA) reviews them and assigns them to the domain’s nameserver. IANA is the only trusted root key manager currently to approve requests.
Digital signatures are stored on nameservers alongside other common DNS records such as A, AAAA, MX, and CNAME. Public keys are used to verify digital signatures to ensure that the record is valid. The DNS resolver verifies the legitimacy of a query result using the public key to then verify the signature of the private key passed down by the root server. The chain of events is invisible to the user, so all this activity happens in the background when users access their favorite domain.
Not Every Device Supports DNSSEC
Backwards compatibility is necessary to allow for legacy hardware to still work with DNS resolvers. It’s not uncommon for users to have older routers in their homes, so DNSSEC is not adopted everywhere. It takes time for new technology to advance to people who do not upgrade their hardware, so DNSSEC is still not implemented on every network.
Some organizations forward DNS queries to an authoritative DNS provider such as Google. Adoption for DNSSEC continues to grow, but it has not been completely implemented due to difficulties. The first difficulty is that administrators must understand DNSSEC and know how to implement it. The second is a lack of resources for smaller organizations. For individuals, it seems unnecessary to go out and buy a new router or other device to support technology that they don’t understand.
Phishing attacks aren’t always via email. They can also be used in DNS cache poisoning attacks. It’s important that organizations understand the issues with DNS and take the necessary steps to protect users. DNSSEC adds a layer of cybersecurity to browser requests and protects users from possible phishing attacks.
Your internet service provider might already use DNSSEC, but private organizations could have unique setups that use older strategies. Using DNSSEC, you protect your domain from being used in sophisticated phishing attacks. It protects not only users, but also protects employees from being the targets of phishing.