DNS Security-Session-4

The document discusses DNS security, including the workings of the Internet and the DNS ecosystem, highlighting components like IANA and ICANN. It covers various DNS attacks such as spoofing and cache poisoning, as well as recent developments in malicious domain detection and upcoming challenges like blockchain DNS. Additionally, it provides references for further reading and invites feedback on email security solutions.

Uploaded by: Ram Singh

DNS Security

Speaker: Gopinath Palaniappan

Sunday, 19th November 2023


Agenda
Part 1: Working of Internet
Part 2: The DNS Ecosystem
Part 3: Attacks on DNS
Part 4: DNS Abuse
Part 5: Recursive Resolver
Part 6: Recent Developments
Part 1

Working of Internet
Introduction to Internet
• Father of Internet: Vinton Gray Cerf
• Communication necessity:
  • Defense Advanced Research Projects Agency (DARPA) in 1960s: low-grade phone connection
  • Advanced Research Projects Agency Network (ARPANET) in 1967: Packet Switching and TCP/IP
• Network and Sharing necessity:
  • Host name to address mapping at Stanford Research Institute (SRI) by Doug Engelbart in 1969
  • Department of Defense and Department of Energy
  • IANA (Internet Assigned Numbers Authority)
  • ICANN (Internet Corporation for Assigned Names and Numbers)
Introduction to Internet
• Components of Internet
  • IANA (Internet Assigned Numbers Authority) [https://www.iana.org/]
  • ICANN (Internet Corporation for Assigned Names and Numbers) [https://www.icann.org/]
  • Regional Internet Registry (RIR): APNIC (Asia Pacific Network Information Centre) [https://www.apnic.net/]
  • National Internet Registry (NIR) [https://www.irinn.in/]
  • Internet eXchange Points (IXPs): NIXI (National Internet Exchange of India) [https://nixi.in/]
  • Internet Service Providers (ISPs)
  • Domain Name System (DNS)
Part 2

The DNS Ecosystem


Understanding Domain Name

Example URL: https://www.india.gov.in/my-government/government-directory
• Protocol: https
• Domain name / Fully Qualified Domain Name (FQDN): www.india.gov.in
• Path: /my-government/government-directory
• Resource file: government-directory

Primary role of Domain Name System (DNS): map a name to an address, e.g. https://india.gov.in → 164.100.61.151
DNS Ecosystem
Domain Registration
• Wants to register https://sample.in:
  1) Check availability in the Registry Database
  2) Register, if available
Resolving a domain
• User visits https://sample.in
Contractual Agreements in DNS Ecosystem
DNS Query Resolution
DNS Ecosystem (figure, flattened): User visits https://coednssecurity.in
Participants: User, Recursive Resolver (RR), Root ".", Top Level Domain (TLD) ".in", Second Level Domain (SLD) "coednssecurity.in", and the host of https://coednssecurity.in at 220.156.189.66
Labelled steps:
1. Resolve https://coednssecurity.in
2. Check local cache
3. Reach closest RR
4. Check RR cache
5. 220.156.189.66
7. Resolve coednssecurity.in
8. Nameserver of coednssecurity.in
Steps 6, 9, 10 and 11 are unlabelled arrows in the figure; arrows 3, 6 and 12 pass through the Recursive Resolver, and the final arrow reaches the host of https://coednssecurity.in (220.156.189.66).
DNS Hierarchy
• 13 Root Servers (A-M)
• 1617 Root instances
• 1589 TLDs (March 2021)

Part 3

Attacks on DNS
• DNS Query ID Spoofing
• DNS Cache Poisoning
• Distributed Denial of Service (DDoS)
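Query ID spoofing and cache poisoning both rely on a resolver accepting a reply it should not. The added example below (not from the slides) shows the checks a resolver applies before caching anything: a CSPRNG-chosen transaction ID and source port, a match on the question section and the server the query went to, and a bailiwick rule so a reply from the ".in" server cannot plant records for some other zone. The message dictionaries stand in for parsed DNS packets and every value is constructed.

```python
"""Resolver-side acceptance checks against DNS query ID spoofing and cache
poisoning. Added example, not from the slides; the message dicts stand in
for parsed DNS packets and every value below is constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a query it has sent out."""
    txid: int         # 16-bit transaction ID
    src_port: int     # UDP source port the query left from
    server_ip: str    # authoritative server it was sent to
    qname: str
    qtype: str


def new_query(qname, qtype, server_ip):
    """Pick the ID and the source port with a CSPRNG so that a forger
    must guess both (about 2^30 combinations) rather than the ID alone."""
    return Outstanding(
        txid=secrets.randbelow(1 << 16),
        src_port=1024 + secrets.randbelow(65536 - 1024),
        server_ip=server_ip, qname=qname.lower().rstrip("."), qtype=qtype)


def guess_space(port_randomized):
    """How many (txid, port) pairs a forger has to cover per attempt."""
    return (1 << 16) * ((65536 - 1024) if port_randomized else 1)


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(out, resp, zone):
    """Return (accepted, reason). resp keys: txid, dst_port, src_ip, qname,
    qtype, records=[(owner_name, rtype, value), ...]. `zone` is the zone the
    queried server is authoritative for; records outside it are rejected so
    a reply from the .in server cannot plant, say, a record for example.com."""
    if resp["txid"] != out.txid:
        return False, "txid mismatch"
    if resp["dst_port"] != out.src_port:
        return False, "port mismatch"
    if resp["src_ip"] != out.server_ip:
        return False, "reply from unexpected server"
    if (resp["qname"].lower().rstrip("."), resp["qtype"]) != (out.qname, out.qtype):
        return False, "question section mismatch"
    for owner, _rtype, _value in resp["records"]:
        if not in_bailiwick(owner, zone):
            return False, f"out-of-bailiwick record for {owner}"
    return True, "ok"
```

With only the 16-bit ID randomized, `guess_space(False)` is 65536; adding source-port randomization multiplies that by roughly 64,000, which is the point of the port-randomization fixes that resolvers such as BIND shipped for cache poisoning.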
Part 4

DNS Abuse
• DNS Reflection and Amplification
• DNS Tunnelling (figure: Infected Client)
• DNS Hijacking (figure: Infected Client)
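Reflection/amplification and tunnelling leave different traces in a resolver's query log: the first shows up as replies many times larger than the queries that triggered them, the second as a stream of long, never-repeated leftmost labels under one registered domain. The added example below (not from the slides) runs both checks over a small constructed log; the log format, every line and the thresholds are constructed and only illustrate the shape of the detection.

```python
"""Two traffic-pattern checks over resolver logs, one for reflection/
amplification, one for tunnelling. Added example, not from the slides.
The log format and every line below are constructed; the thresholds are
illustrative starting points, not tuned values."""
import re
from collections import defaultdict

# Constructed log lines: time client qname qtype response_bytes
SAMPLE_LOG = """\
10:00:01 198.51.100.7 isc.org ANY 3200
10:00:01 198.51.100.7 isc.org ANY 3200
10:00:02 198.51.100.7 isc.org ANY 3200
10:00:02 198.51.100.7 isc.org ANY 3200
10:00:03 203.0.113.5 www.india.gov.in A 60
10:00:04 203.0.113.9 aGVsbG8gd29ybGQ.t1.exfil.example TXT 120
10:00:04 203.0.113.9 dGhpcyBpcyBhIHRlc3Q.t1.exfil.example TXT 120
10:00:05 203.0.113.9 bW9yZSBkYXRhIGhlcmU.t1.exfil.example TXT 120
10:00:05 203.0.113.9 ZXZlbiBtb3JlIGRhdGE.t1.exfil.example TXT 120
10:00:06 203.0.113.5 coednssecurity.in A 60
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (client, qname, qtype, response_bytes) per well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _t, client, qname, qtype, size = m.groups()
            yield client, qname.lower().rstrip("."), qtype, int(size)


def amplification_suspects(records, min_queries=3, min_ratio=10.0):
    """Clients whose replies are many times larger than their queries.
    A UDP query is roughly 12 header + qname + 2 + 4 question bytes, so the
    ratio response/query is the amplification a sender would obtain if the
    source address were a spoofed victim. Returns {client: ratio}."""
    out_bytes, in_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for client, qname, _qtype, size in records:
        out_bytes[client] += size
        in_bytes[client] += 12 + len(qname) + 2 + 4
        count[client] += 1
    return {c: round(out_bytes[c] / in_bytes[c], 1)
            for c in count
            if count[c] >= min_queries and out_bytes[c] / in_bytes[c] >= min_ratio}


def tunnel_suspects(records, min_unique=3, min_label_len=15):
    """Registered domains receiving many never-repeated, long leftmost labels,
    the shape of data being carried out in query names. Returns
    {domain: (unique_subdomains, mean_leftmost_label_length)}."""
    labels = defaultdict(set)
    for _client, qname, _qtype, _size in records:
        parts = qname.split(".")
        if len(parts) < 3:
            continue                      # no subdomain label to carry data
        labels[".".join(parts[-2:])].add(parts[0])
    flagged = {}
    for domain, subs in labels.items():
        mean_len = sum(map(len, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_label_len:
            flagged[domain] = (len(subs), round(mean_len, 1))
    return flagged
```

On the sample log the first check flags 198.51.100.7 (four ANY queries answered with 3200-byte replies) and the second flags exfil.example (four distinct 15- to 19-character labels); the ordinary A lookups for india.gov.in and coednssecurity.in trip neither. On a real resolver the same two signals are what response rate limiting and per-domain query-name cardinality alerts are built on.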
Part 5

Recursive Resolver
BIND
• BIND is the most popular Domain Name System (DNS) server.
• It is FOSS (Free & Open Source Software).
• BIND means Berkeley Internet Name Domain.
• It was developed in the 1980s at the University of Berkeley.
• It can be used both as a Caching Server as well as an Authoritative Server.
• https://coednssecurity.in – has manuals
Dig – Domain Information Groper
• Dig is an administrative tool for querying DNS Name Servers.
• It is useful for performing DNS Lookups and displays the answers that are returned from the name server.
• It is also useful for verifying and troubleshooting DNS problems.
Part 6

Recent Developments
Malicious Domain Detection
• Blacklist: Reputation based on history
• Lexical Features: Length; Characters ratio, continuity rate; Phrases
• Global ranking: Alexa, DomCop, Majestic, Google Page-ranking
• Registration data: RDAP, IPWhois, DomainWhois
• Web Traffic: Visitors count, Stay time, Web referrals
• Category & Content: Type of website, Number of pages, Broken links
Harmful effects of Malicious Domains
• Malware propagation
• Botnet
• Data Exfiltration
• Ransomware attack
Domain Generation Algorithms (DGAs) (figure, flattened)
Victim side:
1. User visits malicious link (Malicious Website)
2. Malware downloaded and installed
3. Installed malware uses seed for DGA generation → list of algorithmically generated domains
5. Malware starts querying DNS for the domains → connection established to the C&C server
Attacker side:
3. Attacker uses seed for generating domains → list of algorithmically generated domains
4. Attacker uses the domains to register the C&C server → C&C registered
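The "Lexical Features" column of the detection slide (length, character ratios, continuity rate) is exactly what separates the names a DGA emits from human-chosen ones, so one added example serves both passages. It is not the speaker's code; the feature thresholds and the sample labels (other than coednssecurity and india) are constructed, and the entropy/consonant-run rule is a deliberately simple stand-in for a trained classifier.

```python
"""Lexical features for the "Lexical Features" column of the detection
slide, applied to the kind of names a DGA produces. Added example, not the
speaker's code; the sample labels and the thresholds are constructed."""
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character; random-looking labels sit near log2(len(text))."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run without a vowel (digits and hyphens count
    as non-vowels): a proxy for the slide's "continuity rate"."""
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def features(label):
    """Per-label feature vector; `label` is one DNS label, not a full name."""
    label = label.lower()
    if not label:
        raise ValueError("empty label")
    n = len(label)
    return {
        "length": n,
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 2),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 2),
        "consonant_run": longest_consonant_run(label),
        "entropy": round(shannon_entropy(label), 2),
    }


def looks_algorithmic(label):
    """Constructed rule: high entropy plus either a long vowel-free run or
    a noticeable share of digits. A real detector would learn these cut-offs."""
    f = features(label)
    return f["entropy"] >= 3.5 and (f["consonant_run"] >= 4 or f["digit_ratio"] >= 0.2)


def rank(labels):
    """Most suspicious first, for analyst triage of a day's newly seen labels."""
    return sorted(labels,
                  key=lambda l: (looks_algorithmic(l), features(l)["entropy"]),
                  reverse=True)


if __name__ == "__main__":
    for label in ["xkq7zvplw9bnt", "coednssecurity", "india"]:   # first one constructed
        print(label, features(label), looks_algorithmic(label))
```

The constructed label xkq7zvplw9bnt has thirteen distinct characters (entropy 3.7 bits) and no vowel at all, so it is flagged; coednssecurity has a four-consonant run ("dnss") but its entropy is only about 3.4 bits, which is why the rule needs both signals rather than either alone.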
Upcoming Challenges
• Blockchain DNS
  • No centralized control
  • Anonymity
  • Crypto wallets
• Internationalized Domain Names (IDNs): Punycode attacks
  • Domain names in local languages
  • Unicode to ASCII
  • IDN example: .இந்தியா
  • Punycode Example: abæcdöef (abcdef-qua4k)
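The Unicode-to-ASCII step and the homograph risk behind "Punycode attacks" can both be shown with the standard library. The added example below (not the speaker's code) converts the slide's own abæcdöef and .இந்தியா examples to their xn-- form and back, and adds a mixed-script check of the kind registries and browsers use to decide whether a label may be displayed in Unicode; the label mixing Cyrillic and Latin letters is constructed.

```python
"""IDN handling for the Punycode and homograph points on the slide. Added
example, not the speaker's code; the labels below are constructed except
for the slide's own abæcdöef and .இந்தியா examples."""
import unicodedata


def to_ace(label):
    """Unicode label -> ASCII Compatible Encoding (xn--...) as a registry stores it."""
    return label.encode("idna").decode("ascii")


def to_unicode(ace_label):
    """ACE label -> Unicode, the direction a browser takes before display."""
    return ace_label.encode("ascii").decode("idna")


def scripts_in(label):
    """Set of script names (first word of the Unicode character name) for the
    letters and combining marks in a label; digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isalpha() or unicodedata.category(ch).startswith("M"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label):
    """A label mixing scripts (a Cyrillic letter inside a Latin word) is the
    usual shape of a homograph; such labels are normally shown as xn--."""
    return len(scripts_in(label)) > 1


if __name__ == "__main__":
    print(to_ace("abæcdöef"))                      # xn--abcdef-qua4k (slide example)
    print(to_ace("இந்தியா"))                        # the .இந்தியா ccTLD label in ACE form
    print(is_mixed_script("\u0440\u0430ypal"))     # constructed: Cyrillic р, а + Latin
```

The raw Punycode of abæcdöef is abcdef-qua4k, as the slide states; the idna codec adds the xn-- prefix that makes it a valid ASCII label. The Tamil label resolves to a single script and passes the check, whereas the constructed Cyrillic/Latin mix does not.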
References
• Bind 9.18.2 Software: https://coednssecurity.in (RESOURCES Tab)
• Bind 9.18.2 Manual: https://coednssecurity.in (RESOURCES Tab)
• DNS Hardening by Security Enrichment and Performance Enhancement of Recursive Resolver: https://coednssecurity.in (RESOURCES Tab)
• Bind Administration Manual: https://bind9.readthedocs.io/en/v9_18_2/
Q&A

Please help us improve our email security solution by forwarding your spam emails to our SPAM BOX at:
[email protected]

Thank you
