NF Post 6 : DNS Security
To begin with, in DNS protocol there is a process of translating names like something.com into an IP address. One vulnerability of DNS is when this process happens, attacker can hijack this process take control of the session to, for example, send the user to the hijacker’s own malicious website.
There is only one long-term solution to solve this vulnerability, and it is the end-to-end-deployment of a security protocol called DNSSEC or DNS Security.
But before we talk about what is DNS Security, we need to know about the root zone.
As it said in the previous paragraph, DNS translates domain names into numbers that computers use to go to the destination. The first place it looks is the top level of directory service. This place is called the root zone.
DNSSEC is a technology that prevents such attack by digitally signing data to make sure it is valid. To eliminate weaknesses from the internet, it must be deployed at each step in the lookup from root zone to final domain name. Deploying DNS Security on the root zone/ signing the root is an important phase in this process. These signatures can be checked to verify that a record came from the correct DNS server.
Signing a data is done by adding 2 things, DNSKEY and DS. DNSKEY record contains a public signing key, and the DS record contains a hash of a DNSKEY record.
To make it clearer, here’s an example on an unsigned domain.
In Figure 3.1, we can see that Paypal use cname chain to reach an address, and some of the addresses are unsigned. We checked in https://dnssec-analyzer.verisignlabs.com/ and this is the result.
From the figures above, it can be seen that edgekey.net, akamaiedge.net, and a.akamaiedge.net are unsigned. Therefore, some cname in Figure 1 does not support DNSSEC. As the result, although as it can be seen in Figure 3.3, that paypal.com itself is signed, the IP at the end of Figure 3.1 is unsigned and because of that, there are risks of getting attacks.
References:
- Towards Adoption of DNSSEC: Availability and Security Challenges – Amir Herzberg and Haya Shulman
- https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/
- https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
- https://support.dnsimple.com/articles/cname-record/
- https://dnssec-analyzer.verisignlabs.com/www.paypal.com