DNS Security Management

Preface xiii Acknowledgments xvii 1 INTRODUCTION 1 Why Attack DNS? 1 Network Disruption 2 DNS as a Backdoor 2 DNS Basic Operation 3 Basic DNS Data Sources and Flows 4 DNS Trust Model 5 DNS Administrator Scope 6 Security Context and Overview 7 Cybersecurity Framework Overview 7 Framework Implementation 9 What’s Next 15 2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17 DNS Overview – Domains and Resolution 17 Domain Hierarchy 18 Name Resolution 18 Zones and Domains 23 Dissemination of Zone Information 25 Additional Zones 26 Resolver Configuration 27 Summary 29 3 DNS PROTOCOL AND MESSAGES 31 DNS Message Format 31 Encoding of Domain Names 31 Name Compression 32 Internationalized Domain Names 34 DNS Message Format 35 DNS Update Messages 43 The DNS Resolution Process Revisited 48 DNS Resolution Privacy Extension 55 Summary 56 4 DNS VULNERABILITIES 57 Introduction 57 DNS Data Security 57 DNS Information Trust Model 59 DNS Information Sources 60 DNS Risks 61 DNS Infrastructure Risks and Attacks 62 DNS Service Availability 62 Hardware/OS Attacks 63 DNS Service Denial 63 Pseudorandom Subdomain Attacks 67 Cache Poisoning Style Attacks 67 Authoritative Poisoning 71 Resolver Redirection Attacks 73 Broader Attacks that Leverage DNS 74 Network Reconnaissance 75 DNS Rebinding Attack 77 Reflector Style Attacks 78 Data Exfiltration 79 Advanced Persistent Threats 81 Summary 83 5 DNS TRUST SECTORS 85 Introduction 85 Cybersecurity Framework Items 87 Identify 87 Protect 87 Detect 88 DNS Trust Sectors 88 External DNS Trust Sector 91 Basic Server Configuration 93 DNS Hosting of External Zones 97 External DNS Diversity 97 Extranet DNS Trust Sector 98 Recursive DNS Trust Sector 99 Tiered Caching Servers 100 Basic Server Configuration 101 Internal Authoritative DNS Servers 103 Basic Server Configuration 105 Additional DNS Deployment Variants 108 Internal Delegation DNS Master/Slave Servers 109 Multi-Tiered Authoritative Configurations 109 Hybrid Authoritative/Caching DNS Servers 111 Stealth Slave DNS Servers 111 Internal Root Servers 111 Deploying DNS Servers with Anycast Addresses 113 Other Deployment Considerations 118 High Availability 118 Multiple Vendors 118 Sizing and Scalability 118 Load Balancers 119 Lab Deployment 119 Putting It All Together 119 6 SECURITY FOUNDATION 121 Introduction 121 Hardware/Asset Related Framework Items 122 Identify: Asset Management 122 Identify: Business Environment 123 Identify: Risk Assessment 124 Protect: Access Control 126 Protect: Data Security 127 Protect: Information Protection 129 Protect: Maintenance 130 Detect: Anomalies and Events 131 Detect: Security Continuous Monitoring 131 Respond: Analysis 132 Respond: Mitigation 132 Recover: Recovery Planning 133 Recover: Improvements 133 DNS Server Hardware Controls 134 DNS Server Hardening 134 Additional DNS Server Controls 136 Summary 137 7 SERVICE DENIAL ATTACKS 139 Introduction 139 Denial of Service Attacks 139 Pseudorandom Subdomain Attacks 141 Reflector Style Attacks 143 Detecting Service Denial Attacks 144 Denial of Service Protection 145 DoS/DDoS Mitigation 145 Bogus Queries Mitigation 147 PRSD Attack Mitigation 148 Reflector Mitigation 148 Summary 151 8 CACHE POISONING DEFENSES 153 Introduction 153 Attack Forms 154 Packet Interception or Spoofing 154 ID Guessing or Query Prediction 155 Name Chaining 155 The Kaminsky DNS Vulnerability 156 Cache Poisoning Detection 159 Cache Poisoning Defense Mechanisms 160 UDP Port Randomization 160 Query Name Case Randomization 161 DNS Security Extensions 161 Last Mile Protection 167 9 SECURING AUTHORITATIVE DNS DATA 169 Introduction 169 Attack Forms 170 Resolution Data at Rest 170 Domain Registries 170 DNS Hosting Providers 171 DNS Data in Motion 172 Attack Detection 172 Authoritative Data 172 Domain Registry 173 Domain Hosting 173 Falsified Resolution 173 Defense Mechanisms 174 Defending DNS Data at Rest 174 Defending Resolution Data in Motion with DNSSEC 176 Summary 186 10 ATTACKER EXPLOITATION OF DNS 187 Introduction 187 Network Reconnaissance 187 Data Exfiltration 188 Detecting Nefarious use of DNS 189 Detecting Network Reconnaissance 189 DNS Tunneling Detection 190 Mitigation of Illicit DNS Use 193 Network Reconnaissance Mitigation 193 Mitigation of DNS Tunneling 193 11 MALWARE AND APTS 195 Introduction 195 Malware Proliferation Techniques 196 Phishing 196 Spear Phishing 196 Downloads 196 File Sharing 197 Email Attachments 197 Watering Hole Attack 197 Replication 197 Implantation 197 Malware Examples 198 Malware Use of DNS 198 DNS Fluxing 198 Dynamic Domain Generation 202 Detecting Malware 202 Detecting Malware Using DNS Data 203 Mitigating Malware Using DNS 206 Malware Extrication 206 DNS Firewall 207 Summary 210 12 DNS SECURITY STRATEGY 213 Major DNS Threats and Mitigation Approaches 214 Common Controls 214 Disaster Defense 214 Defenses Against Human Error 220 DNS Role-Specific Defenses 220 Stub Resolvers 220 Forwarder DNS Servers 221 Recursive Servers 221 Authoritative Servers 222 Broader Security Strategy 222 Identify Function 223 Protect Function 224 Detect Function 225 Respond Function 226 Recover Function 227 13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229 Safer Web Browsing 230 DNS-Based Authentication of Named Entities (DANE) 230 Email Security 232 Email and DNS 233 DNS Block Listing 237 Sender Policy Framework (SPF) 238 Domain Keys Identified Mail (DKIM) 242 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) 245 Securing Automated Information Exchanges 246 Dynamic DNS Update Uniqueness Validation 246 Storing Security-Related Information 247 Other Security Oriented DNS Resource Record Types 247 Summary 251 14 DNS SECURITY EVOLUTION 253 Appendix A: Cybersecurity Framework Core DNS Example 257 Appendix B: DNS Resource Record Types 285 Bibliography 291 Index 299