DNS Server
Why DNS logging?
DNS traffic is one of the most important logging for continuous network security monitoring. DNS requests will be sent whenever you are sending an email or browsing a website. Therefore, with DNS logging, we can easily identify email from known phishing domain, known phishing URL, access to known malicious C2 domain and even Typosquatting domain.
In addition, there are tons of malicious ways which leverage standard DNS query to transfer payload, establish covert channel and data ex-filtration. Some interesting tools and exploits methods includes dnscat2, PowerCloud, HITB DNS’ ex-filtration presentation, Defcon Russia DNS payload for metasploit, DNSExfiltrator, Cobalt Strike’s DNS Beacon and SIGRed (CVE-2020-1350)
What Is DNS Spoofing?
DNS spoofing occurs when a particular DNS server's records of "spoofed" or altered maliciously to redirect traffic to the attacker. This redirection of traffic allows the attacker to spread malware, steal data, etc.
For example, if a DNS record is spoofed, then the attacker can manage to redirect all the traffic that relied on the correct DNS record to visit a fake website that the attacker has created to resemble the real site or a different site completely.
How does normal DNS communication work?
A DNS server is used for the purpose of resolving a domain name (such as keycdn.com) into the associated IP address that it maps to. Once the DNS server finds the appropriate IP address, data transfer can begin between the client and website's server. The visualization below shows a how this process takes place at a high level.
Once the DNS server finds the domain-to-IP translation, it will cache it so that upon subsequent requests for that domain, the DNS lookup will happen much faster. However, this is where DNS spoofing can become a real problem since a false DNS lookup can be injected into the DNS server's cache thus altering the visitors' destination.
How does DNS spoofing work?
DNS spoofing is an overarching term and can be carried out using various methods such as:
DNS cache poisoning
Compromising a DNS server
Implementing a man-in-the-middle attack
However, an attacker's end goal is usually the same no matter which method they use. Either they want to steal information, reroute you to a website that benefits them, or spread malware. The most discussed method to perform DNS spoofing is using cache poisoning which we'll explain next.
DNS cache poisoning
Since DNS servers cache the DNS translation for faster, more efficient browsing, attackers can take advantage of this to perform DNS spoofing. If an attacker is able to inject a forged DNS entry into the DNS server, all users will now be using that forged DNS entry until the cache expires. Once the cache expires, the DNS entry will return to normal as the DNS server will go through the complete DNS lookup process again. However, if the DNS server's software still hasn't been updated, then the attacker can replicate this error and continue funneling visitors to their website.
DNS cache poisoning can also sometimes be quite difficult to spot. If the malicious website is very similar to the website it is trying to impersonate, some users may not even notice the difference. Additionally, if the attacker is using DNS cache poisoning to compromise one company's DNS records in order to have access to their emails for example, then this may also be difficult to detect.
How to prevent DNS spoofing
As a website visitor, there is not much you can do to prevent DNS spoofing. Rather, this falls more in the hands of the actual DNS provider that is handling a website's DNS lookups as well as the website owner. Therefore, a few tips for site owners and DNS providers includes:
Implement DNS spoofing detection mechanisms - It's important to implement DNS spoofing detection software. Products such as XArp help product against ARP cache poisoning by inspecting the data that comes through before transmitting it.
Use encrypted data transfer protocols - Using end-to-end encryption via SSL/TLS will help decrease the chance that a website / its visitors are compromised by DNS spoofing. This type of encryption allows the users to verify whether the server's digital certificate is valid and belongs to the website's expected owner.
Use DNSSEC - DNSSEC, or Domain Name System Security Extensions, uses digitally signed DNS records to help determine data authenticity. DNSSEC is still a work in progress as far as deployment goes, however was implement in the Internet root level in 2010. An example of a DNS service that fully supports DNSSEC is Google's Public DNS.
Summary
DNS spoofing can cause quite a bit of trouble both for website visitors and website owners. An attacker's main motive to carry out a DNS spoofing attack is either for their own personal gain or to spread malware. Therefore, as a website owner, it's important to choose a DNS hosting provider that is reliable and uses up to date security mechanisms.
Furthermore, as a website visitor it's just as important that you "be aware of your surroundings" in a sense that if you notice any discrepancies between the website that you were expecting to visit and the website that you are currently browsing, you should immediately leave that website and try to alert the real website owner.
DNS traffic analysis is commonly used to:
Discover unknown devices that appear on the network;
Monitor critical devices that have not issued a query within a predefined time window;
Detect malware from young/esoteric domain lookups or consistent lookup failures; and
Analyze host, subnet, or user behavioral patterns.
Reference Links
Last updated
