The domain name system is incredibly vulnerable, but at the same time it can be your biggest ally in detecting threats.
When I talked to Cricket Liu, chief DNS architect at Infoblox, he pointed out that the major flaws that hit the DNS, most notably the Kaminsky flaw of 2008, were often just cache poisoning, and that the “plumbing” of the internet does not get the security attention it deserves.
With other flaws, some are implementation flaws, so we patched them and they were gone, while the Kaminsky vulnerability is systemic in DNS. “The best we could do was patch it, as we could not fix it: at its heart, it has design limitations in DNS,” he said. “So what we did was effectively add randomisation to it. The problem is that what the Kaminsky vulnerability pointed out is that if you are matching a response and spoofing it, the one major piece of randomness is a message ID that is only 16 bits, so with a lot of guesses, you get a lot of opportunities.”
I asked Liu if the DNS is on the radar of security, and he said that often the attacks on it are about cache poisoning, and when it is done successfully, it leaves no evidence other than the fact that a group has been redirected to a different website.
He said: “Usually it is breaking registrar accounts, which is not cache poisoning, or it is secured with lousy passwords. But on another level, we see DDoS attacks on the DNS infrastructure as it is prominent and high value, as you can knock them off the internet and everyone knows where they are.”
He admitted that as DNS is the plumbing of the internet, “people assume it works and only pay attention to it when it goes bad”, but we are reliant on DNS and when it goes wrong, we all feel it. “A lot of organisations do not run their own mainframe and there is not a lot you can do but use a registrar and you are at the mercy of their security,” he said.
So this system is vulnerable to DDoS, vulnerable to cache poisoning, vulnerable to flaws that cannot be fixed and used by third parties whose security we are reliant on. So how can there be any positives in this? Liu had an answer – users can use the DNS to identify when they are under attack and use a name server which can thwart attacks.
“There are two things that users are concerned about: that they are under near constant attack and there are lots of infected devices,” he said. “At this point, most organisations which are completely draconian on prohibiting non-company owned devices have to resign themselves that there are infected devices to the clean side of the network.”
Liu said that the DNS is a more combative place for malware; you cannot prevent the attack but you can neuter the malware and prevent it from doing any damage as it cannot talk to its command and control server (C&C) and does not know where to exfiltrate data to.
He said that, having spent time with CISOs on that point, he had seen tremendous uptake and success in doing that, as you have a real-time feed of data that informs people on the latest threats and the latest active drop servers and C&Cs, and lets them see what is being used maliciously.
He said: “The name server is a better place to identify threats than the firewall as malware uses the DNS to jump around IP addresses that have nothing associated with them, and can move as quickly as a person who can evade the firewall.
“To a firewall, it looks like it is coming from the name server, and it cannot triangulate the original query; the client talks to us, so we can identify the infected client.”
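As an added example (not from the article or from Infoblox), here is the kind of check Liu describes: name-server query logs matched against a feed of known C&C and drop-server domains, so that the querying client, not just the resolver, is identified. The log format (BIND-style query lines), the addresses and the feed domains are all constructed assumptions.

```python
"""Match DNS query logs against a threat feed to find infected clients.

Added example, not code from the article or from Infoblox. The log
lines, client addresses and feed domains are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed query log lines in a BIND-style "queries" log layout.
QUERY_LOG = """\
10-Jan-2024 09:14:02.113 client 10.0.5.21#51234: query: www.example.com IN A +
10-Jan-2024 09:14:05.771 client 10.0.5.21#51240: query: c2-placeholder.invalid IN A +
10-Jan-2024 09:14:06.002 client 10.0.7.9#40122: query: drop.c2-placeholder.invalid IN TXT +
10-Jan-2024 09:14:09.500 client 10.0.7.9#40130: query: mail.example.net IN MX +
10-Jan-2024 09:15:00.001 client 10.0.5.21#51250: query: drop.c2-placeholder.invalid IN A +
"""

# Constructed "threat feed" of known C&C / drop-server domains.
THREAT_FEED = {"c2-placeholder.invalid", "bad-drop.invalid"}

# Extract client IP, query name and type; the source port is ignored.
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_listed(qname, feed):
    """True if qname or any parent domain is in the feed (suffix match)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))


def find_infected_clients(log_text, feed):
    """Return {client_ip: sorted list of matched query names}.

    The name server sees the original client address, which is what the
    firewall cannot recover once the query has been forwarded.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_listed(m["qname"], feed):
            hits[m["ip"]].add(m["qname"].lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_infected_clients(QUERY_LOG, THREAT_FEED).items():
        print(f"{ip}: {', '.join(names)}")
```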
I asked Liu where DNS security goes now. He said that we patched over the Kaminsky vulnerability, but we do need to completely fix the cache poisoning opportunity, and the only way to do it is with the DNS security extensions (DNSSEC), which add cryptographic security to DNS and allow you to digitally sign the known data.
He acknowledged that the adoption of DNSSEC has been pretty slow, so I asked him if the better solution was to replace DNS with a new and improved version, as with IPv6. He said that this would be very difficult to do, as SSL benefits from a negotiation between the client and server and there is nothing like that with DNS.
“Upgrading across the internet is a gargantuan task with compatibility considerations; it is hard to fathom how hard it would be,” he said. “It is not that it is not a good idea, but the process is incredibly daunting.”
Cricket Liu, chief DNS architect at Infoblox, was talking to Dan Raywood