Domain Name Systems (DNS) is a hierarchical naming system built on a distributed database that resolves hostnames such as (www.google.com) into Internet Protocol (IP) addresses (220.127.116.11). While it is simple for computers to understand, read and process such data, it is very difficult for humans to remember. To help solve this issue, a numeric IP address was attached to every domain name and these are stored and accessed on special servers known as domain name servers. The diagram below shows the DNS database organised in an inverted logical tree called the Domain Namespace. Each node in the tree has a special value and the top of the tree is known as the Root (.) and is represented by a period.
When DNS was first introduced and implemented, it was not very secure and later several vulnerabilities were discovered. There are numerous ways in which DNS can be exploited by attackers.
Some types of DNS attacks are:
- Zero-day attack – this is where an attacker exploits previously unknown vulnerability in the DNS server software
- Cache poisoning – an attacker corrupts the DNS server by replacing a legitimate IP address in the server’s cache with another to redirect traffic to a malicious website to collect information or initiate other attacks. It is also referred to as DNS poisoning
- Denial of Service – this type of attack is where a malicious bot sends more traffic to a targeted IP address and this target becomes unable to resolve legitimate requests.
- DNS amplification – an attacker takes advantage of a DNS server that allows recursive lookups and utilises recursion to spread their attack to other DNS servers.
- Fast-Flux DNS – the attacker swaps DNS records in and out extreme frequency to redirect DNS requests and avoid detection.
To help solve these issues a security system was developed in the forms of extensions that could be added to the existing DNS protocols. These extensions were known as Domain Name Systems Security Extensions (DNSSEC).
Join us for next week’s Blog Post when we take a look at Domain Name Systems Security Extensions (DNSSEC).