DNS spoofing – How to prevent it?

The creation of the Domain Name System (DNS) in the early 1980s was a big achievement. Its design considered a vast functionality, but security was not a priority almost four decades ago. The problem is that criminals knew it, and soon they took advantage of this weak point. Criminals developed different attacks using the DNS, like the dangerous DNS spoofing. 

What is DNS spoofing?

DNS spoofing is a hacking attack. Criminals enter spoofed or forged entries or DNS records into the cache of a recursive server to respond to DNS users’ queries with a spoofed record, for instance, a forged IP address. This way, legit traffic is maliciously directed to dangerous destinations (forged websites). Once there, users can be pushed to type sensitive data (passwords, bank card details, etc.) for criminals to take advantage of later.

How to prevent DNS spoofing?

Almost forty years have passed since the creation of the DNS. Attacks have become more harmful. And with the migration of more offline services to the online world, users' sensitive data are at serious risk every day. As a website owner, protecting users' security is essential if you don't want to lose trust and clients!

Monitor and Filter the DNS traffic exhaustively.

Currently, different software alternatives for scanning all data received are available. Data are not sent unless they pass through this scanning. If the software detects something wrong, data will be stopped.

Filtering has proved to be an efficient method to detect attacks. There are different solutions on the market. Quality ones offer two-way traffic filtering at different levels like DNS, HTTPS, and HTTP.

Protect your DNS by adding DNSSEC.

DNSSEC or Domain Name System Security Extensions verifies the authenticity of the data. This suite includes digital signatures, advanced cryptography, and more methods for validating answers to domain name requests. DNSSEC makes sure that malicious redirections don’t happen.

Encryption is an efficient tool for protecting DNS data integrity, meaning DNS requests and answers. Encryption involves the use of two keys, a public and a private one. Without the private key that is in the hands of the website’s owner or administrator, criminals can’t sign their spoofed DNS records. Even if they manage to enter them into the cache, those forged records won’t be validated by the public key.

Patch your DNS servers regularly.

Servers, not only endpoints, have vulnerabilities that can be fixed by patching. Keeping patches up to date can save you problems. There are tools for automating this process.

Check whether the authoritative name server's answer matches what is answered locally.

In the past, many requests required validation of their PTR (reverse) records, but the practice has become rare. The advantage of this validation is that if the authoritative name server gives a different answer from the one returned locally, the DNS packet is marked as invalid. TCP/IP protocols can see this mark, recognize the spoofed packet and refuse it. Unfortunately, this doesn't work yet for HTTP requests.
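One way to run this comparison by hand is to capture the answer section from the authoritative server and from the local resolver and diff them. The sketch below is an added example, not code from the original article; the dig-style answer lines and addresses are constructed, and the function names are hypothetical.

```python
def parse_answers(text):
    """Parse dig-style answer lines into a set of (name, type, rdata). TTLs are dropped."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):       # skip blanks and dig comments
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"unparseable answer line: {line!r}")
        name, _ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype in ("CNAME", "NS", "PTR"):         # rdata that is itself a host name
            rdata = rdata.lower().rstrip(".")
        records.add((name.lower().rstrip("."), rtype, rdata))
    return records


def compare(local_text, authoritative_text):
    """Return the records each side has that the other does not."""
    local = parse_answers(local_text)
    auth = parse_answers(authoritative_text)
    return {"only_local": sorted(local - auth),
            "only_authoritative": sorted(auth - local)}


def is_suspicious(diff):
    """The local resolver serves data the authoritative server never published."""
    return bool(diff["only_local"])


# Constructed sample answers (addresses from documentation ranges)
AUTHORITATIVE = """
exampledomain.net. 3600 IN A 192.0.2.10
exampledomain.net. 3600 IN A 192.0.2.11
"""
LOCAL_OK = """
ExampleDomain.net. 1200 IN A 192.0.2.11
exampledomain.net. 1200 IN A 192.0.2.10
"""
LOCAL_FORGED = "exampledomain.net. 86400 IN A 203.0.113.66"

if __name__ == "__main__":
    print(compare(LOCAL_OK, AUTHORITATIVE))
    print(compare(LOCAL_FORGED, AUTHORITATIVE))
```

A mismatch is a signal to investigate rather than proof of spoofing, since load-balanced zones can legitimately return different record sets.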

Users also can prevent DNS spoofing. Remember, their sensitive data are the main target of criminals.

  • Use a VPN (virtual private network), especially if you will send sensitive data. Public networks are too risky.
  • Look for security and authenticity signs on websites before you type any data. The padlock symbol on the address bar is a good beginning.
  • Avoid strange links. Not clicking blindly can save you from dangerous traps.

Conclusion.

DNS spoofing is a big threat for website owners and users. Security technology and safe practices are a good combo to prevent it!

Use DNSSEC to boost your security.

As you know, the Domain Name System (DNS) infrastructure is the soul of pretty much everything on the Internet. There’s no web hosting, e-mail or messaging services, etc., that can exist online without the DNS.

And being that important, yes, the DNS has its Achilles heel: security. Its focus is not there, and that makes it vulnerable. But don’t worry, DNSSEC already exists! A reliable choice to boost security!

What is DNSSEC?

DNSSEC, or Domain Name System Security Extensions, is a suite of extension specifications for encrypting DNS record sets and proving which authoritative nameserver they originate from. It's not about cryptographically signing DNS requests and answers but about the owner directly signing the DNS data.

Then, if a criminal (man-in-the-middle) manages to snatch these DNS records, they will be unreadable due to the encryption.

DNSSEC serves for authentication, too, through digital signatures that use public-private key cryptography combinations. Each DNS zone owns its key pair (public/private).

A big advantage of DNSSEC is that it covers every level of the domain, from the very top, the root, all the way down to the hostname. It builds a sort of chain of trust across the whole DNS tree. Every level verifies the one below it through the combined use of the public and private keys. If there's a failure at one of the levels, the chain is broken, and the data is therefore considered unreliable.

Let's try an example of the hierarchical digital authentication DNSSEC practices. Think about an exampledomain.net lookup. The .net nameserver authenticates the zone below, which is exampledomain.net.

DNSSEC DNS record types.

DNSSEC adds the following DNS records in order to enable signature validation. 

DNSKEY. This record holds the public key that can verify RRSIG.

DS. The delegation signer record. It contains the hash of the DNSKEY record and is placed in the parent zone to verify the zone below it.

RRSIG. It holds the signature for the recordset.

NSEC, NSEC3. Used for denial-of-existence of a DNS record, and to link to the next secure record.
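The link between a parent zone's DS record and the child zone's DNSKEY, which forms each step of the chain of trust described earlier, can be shown in a few lines. This is an added example, not code from the original article: it computes the key tag and SHA-256 DS digest as defined in RFC 4034, and the key bytes are constructed placeholders rather than a real key.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS fields the parent publishes: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_matches(ds, owner, rdata):
    """True when the DNSKEY served by the child zone is the one the parent vouches for."""
    return ds == make_ds(owner, rdata)


# Constructed sample: placeholder key bytes, not a real key
ZONE = "exampledomain.net"
GENUINE = dnskey_rdata(257, 3, 13, bytes(range(64)))     # key-signing key, algorithm 13
FORGED = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))   # substituted key
PARENT_DS = make_ds(ZONE, GENUINE)                       # what the .net zone would hold

if __name__ == "__main__":
    print("DS in parent zone:", PARENT_DS)
    print("genuine DNSKEY accepted:", ds_matches(PARENT_DS, ZONE, GENUINE))
    print("forged DNSKEY accepted:", ds_matches(PARENT_DS, ZONE, FORGED))
```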

How does DNSSEC boost security?

DNSSEC boosts your security, providing you with the tools (suite) to ensure that DNS records are not altered. This strengthens your protection and decreases the chances for criminal attempts like DNS cache poisoning. When a criminal manages to alter DNS records on the fly, the client receives them and gets dragged to a different server controlled by the criminal. 

Besides, DNSSEC allows you to authenticate the source of DNS data. By now, you should know about the frequency of attacks on the DNS and the different techniques criminals use. This authentication feature is really significant. Having the certainty that data really come from the source they claim to come from, meaning the right authoritative name server, is gold. This reduces the chances of fake servers operating successfully.

If you activate DNSSEC, DNS recursive servers can verify that the data they work with really come from a legitimate source and are therefore reliable. Fake data will be discarded. And if by any chance the recursive servers can't authenticate the data, they won't use them, in order to preserve security. They will retry the authentication process to avoid using unreliable or forged data.

Conclusion.

Using DNSSEC to keep the DNS secure is a good decision. Online risks and direct attacks on the DNS are not uncommon nowadays. Of course, DNSSEC has a cost, but you know that prevention will always be cheaper than fixing the unfortunate consequences of a criminal attack.