Security of DNS
What is Domain Name System (DNS)?
DNS stands for “Domain Name System”. It resolves human-readable Internet domain and host names, such as www.example.com, to machine-readable Internet Protocol (IP) addresses like “18.104.22.168”, and vice versa. The Internet is an IP network, and DNS acts as its directory or phone book. The following example illustrates how DNS works.
- When surfing the Internet, a user simply inputs a domain name, e.g. www.example.com. The computer sends a request for the IP address of “www.example.com” to a DNS resolver (usually provided by the Internet Service Provider (ISP)).
- The DNS resolver forwards the request to the authoritative DNS server to find out the corresponding IP address of the website.
- The authoritative DNS server resolves the domain name to its hosting IP address and replies to the DNS resolver.
- The DNS resolver returns the IP address of the requested domain to the computer. The DNS resolver also caches this result to answer later requests for the same domain.
- The computer connects to the IP address and directs the user to the website.
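The exchange above, at the wire level, as an added example (not code from the original page): the stub builds a DNS query for the A record of www.example.com, a constructed authoritative-style reply carries the page's example address, and the resolver parses it. The resolver-side check at the end is the basic defence a resolver applies before accepting any reply: the transaction ID and the question section must match an outstanding query, which is why resolvers also randomise IDs and source ports. The response builder and the 203.0.113.5 address in the usage note are constructed for the example.

```python
"""DNS query/response in wire format (RFC 1035), with the resolver's reply-matching check."""
import struct
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """12-byte header (RD flag set) followed by one question: A record, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels: List[str] = []
    end, jumped, hops = offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                    # a hostile packet could loop pointers
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> Dict:
    """Parse header, question and answer sections (enough for an A-record lookup)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((rname, rtype, ttl, value))
    return {"id": qid, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed authoritative-style reply: echoes the question, answers with one A record.
    Assumes the query carries exactly one question (as build_query produces)."""
    (qid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA set; rcode 0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)      # name = pointer to question
    return header + query[12:] + answer + bytes(int(p) for p in ip.split("."))


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it is a response (QR bit) whose ID and question match the query."""
    q, r = parse_response(query), parse_response(response)
    return bool(r["flags"] & 0x8000) and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    query = build_query("www.example.com", 0x1234)
    reply = build_response(query, "18.104.22.168", 300)
    print(parse_response(reply))
    print("genuine reply accepted:", response_matches_query(query, reply))
    spoofed = build_response(build_query("www.example.com", 0x9999), "203.0.113.5", 300)
    print("reply with wrong ID accepted:", response_matches_query(query, spoofed))
```

A 16-bit ID alone gives an off-path attacker a 1-in-65536 guess per reply, which is why real resolvers add source-port randomisation and, ideally, DNSSEC validation on top of this check.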
Security threats of DNS and impacts
Common Security Risks of DNS
DNS has no built-in security features, so DNS data can be tampered with. If a DNS response is tampered with, a user might be redirected to a malicious website. If the computer is then infected with malware, the information stored on it could be at risk. The following table summarises some common security risks of DNS.
| Security threat | Brief description | Impact on users |
|---|---|---|
| Typosquatting | Malicious attackers register a domain name that is almost identical to the targeted one with the aim of misdirecting users to a malicious site | Infection by malicious code embedded in the malicious site. May lead to data leakage or be further used to launch cyber attacks |
| Denial of service attack | Malicious attackers generate Internet traffic to overwhelm the target DNS server with the aim of degrading or breaking down the DNS service | May fail to access Internet services due to the degraded performance or unavailability of the DNS service |
| Cache poisoning | Malicious attackers exploit vulnerabilities in DNS servers to inject fraudulent information that can re-route users to a malicious site | Infection by malicious code embedded in the malicious site. May lead to data leakage or be further used to launch cyber attacks |
| DNS spoofing | Malicious attackers impersonate a DNS reply with fake information so as to redirect users to a malicious site | Infection by malicious code embedded in the malicious site. May lead to data leakage or be further used to launch cyber attacks |
How to address DNS threats
To avoid falling victim to DNS threats, measures can be adopted at different levels. Internet service providers should consider adopting Domain Name System Security Extensions (DNSSEC), while users can consider adopting a secure DNS-resolving service on their end devices.
Domain Name System Security Extensions (DNSSEC)
Domain Name System Security Extensions (DNSSEC) enhances security by validating the DNS data of a domain name during the IP address lookup. It uses cryptographic signatures to confirm that the DNS data received is genuine. DNSSEC helps ensure (i) data integrity and (ii) authenticated origin of DNS data, and thus helps prevent an attacker from redirecting users (at the DNS level) to a fake website. However, the domain must be DNSSEC-enabled and the DNS resolver must be DNSSEC-aware for this protection to apply.
How does DNSSEC protect an Internet user?
- When a user tries to browse a DNSSEC-enabled domain, the DNSSEC-aware DNS resolver forwards the request to the authoritative DNS server.
- The authoritative DNS server returns the IP address together with a digital signature.
- The DNS resolver verifies the digital signature to ensure the DNS data has not been tampered with.
- If an attacker intercepts the response and passes a fake one to the DNS resolver, the signature verification fails and the resolver discards the fake information.
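The signature check above only means something if the resolver can tell that the signing key really belongs to the domain. DNSSEC does this with a chain of trust: the parent zone publishes a DS record, which is a hash of the child's DNSKEY, and the resolver recomputes that hash before trusting the child's key. The added example below (not code from the original page) implements that link as specified in RFC 4034: the DNSKEY key tag, the DS digest over the canonical owner name plus DNSKEY RDATA, and the check that a tampered key no longer matches the parent's DS. Verifying the RRSIG signature itself needs asymmetric cryptography that is outside the standard library, so it is not shown; the key bytes and DS values here are constructed placeholders, not real records.

```python
"""DNSSEC chain-of-trust link: does the parent's DS record endorse the child's DNSKEY? (RFC 4034)"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DS = Tuple[int, int, int, bytes]   # (key tag, algorithm, digest type, digest) as in a DS record


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, zero terminator."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum used to pick the candidate key quickly."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 5.1.4): hash(canonical owner name || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(canonical_name(key.owner) + key.rdata()).digest()


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """What the zone operator hands to the parent (via the registrar) for publication."""
    return key_tag(key.rdata()), key.algorithm, digest_type, ds_digest(key, digest_type)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Resolver-side check: tag and algorithm agree and the recomputed digest equals the DS digest."""
    tag, alg, dtype, digest = ds
    if tag != key_tag(key.rdata()) or alg != key.algorithm:
        return False
    return hmac.compare_digest(digest, ds_digest(key, dtype))


def find_trusted_key(ds_set: Iterable[DS], dnskey_set: Iterable[DNSKEY]) -> Optional[DNSKEY]:
    """Return the first child DNSKEY endorsed by any parent DS, or None if the chain is broken."""
    for ds in ds_set:
        for key in dnskey_set:
            if ds_matches(ds, key):
                return key
    return None


if __name__ == "__main__":
    # Constructed placeholder key material; a real P-256 key is 64 bytes of curve point.
    ksk = DNSKEY("example.com.", 257, 13, bytes(range(32)))
    parent_ds = make_ds(ksk)
    print("key tag:", parent_ds[0], "digest:", parent_ds[3].hex())
    print("genuine key trusted:", find_trusted_key([parent_ds], [ksk]) is ksk)
    forged = DNSKEY("example.com.", 257, 13, bytes(range(31)) + b"\xff")
    print("forged key trusted:", find_trusted_key([parent_ds], [forged]) is not None)
```

Because the DS lives in the parent zone (and is itself signed there, up to the root trust anchor), an attacker who substitutes their own DNSKEY in a spoofed reply cannot make the resolver's recomputed digest match, so the whole answer is rejected.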
Is a domain DNSSEC-enabled?
You may check whether a domain is DNSSEC-enabled by:
- Using the WHOIS service available at https://www.hkirc.hk for domains under the “.hk” top-level domain.
- Using the DNSSEC analyser available at https://dnssec-debugger.verisignlabs.com/ for other domains.
Secure DNS-resolving service
Whether or not DNSSEC is enabled, users should protect themselves from attackers' traps by adopting a secure DNS-resolving service. Such a service automatically reviews each requested domain and blocks known malicious domains.
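The added example below (not code from the original page or from any named service) shows the kind of policy a secure resolver applies to each requested domain, covering both the blocklist behaviour described here and the typosquatting threat from the table above: an exact or subdomain match against a blocklist, and a lookalike check that normalises common character substitutions (0/o, 1/l, rn/m) and measures edit distance against a watchlist of protected domains. The lists, the two-label "registrable domain" shortcut and the thresholds are assumptions for the example; a production service would use curated threat feeds and a public-suffix list.

```python
"""Resolver-side domain policy: blocklist suffix match plus lookalike (typosquat) detection."""
from typing import Iterable, Optional

# Constructed sample lists for the example only.
BLOCKLIST = {"malware-download.example", "phish.example.net"}
WATCHLIST = {"example.com", "hkirc.hk", "quad9.net"}

# Character sequences commonly swapped in lookalike names; normalised before comparing.
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    d = domain.lower().rstrip(".")
    for lookalike, genuine in CONFUSABLES:
        d = d.replace(lookalike, genuine)
    return d


def registrable(domain: str) -> str:
    """Last two labels; a stand-in for a public-suffix lookup (simplification assumed here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_blocked(domain: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """Block a listed domain and its subdomains; label boundary only, never a substring match."""
    d = domain.lower().rstrip(".")
    return any(d == entry or d.endswith("." + entry) for entry in blocklist)


def lookalike_of(domain: str, watchlist: Iterable[str] = WATCHLIST,
                 max_distance: int = 1) -> Optional[str]:
    """Return the protected domain this name imitates, or None (genuine domains pass)."""
    reg = registrable(domain)
    if reg in watchlist:
        return None
    norm = normalize(reg)
    for brand in sorted(watchlist):
        if edit_distance(norm, normalize(brand)) <= max_distance:
            return brand
    return None


def resolver_policy(domain: str) -> str:
    """Decision a filtering resolver would make before answering (or refusing) the query."""
    if is_blocked(domain):
        return "BLOCKED: on blocklist"
    brand = lookalike_of(domain)
    if brand:
        return f"BLOCKED: lookalike of {brand}"
    return "ALLOW"


if __name__ == "__main__":
    for name in ("www.example.com", "login.examp1e.com", "exarnple.com",
                 "cdn.malware-download.example", "notphish.example.net"):
        print(f"{name:32} {resolver_policy(name)}")
```

Two details matter in practice: the blocklist match is anchored at a label boundary (so notphish.example.net is not caught by an entry for phish.example.net), and the genuine domain and its subdomains are exempted before the lookalike test, otherwise the protected brand would block itself.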
How to adopt secure DNS-resolving service?
Some secure DNS-resolving services, e.g. Quad9 and OpenDNS, are available to home users for free.
Details on how to configure Quad9 on Windows are available at https://www.quad9.net/#/setup/microsoft
Details on how to configure Quad9 on MacOS are available at https://www.quad9.net/#/setup/apple
Details on how to configure OpenDNS on different platforms such as home routers, Windows and MacOS, and some smart devices are available at https://support.opendns.com/hc/en-us/categories/204012907-OpenDNS-Device-Configuration
Cyber Security Information Portal – Safeguarding your Domain Name with Domain Name System Security Extensions (DNSSEC)
HKIRC - DNSSEC
ICANN - DNSSEC
Internet Society – DNSSEC Basics