Nisarg Naik

What you don't know about DNS and its risks

There is a popular phrase that it is always DNS, even when it may not seem that way at first. DNS issues come in every shape and form, including some often-overlooked security issues.

DNS is the abbreviation for Domain Name System. It is still described as the phonebook of the Internet, although by now many people are more familiar with the basic workings of DNS than with the outdated paper phone book.

DNS does more than convert names into numbers, though. It lets the domain owner answer questions that others cannot answer on their own, such as which servers receive the domain's mail or which public key DKIM uses. In some cases, DNS is used to publish a specific response in order to prove ownership of the domain.

DNS security is therefore critical to how the Internet works today. The bad news is that, of the CIA security triad (confidentiality, integrity and availability), DNS on its own offers none.

DNS requests and responses are sent in plaintext, so your ISP, or any organization able to tap Internet cables, can see which requests your devices are making. They can also change the answers or block them altogether.

Such eavesdropping is not the end of the DNS security concerns, however. Changing the DNS response when someone tries to reach a banking or webmail site can turn into a successful phishing attack. Thankfully, the widespread availability of HTTPS and the processes around it means that in such cases the browser will usually show an error rather than display the fake website.

When a DNS lookup is made, the answer ultimately comes from the so-called authoritative name server, the server that is authorized to provide DNS responses for the domain. Through the interface of the domain registrar (the business with which the domain is registered), the domain owner can assign one or, usually, several servers as authoritative. They can also set the responses to be given, for example the IP address of the hosted website or the names of its mail servers.

The security risk here is obvious: what if it is not the domain owner but an attacker who has access to the registrar's web interface?

As mentioned, being able to send users to a fake website is often not enough to defraud them, because of the other protections in place. But it turns out that many of those protections ultimately rely on DNS as well.

In particular, to obtain a TLS certificate, which is what proves to browsers that an HTTPS website is genuine, one needs to be able to serve a specific DNS response, host a specific file on the website, or reply to an email sent to an address at the domain. For this, the attacker must be able to control all DNS responses, not just those seen on a particular network, but that is exactly what they get when they take over the registrar account. Even short-lived access is enough here.

Although there are ways to protect registrar accounts (two-factor authentication is the obvious one), protecting against attacks from inside the registrar is very difficult. Organizations for which these attacks are most dangerous may want to consider running their own authoritative servers, so that they at least fully control that part of their DNS security.

That does not stop an attacker with access to the registrar account from switching the authoritative servers (which can make reverting any changes much more difficult), but this is where a registrar lock can make a big difference.
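As an added example (not code from the original post), a small baseline-drift check that would flag the kind of registrar-level change described above: it compares the NS, MX, CAA and TXT records last seen for a domain with a known-good baseline and reports what changed. It reads dig-style answer lines; all sample records below are constructed, and `example-dns.net` and `rogue-dns.example` are placeholder names.

```python
from collections import defaultdict

# Record types the article singles out: NS (who answers for the zone), MX (where mail
# goes), CAA (which CAs may issue) and TXT (DKIM keys, CA validation tokens).
WATCHED = {"NS": "critical", "MX": "high", "CAA": "high", "TXT": "medium"}

def parse_answers(text):
    """Parse dig-style lines 'name TTL IN TYPE rdata' into {(name, type): set(rdata)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank or comment line
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        records[(name, rtype)].add(rdata)
    return dict(records)

def detect_drift(baseline, observed):
    """Return (severity, name, message) for every watched record set that differs."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        if rtype not in WATCHED:
            continue
        before, after = baseline.get((name, rtype), set()), observed.get((name, rtype), set())
        if before == after:
            continue
        if name.startswith("_acme-challenge.") and not before:
            findings.append(("medium", name, "new DNS validation token published"))
        elif not after:
            findings.append((WATCHED[rtype], name, f"{rtype} records removed"))
        else:
            findings.append((WATCHED[rtype], name,
                             f"{rtype} changed: {sorted(before)} -> {sorted(after)}"))
    return findings

# Constructed sample data (no real lookups): the records the owner set up, then what
# a later lookup returns after someone altered the zone through the registrar.
BASELINE = """\
example.com.  3600  IN  NS   ns1.example-dns.net.
example.com.  3600  IN  NS   ns2.example-dns.net.
example.com.  3600  IN  MX   10 mail.example.com.
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
"""
OBSERVED = """\
example.com.  300  IN  NS   ns1.rogue-dns.example.
example.com.  300  IN  NS   ns2.rogue-dns.example.
example.com.  300  IN  MX   10 mail.example.com.
_acme-challenge.example.com.  60  IN  TXT  "constructed-token-value"
"""
```

Feed `detect_drift(parse_answers(BASELINE), parse_answers(OBSERVED))` the output of `dig +noall +answer` for each watched name on a schedule; on the constructed sample it reports the NS change as critical, the removed CAA record as high and the new validation token as medium.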

DNS is one of the screws that hold the Internet together. Recent additions have made it much safer, but there are always weak points that are easily overlooked and could put the Internet at risk. Any security-conscious organization should pay more attention to DNS issues.
