A Demonstration of Practical DNS Attacks and their Mitigation Using DNSSEC

Israr Khan (Letterkenny Institute of Technology, Letterkenny, Ireland), William Farrelly (Department of Computing, Letterkenny Institute of Technology, Letterkenny, Ireland) and Kevin Curran (Ulster University, London, UK)
DOI: 10.4018/IJWNBT.2020010104


The authors implement common attacks on a DNS server and demonstrate that DNSSEC is an effective solution to counter DNS security flaws. This research demonstrates how to counter the zone transfer attack by generating DNSSEC keys on the name servers: an attacker is prevented from obtaining a full zone transfer because its request for the transfer, made without the keys, is denied by the primary server. This article also provides a detailed scenario of how DNSSEC protects against the attack when an attacker attempts cache poisoning. The authors ultimately show that a DNSSEC-enabled server will not accept responses from unauthorised entities and will only accept responses that are authenticated throughout the DNSSEC chain of trust.

1. Introduction

DNS is a critical part of network and internetwork infrastructure. However, it is vulnerable, and attackers have exploited weaknesses within the protocol to launch various kinds of attacks against it (Gupta, 2018). The DNS protocol does not provide data origin authentication, and it lacks a mechanism for data integrity. Taking advantage of these weaknesses, attackers can forge DNS records and direct legitimate clients to malicious domains for their own ends. To overcome the problems of origin authentication and data integrity, DNSSEC was proposed. It is the result of focused and continuous efforts by the security community to secure the DNS protocol (Krishnaswamy et al., 2009). DNSSEC addresses these weaknesses by adding security parameters to the DNS responses from the server, which allow the client to verify that the responses originated from the intended server and that the data in the responses has not been forged. Over the past decade, attacks on the Internet and private networks have been on the rise. Attackers look for vulnerabilities within protocols and software, which in turn assist them in exploiting those vulnerabilities to launch attacks (Stergiou et al., 2016; Tewari & Gupta, 2017; Memos et al., 2017). Two of the most fundamental and common attacks against the DNS protocol are cache poisoning and man-in-the-middle (MITM) attacks. In a cache poisoning attack, the DNS server is manipulated so that it accepts and stores false data in its cache. This data does not come from an authoritative DNS server; instead it comes from a malicious user who tries to corrupt the DNS server cache by supplying false information. Best practice for DNS server administrators is to randomize the UDP source port number from which caching DNS servers send out query packets, as a mitigation against cache poisoning attacks. In effect, the UDP port used for a query should not be the default port 53, but instead a port randomly chosen from the entire range of UDP ports (less the reserved ports). This UDP source port randomization (SPR) makes it more difficult for attackers to guess query parameters (RFC5452, 2009).
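The resolver-side check that source port randomization strengthens, as an added example that is not code from the article: a response is accepted only when the port it arrives on, its transaction ID and its question section all match an outstanding query. The packet bytes are constructed here, and the count of usable ports (65536 minus the 1024 reserved ports) is an assumption.

```python
import struct

def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels: "example.com" -> b'\\x07example\\x03com\\x00'."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_response(txid: int, qname: str) -> bytes:
    """Constructed minimal DNS response: 12-byte header plus one A/IN question, no answers."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)

def parse_question(pkt: bytes):
    """Return (txid, lowercased qname) from a DNS message; raise ValueError on truncation."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated question name")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    return txid, ".".join(labels).lower()  # DNS names compare case-insensitively

def accept_response(pending: dict, dst_port: int, pkt: bytes) -> bool:
    """Accept only if (port, txid, qname) matches an outstanding query, then retire that query.

    `pending` maps (source port of the query, txid, qname) to any bookkeeping value.
    A forged response that misses on any one of the three fields is dropped.
    """
    try:
        txid, qname = parse_question(pkt)
    except ValueError:
        return False
    return pending.pop((dst_port, txid, qname), None) is not None

def blind_guess_space(randomized_ports: bool, usable_ports: int = 65536 - 1024) -> int:
    """Values an off-path attacker must guess: 16-bit TXID alone, or TXID times ports with SPR."""
    return 65536 * (usable_ports if randomized_ports else 1)
```

With SPR on, each forged response has one chance in roughly 4.2 billion of matching, versus one in 65536 when only the transaction ID varies.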

Once the DNS server cache has been corrupted, the false information remains in the cache until its Time to Live (TTL) expires. This attack has adverse effects on the clients wanting to resolve domain names through the affected server. DNS data provided by name servers lacks support for data origin authentication and data integrity. This makes DNS vulnerable to man-in-the-middle (MITM) attacks, as well as a range of other attacks (Ariyapperuma and Mitchell, 2007). In a MITM attack, an attacker can intercept and modify the network traffic between the resolver and the server. This is possible because the DNS protocol does not provide integrity checks, so the attacker can intercept and modify the data within DNS requests or responses. In 2018, a major DNS spoofing attack left the MyEtherWallet (MEW) service compromised (Nation, 2018).
