Before knowing DNS Security, we should know what DNS is and how it works. So first I will write about DNS then I will write about DNS Security.
What is DNS?
DNS stands for Domain Name System. Simply it’s a translator between humans and computer. Because it translates domain name to ip address.
How does it work?
Like human computer doesn’t understand names. It only understand numbers. Here is the basic of how does it work-
Here when we type malwarecare.com on web browser it asks to the DNS server for the ip address of malwarecare.com. Then the DNS search for the ip address in its list. If found then back it to the web browser. Then the web browser make request of the address to web server. Then load the web page into our web browser if web server response. Actually the DNS server works in some steps. Here are the steps-
Here when someone type www.malwarecare.com on the web browser it will go to the DNS Resolver which is provided by ISP. Then the DNS Resolver will search in its cache memory if anyone ever visited the website using the Server. If found then it will return the ip of the desired website to the browser. If not, then it will request the Root Server. But the Root server don’t know anything about ip address. But Root server knows- who knows where the malwarecare.com is. That is TLD Server. There are many TLD servers for .com/.org/.info etc. Root server provides an information to DNS Resolver where the .com TLD server is. Then the DNS Resolver request to TLD Server. But the TLD Server also don’t know anything about the ip of domain. But it keep information about domain. It knows at which Name Server the domain is stored. So the TLD server provides DNS Resolver to which Name Server should go. Then the DNS Resolver request to the Name server for the ip address. Name server knows the ip address of the domain. It search the ip address of the domain and return to DNS Resolver. DNS Resolver stores the information in cache for future use and provides the ip address to the browser.
DNS security means securing every information in DNS including secure the service and the protocol itself.
Securing DNS server: There are many kinds of DNS attack (Cache poisoning, DDOS, DNS tunneling, DNS hijacking and many more) by which hacker may exploits our valuable data. At this point DNS security comes to protect information in DNS. To ensure DNS security we can implent-
DNSSEC: When the topic ‘DNS security’ comes many of us think that DNSSEC and DNS security is same. Actually DNSSEC is a part of DNS security. DNSSEC uses asymmetric cryptography and digital signatures to ensure security in DNS. It can protect against some DNS attack (DNS cache poisoning, DNS hijacking and other DNS attacks) ensuring integrity and authenticity. But DNSSEC can’t protect against DDOS. Here is the workflow diagram of DNSSEC:
The Resolver has DNSKEY which already contains a copy of PUBZSK (Public Zone Signing Key). The root server use the ‘Private Zone Signing Key’ to generate a digital signature known as Resource Record Signature (RRSIG). The PUBZSK (ZSK public key) which already stored in the DNS Resolver is used to authenticate RRSIG. So when the Resolver request to the root server it response with RRSIG (Encrypted Hash of Data) and DS (Hash of the DNSKEY). In Resolver we already have DNSKEY (Public key, decrypts RRSIG). DNSKEY decrypt RRSIG into hash. If the hash is same as DS thenit isvalid and then the Resolver goes to the TLD Server because Root provides the information where the desired TLD server is. The TLD server also response with RRSIG and DS. As DNS Resolver already has the DNSKEY, it decrypt the RRSIG into hash. If the hash is same as DS the Resolver goes to the Name server because the TLD server provides an information at which Name server the domain is stored. Then the Name Server response with RRSIG only and provides the ip of domain. The DNSKEY again decrypt the RRSIG into hash. If the hash valid or same as the trusted anchor DNS Resolver stores the ip address for future use and send it to the browser.
DNS Firewall: A DNS firewall is a solution of Network Security which is arranged to protect users and system from interfacing known malicious internet areas. As this can only block known malicious locations, so still chances to go to a malicious location which is not known to the Firewall. DNS Firewall blocked system and users from connecting threads outside of the network. DNS Firewall works by utilizing RPZs (DNS Response Policy Zone) and ‘threat intelligence data feed’.
Anycast Routing: Anycast is a networking technique where the same ip is advertised from multiple locations. The network then decides where to route a user request based on routing protocol and server availability. Anycast routing reduce latency because it always connect the user to the closest DNS server. It also provides a level of load balancing.
Here Server A, B, C has the same ip address as well as the Name Server. The Name Server can resolve with any of the Server. But, as it always connects the user to the closest server first it will connect with Server A through Router R1. If Router R1 failed somehow it will connect with Server B through Router R2 and R3. Same to the Server C if Server B failed. The Route of Server A will be removed from routing table if Server A fail. It will not be used until it is restored.
Anycast Routing prevents DDOS attack. Because it uses multiple server for same ip address. So when a DDOS attack occurs it distributed multiple server. Thus DDOS is mitigated. Otherwise if one server is down the other servers are still active. So service will not be hampered.
DNS Resolver can also be used for security purpose of DNS. It provides some features like filtering which provides protection against malware. More advanced filtering blocks websites which contain virus. Resolver also provides botnets protection which blocks communication of known botnets.