1. CloudShield DNS Security Tip Guide, Rev 121113 | Page 1
Enhance your DNS (Domain Name Services) security management by
reading this guide that covers these three topics: security layering, DNS
traffic management to mitigate DDoS (Distributed Denial of Service)
attacks, and understanding the role DNS plays in the growing problem of
advanced malware attacks. This is a must-read for DNS security
professionals that manage large networks.
DNS Security Tip Guide
THREE AREAS FOR BETTER DNS PROTECTION
OVERVIEW
DNS security tips to consider
In this guide, we’ll cover three main areas of DNS protection.
1. Security Layering
Having outer, middle, and inner layer defense mechanisms in place provides in-depth DNS protection.
2. DNS Traffic Management to Mitigate DDoS Attacks
Security administrators must have a way to manage DNS traffic under heavy load conditions to keep the DNS infrastructure operating within its designed conditions.
3. The Interaction of DNS and Advanced Malware Attacks
DNS is increasingly recognized as a vector for advanced malware attacks. It is imperative for DNS and security administrators to understand the role of DNS in this growing problem.
DNS protection is crucial
The DNS (Domain Name Services) protocol was created in
1982 as a method to implement a scalable system capable
of automatically mapping the growing number of host
numerical addresses to text-based names.
You might know that DNS was created to replace or
supplant the hosts.txt file. At the time DNS was created,
security was not a core design consideration. Protocols
and services dependent on the DNS architecture are still
evolving rapidly, as evidenced by the issuance of RFC
7075 in November 2013. Periodically, various security
solutions have been proposed, such as DNSSEC (DNS
Security Extensions), which provides authenticity.
DNS is core to the fabric of the Internet and is your
Achilles’ heel. Without DNS service, there is no Skype, no
Facebook, no Twitter, no Instagram, no CNN, and no
Google.
Without DNS, there is no Internet. As critical as DNS is to
the Internet, it remains insufficiently secure and in many
cases, insufficiently robust in the face of protocol-specific
and denial of service attacks. This needs to change.
No silver bullet
Security professionals are familiar with the three main
pillars of information or network security:
» Availability: the information must be available at all times.
» Integrity: the information shall not be tampered with by non-authorized persons.
» Authenticity: the information must come from authentic sources.
DNS should be no different and should follow these
same pillars. DNS service must be available provided
with integrity and authenticity. How can this be
achieved?
One thing we must accept up front: there is no silver
bullet for DNS protection. It is a layered approach
including people, process, and technology. Security
professionals need to understand the type of
infrastructure they are trying to protect, their business
needs, and the threats targeted against their systems.
They must design the infrastructure accordingly and
have skilled people to monitor and manage it.
SECURITY LAYERING
DNS security strategy
Your general DNS security strategy should include in-depth protection and a variety of options at each line of defense. Choose solutions that match your business needs, risk aversion level, and budget. Several companies that had major customer-impacting DNS outages thought they could handle attack situations through a combination of DDoS filtering solutions and over-provisioning. Sadly, this is not enough. Consider how you will protect your outer, middle, and inner DNS infrastructure.
Layer 1
Outer layer DNS defense tactics
At least two outer layer defense tactics have proven successful.
1. If your IT infrastructure includes multiple data
centers, consider spreading out your DNS servers
and using Anycast as a network-wide load
balancer.
2. Use a commercial DDoS filtering or cleaning
vendor. This will reduce the volume of DDoS traffic,
but understand that such solutions seldom
completely stop attacks.
These approaches, both proven successful with ISPs,
can benefit larger enterprises.
Layer 2
Middle layer DNS defense tactics
A middle layer of defense may apply to a wide range of verticals, depending on the size and scale of their Internet-facing infrastructure, such as mail and web servers.
This method involves configuring routers to allow traffic only from approved IP ranges. This defense may be impractical if legitimate traffic can come from many public sources. Routers can also be configured to drop or rate-limit certain kinds of traffic, or to carry traffic from likely attacking countries over slower links.
The administrative cost of keeping traffic policies current is a potential downside of this tactic.
Layer 3
Inner layer DNS defense tactics
Your inner layer defense is your last stand. A typical large scale DDoS attack can generate 20 to 300 Gb of attack traffic spread across multiple sources. Assuming that your edge routers can forward this amount of traffic, multiple gigabytes of DDoS traffic will penetrate your outer and middle defenses. Your inner DNS layer of defense must handle the attack.
For example, assume a typical 100 byte DNS query. A 1 Gb link has roughly 1,000,000 queries per second (QPS) capacity. When under attack, DDoS query traffic will skyrocket from thousands to millions of QPS. Your recursive DNS servers can typically handle 50,000 to 100,000 QPS. Your DNS servers will be overwhelmed and unable to respond properly. Much of your business might stop when your DNS servers stop working. Multiple, redundant 1 Gb links compound the problem.
There are solutions to protect your inner layer. A truly effective DNS solution will examine traffic before any DNS
processing takes place. All the rejection and limiting of attack traffic should happen before hitting your DNS servers. To do
this, you need a specialized DNS firewall that can:
1. Handle higher volume traffic than your DNS servers
2. Improve DNS response times (some solutions are performance neutral or add latency)
3. Add stateful tracking to recursive UDP (User Datagram Protocol) DNS queries to prevent amplification attacks
and cache poisoning
4. Validate DNS traffic
Specialized DNS firewalls
Just as boundary and application firewalls have evolved to offload security functions from the applications they protect, it
is now time for specialized DNS firewalls to do the same. As attack methods get more sophisticated, your DNS protection
needs to be several steps ahead. The DNS security layering method will help better prepare and strengthen your
infrastructure.
DNS TRAFFIC MANAGEMENT
Popular methods
Overprovisioning and traffic management with rate
limiting are two of the most popular methods used by
network administrators to protect against distributed
denial-of-service (DDoS) attacks powered by
techniques like DNS amplification and DNS reflection.
Overprovisioning can be as simple as deploying more
machines to increase the capacity of the DNS server
farm in order to support regular traffic load and absorb
peak load generated by an attack. Although this
approach is interesting from the DNS application or
hardware vendor point of view, in many cases this is
not true for the DNS provider.
The reason is that overprovisioning doesn’t mean
simply more DNS servers. It means more rack space,
power consumption, cooling, and additional
complexity and resources for operating and managing
the DNS infrastructure – a big capital outlay. To really
make it work right, additional capital might be required
for load balancing. At the end of the day, you’re just
putting more soldiers out to be harmed instead of
arming them to improve their effectiveness.
The economic factor aside, overprovisioning can also have negative technical impacts. One side effect of adding machines is a reduction in the overall cache hit rate and a consequent increase in DNS latency.
DNS rate limiting is commonly considered the most
effective defense against DDoS attacks since it gives
network operators some control on the traffic reaching
and leaving the DNS server farm.
Three ways to use DNS traffic management with rate limiting for protection
Method 1
Rate limit by source IP address
Rate limiting by source IP address allows setting the number of DNS queries per time slot that can be accepted from a particular IP or subnet, blocking any attack or misuse that sends DNS requests above the configured threshold.
This throttling mechanism will require the attacker to spoof a much larger IP address range in order to reach the query rate necessary for the attack to succeed. Before enforcing the rate limit rules on your network, you should test these rules in monitor or test modes where potentially offending requests are not actually dropped, only logged. Testing will help identify the traffic patterns of your network and provide confidence that the rate-limiting rules will not harm legitimate traffic. Simple rate limiting in this form might not work for authoritative DNS servers since the source IP addresses that can reach your DNS server are unknown. This form is best suited for recursive servers.
For authoritative DNS servers, we recommend DNS response rate limiting, available in BIND9. Aggregate rate limits can also be used to prevent surges in DNS traffic from flowing through the DNS network.
Method 2
Rate limit by destination IP address
The destination IP address rate limit is useful when the operational load limit of a DNS server is known and you don’t want to reach this limit in order to avoid unpredictable and undesirable behaviors caused by an overloaded DNS server.
By using this type of rate limiting, you can specify the maximum number of queries that can reach each DNS server in the server farm, dropping any additional traffic above this threshold (that would be discarded anyway), and thus protecting the DNS server from being overwhelmed by receiving more queries than it can handle.
Destination rate limiting is also a key to being an upright member of the community. It prevents you from becoming an unlimited amplifier in reflection DDoS (RDDoS) attacks by limiting the amount of upstream traffic that is sent out.
Method 3
Rate limit by DNS query type
When more fine-tuned rate limiting is necessary, specify rules based on DNS query type. There are different types of DNS queries; some of them are much more common than others, for example, type A, AAAA, and pointer (PTR) queries. This type of rate limiting can be used to block critical deviations from the average DNS query type distribution that can be considered an important indication of an attack.
It’s possible, for example, to specify rules to enforce that a particular IP address or subnet can only send five requests of type A, two requests of type AAAA, two requests of type PTR, and one request of the remaining types. In this last example, the query type rate limit is used in conjunction with source IP address rate limiting in order to have fine-grained control over the DNS traffic. As mentioned with the source IP address rate limit, running the rules in monitor or test mode before enforcement mode is strongly recommended.
Implementing traffic management with rate limiting
CloudShield DNS Defender® offers several mechanisms for rate-limiting, including those discussed above. Since rate limiting carries risk, DNS Defender supports monitor or log-only modes so that rules can be safely tested and the results on real traffic analyzed before being actually enforced on the network. The monitor mode and rule set modifications can be applied in seconds with minimal impact on traffic.
Flexibility is essential
No matter which type of rate limit you want to use or how you implement it, it’s important to have a DNS defense infrastructure with the ability to offer and combine all types of rate limiting. This will provide you the flexibility to use any combination to better protect your DNS service from the ever-changing DNS attack landscape.
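The three rate-limiting methods above, combined with the monitor-before-enforce workflow the guide recommends, as an added example that is not CloudShield's or DNS Defender's code. The subnets, server address, limits and burst traffic are constructed values; the limiter counts queries per one-second window, and in enforce mode a query dropped by a source or query-type rule is not counted against the destination server, since it never reaches it.

```python
"""Added example (not CloudShield's code): a simplified DNS query rate
limiter combining the three rule types on this page, per source subnet
(Method 1), per destination server (Method 2) and per query type (Method 3),
with the monitor (log-only) mode the guide recommends before enforcement.
All limits, addresses and sample traffic below are constructed values."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 1  # limits are "queries per one-second time slot"


class DnsRateLimiter:
    def __init__(self, source_rules, server_max_qps, monitor_mode=True):
        # source_rules: (subnet, max_qps, {qtype: max_qps, ..., "OTHER": max_qps})
        self.rules = [(ip_network(n), q, t) for n, q, t in source_rules]
        self.server_max_qps = {ip_address(s): q for s, q in server_max_qps.items()}
        self.monitor_mode = monitor_mode
        self.counters = defaultdict(int)  # (kind, key..., window) -> queries seen
        self.log = []

    def _over(self, key, limit):
        """Count one query against `key`; True once the window limit is exceeded."""
        self.counters[key] += 1
        return self.counters[key] > limit

    def handle(self, src, dst, qtype, ts):
        """Return 'accept', 'log' (monitor mode) or 'drop' (enforce mode)."""
        src, dst, win = ip_address(src), ip_address(dst), int(ts // WINDOW_SECONDS)
        hits = []
        for net, max_qps, per_qtype in self.rules:
            if src not in net:
                continue
            if self._over(("src", net, win), max_qps):                      # Method 1
                hits.append("source-ip")
            bucket = qtype if qtype in per_qtype else "OTHER"
            if self._over(("qtype", net, bucket, win), per_qtype[bucket]):  # Method 3
                hits.append("qtype:" + bucket)
            break
        # Method 2: in enforce mode a query dropped above never reaches the
        # server, so it must not be counted against the server's own limit.
        if self.monitor_mode or not hits:
            limit = self.server_max_qps.get(dst, float("inf"))
            if self._over(("dst", dst, win), limit):
                hits.append("destination-ip")
        if not hits:
            return "accept"
        verdict = "log" if self.monitor_mode else "drop"
        self.log.append(f"t={ts:.2f} {src} -> {dst} {qtype} {verdict} [{','.join(hits)}]")
        return verdict


def run_sample(monitor_mode):
    """Replay a constructed one-second burst and tally verdicts for one mode."""
    limiter = DnsRateLimiter(
        source_rules=[("192.0.2.0/24", 8, {"A": 5, "AAAA": 2, "PTR": 2, "OTHER": 1})],
        server_max_qps={"198.51.100.53": 10},
        monitor_mode=monitor_mode,
    )
    burst = ([("192.0.2.10", "A")] * 6 + [("192.0.2.10", "TXT")] * 3
             + [("203.0.113.5", "A")] * 4)  # 203.0.113.5 matches no source rule
    tally = defaultdict(int)
    for i, (src, qtype) in enumerate(burst):
        tally[limiter.handle(src, "198.51.100.53", qtype, i * 0.05)] += 1
    return dict(tally), limiter.log
```

Running the same burst in monitor mode shows the destination limit being hit only because nothing is dropped upstream, which is exactly the difference a log-only trial run is meant to reveal before rules are enforced.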
DNS & ADVANCED MALWARE ATTACKS
Figure 1: Steps of an advanced malware attack that use the DNS protocol: 1. Initial recon; 2. Initial compromise; 3. Establish foothold; 4. Escalate privileges; 5. Internal recon; 6. Move laterally; 7. Data exfiltration.
Use of DNS for advanced malware attacks
Hype around advanced malware attacks, sometimes referred to as APT (Advanced Persistent Threats), received a boost in February 2013 following the release of the APT1 report by the security company Mandiant.
Based on seven years of research, data collection, and analysis of
information from nearly 150 organizations all around the world, the
report concludes that the APT1 group behind the long-running and
extensive cyber-espionage campaign is likely sponsored by the
Chinese government.
Not surprisingly, this report has a whole section regarding Domain
Name System (DNS), revealing the domain names and zones
registered and used by the group during the attack.
An important piece of the puzzle
Almost every step in the advanced malware life cycle relies on some sort of DNS manipulation.
Although DNS is mainly used to hide the IP addresses of the remote
servers used by the attacker, its use goes far beyond that.
From source of information to an available channel for external
communication, there are several malicious ways of using DNS in an
APT attack.
Figure 1 (above) lists the steps of an advanced malware attack in which the DNS protocol is used.
1. Initial reconnaissance
The fact that DNS stores the addresses of important elements of the network infrastructure, like mail and web servers, makes it an important source of information for attackers to help map the victim network and identify possible targets.
In some cases, due to misconfigurations or vulnerabilities on the DNS server, attackers may also access internal information about the network and its devices.
2. Initial compromise
For the initial compromise step, the most common tactic is email phishing. An email with a specially crafted message that contains a malicious attachment, downloadable file, or link to a website is sent to specific individuals in a targeted organization.
In all these cases, DNS is used to find the IP address associated with the link in the email or embedded in the malicious document, pointing to the remote server where the malware is located.
3. Establish foothold
This step is accomplished by installing backdoors and making an outbound connection to establish a command and control (C&C) channel back to the attacker’s computer outside the network.
C&C channels can leverage several techniques to stay under the radar, like the use of well-known and commonly used UDP/TCP ports, encoding or encrypting the communication, and using “non-suspect” protocols like HTTP and DNS.
4. Escalate privileges
After initial access to the victim machine, the attacker uses operating system commands and other tools to gather information on both the machine and the network.
The goal is to find credentials to bypass system controls and allow access to other resources on the network.
5. Internal reconnaissance
After expanding control over the initially compromised machine, the attacker needs to perform internal reconnaissance to locate the targets.
Again, DNS can play a malicious role by providing useful information for the attacker to help identify and locate important resources on the network.
6. Move laterally
With some credentials in hand, the attacker expands control over other machines on the network, moving closer to systems with access to target or valuable information.
How can you turn DNS into an ally against APTs?
Ironically, the fact that attackers rely heavily on DNS to accomplish several tasks during an advanced malware incursion
is exactly what allows it to be used as an important defense against this type of attack.
DNS data analysis, domain name blacklisting powered by external threat intelligence feeds, and policy enforcement for
DNS traffic are some of the techniques that can be used to detect and block malicious activities on the network.
Advanced malware attacks are complex and always evolving. A comprehensive set of resources is required on the defensive side to provide the capabilities to detect and defend. Specialized DNS firewalls like CloudShield DNS Defender®, coupled with advanced data analysis tools, are an important piece of this defense strategy.
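The three defensive techniques just named (threat-intelligence blocklisting, DNS data analysis and policy enforcement on DNS traffic) applied to resolver logs, as an added example that is not CloudShield's or DNS Defender's code. The feed entry, log line format, client addresses, zones and thresholds are all constructed; the data-analysis rules flag the query patterns the attack steps above produce: high-entropy labels and subdomain churn for tunnelled C&C or exfiltration, and NXDOMAIN bursts for internal reconnaissance.

```python
"""Added example (not CloudShield's code): resolver log analysis applying the
three defensive techniques named above (threat-intelligence blocklisting,
DNS data analysis and query-type policy enforcement) to constructed sample
log lines. Feed entries, log format, thresholds and addresses are made up."""
import math
import re
from collections import defaultdict

BLOCKLIST = {"bad-c2.example"}               # constructed threat-intel feed entry
POLICY_DENY_QTYPES = {"TXT", "NULL", "ANY"}  # constructed policy: rare for clients
LOG_RE = re.compile(r"^\S+ client (?P<src>[\d.]+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$")

SAMPLE_LOG = """\
12:00:01 client 10.0.0.7 query www.example.com. A NOERROR
12:00:03 client 10.0.0.9 query beacon.bad-c2.example. A NOERROR
12:00:04 client 10.0.0.9 query k7x2mq9vbt4hz8wn3pc6rj5fy0ls.tunnel.example. TXT NOERROR
12:00:05 client 10.0.0.9 query q2w8e4r6t0y9u1i3o5p7a3s5d7f9.tunnel.example. TXT NOERROR
12:00:06 client 10.0.0.9 query z9x7c5v3b1n8m6l4k2j0h9g7f5d3.tunnel.example. TXT NOERROR
12:00:08 client 10.0.0.12 query srv01.corp.example. A NXDOMAIN
12:00:09 client 10.0.0.12 query srv02.corp.example. A NXDOMAIN
12:00:10 client 10.0.0.12 query srv03.corp.example. A NXDOMAIN
12:00:11 client 10.0.0.12 query srv04.corp.example. A NXDOMAIN
""".splitlines()

def shannon_entropy(label):
    """Bits per character; encoded payload labels score far above hostnames."""
    probs = [label.count(ch) / len(label) for ch in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def is_blocklisted(qname):
    name = qname.rstrip(".")
    return any(name == z or name.endswith("." + z) for z in BLOCKLIST)

def analyse(lines, max_nxdomain=3, max_subdomains=2, max_entropy=3.5):
    """Return {finding_type: [(client, evidence), ...]} over resolver log lines."""
    findings = defaultdict(list)
    nxdomain_by_src = defaultdict(int)
    subdomains = defaultdict(set)  # (client, zone) -> distinct leftmost labels
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, qname, qtype, rcode = m["src"], m["qname"], m["qtype"], m["rcode"]
        labels = qname.rstrip(".").split(".")
        if is_blocklisted(qname):                       # threat-intel blocklisting
            findings["blocklist"].append((src, qname))
        if qtype in POLICY_DENY_QTYPES:                 # policy enforcement on qtype
            findings["policy-qtype"].append((src, qtype + " " + qname))
        if rcode == "NXDOMAIN":                         # failed internal-recon lookups
            nxdomain_by_src[src] += 1
        if len(labels) > 2:                             # crude zone cut: last two labels
            zone, first = ".".join(labels[-2:]), labels[0]
            subdomains[(src, zone)].add(first)
            if len(first) >= 20 and shannon_entropy(first) > max_entropy:
                findings["high-entropy-label"].append((src, qname))  # tunnel/exfil
    for src, n in nxdomain_by_src.items():
        if n > max_nxdomain:
            findings["nxdomain-burst"].append((src, n))
    for (src, zone), names in subdomains.items():
        if len(names) > max_subdomains:
            findings["subdomain-churn"].append((src, zone))
    return dict(findings)
```

A real deployment would take the zone cut from a public-suffix list and tune the thresholds against a baseline of the network's own traffic, in the same monitor-first manner the rate-limiting section recommends.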
7. Data exfiltration
The final goal of the attacker is to get access to sensitive or confidential information, like intellectual property, personally identifiable information (PII), and credentials. When this information is finally found, the attacker needs to find a way to send it outside the network. Standard protocols like FTP and custom protocols can be used to accomplish this task. DNS is one available protocol that can also be used for this purpose.
Summary
The DNS Security Tip Guide has covered the importance of DNS and three ways to help mitigate the risk of business-disrupting attacks on your DNS infrastructure:
1. A layered DNS security strategy
2. DNS traffic management to handle Distributed Denial of Service (DDoS) attacks, and
3. The role of DNS in the growing problem of advanced malware attacks.
Understanding these will enable you to be a better DNS and/or security administrator and determine ways to ensure the strength and resilience of the DNS technology upon which your business depends.
With this information in hand, you can search for solutions to enhance your DNS infrastructure.
DNS DEFENDER
CloudShield DNS Defender® is an enterprise and carrier-grade DNS security and performance enhancement solution. Unlike traditional firewalls or other network security appliances, DNS Defender is specifically designed to protect against DNS attacks, enhance overall DNS performance, and have the flexibility to add custom security countermeasures for carriers, ISPs, and large organizations.
SECURITY
The best defense policy that protects your Achilles’ heel, or DNS, must be intelligent and go beyond surface-level security. DNS Defender is engineered with 6 layers of DNS security. Each layer is uniquely specialized to protect against specific types of DNS attacks.
PERFORMANCE
DNS Defender accelerates DNS performance with responses to valid queries from a fast cache, answering DNS queries at line speed up to 250,000 requests per second. If volume exceeds cache capacity, queries are dropped with no impact on DNS servers.
FLEXIBILITY
Your DNS solution should help mitigate attack risk by allowing you to add security countermeasures as needed. DNS Defender enables you to build custom defenses against real and potential cyber assaults you may see coming through your threat operation centers.
BENEFITS
Performance = Competitive advantage
» Can reduce the size and complexity of DNS server farms
» Postpones or eliminates DNS infrastructure upgrades
» Provides DNS security without expensive equipment redundancy
Flexibility = Rapid threat response
» Rapidly mitigate risk within hours by identifying, understanding, and defending against the threat with custom security countermeasures
» Configurable DNS-oriented access control lists (ACLs)
» Enables administrative management of which query types, DNS flags, and domain names are subject to blocking, filtering, or redirection
Security = Peace of mind
» The dollar value of preventing just one attack can provide immediate return on investment
» Can reduce costs and risks of liability, extortion, and other impacts from attacks and intrusion
» Can slash support costs from customers caused by DNS slowdowns and outages
NEXT STEPS…
Get more information
» Cybersecurity Blog: Experts share tips, advice, and opinions.
» DNS Use Cases: Four customers share their stories.
» Comparison Chart: See the differences between technologies.
» Infographic: Tells the story of the DNS vulnerability problem.
Talk to us
If you have questions about CloudShield DNS Defender and want to speak with our team, please fill out our Contact Us form online.