The Internet Superhero

Improving Network Security Using DNS Traffic Manager

Published 14/02/2018 in Internet Security - 0 Comments
DNS Traffic Manager as a way of mitigating network security

Domain Name System: An Overview

DNS traffic manager works by monitoring the DNS communication protocol

Illustration of how DNS protocol works

Domain Name System (DNS) is the backbone of the internet as we know it today. Most users don’t give a thought about the gears that move below the surface when they click on a website’s URL.  DNS is what enables an endpoint to reach the necessary servers that are hosting the different services the user needs to access. It works by translating fully qualified domain names (FQDN) such as www.google.com into the IP addresses. These addresses can then be routed through the internet to the servers that host the service. Therefore, DNS is a very important network protocol without which would make use of the World Wide Web impossible. Just like any protocol, DNS enables communication through sending of packets which you can inspect using a DNS traffic manager.

Since DNS enables communication, threat actors have identified it as a blind spot in network security. This was illustrated in the Cisco Annual Security Report, a compilation of security incidents and threats that network security professionals need to know. It identified that most data breaches that occurred within medium and large networks in the year 2016 were made possible through DNS exfiltration.

Vulnerabilities in DNS

A DNS Traffic Manager should spot and prevent DNS spoofing

One of the major ways that these attacks are carried out is by DNS spoofing. DNS spoofing is a term that is used to describe a situation where a threat actor inputs the wrong DNS addresses into a host computer using a Trojan. These DNS addresses point to name servers that are under the control of the threat actor. This means that at any time the host computer needs to perform a name resolution for an FQDN the DNS addresses will always point the host computer to the wrong name resolvers.

These name servers can infect the host computer with malware. In other cases, the can even make the host a part of a bot network that is used to attack other hosts on the internet.

DNS Traffic Manager

DNS Traffic

The idea behind DNS traffic manager is to ensure that the DNS addresses within a network are the correct ones. It makes sure that these addresses are not spoofed.

Another major functionality in DNS traffic manager is the inspection of DNS traffic. DNS operates by using queries and responses. The host computer sends the authoritative name server a query asking for the IP address of a certain FQDN. The authoritative name server then responds with the IP address of the FQDN.

This process of queries and responses are often abused by threat actors to exfiltrate data out of a compromised computer. For instance, if the threat actor has already spoofed the DNS address of the host computer and now wants to send the data on the computer to an outside host. The actor can use DNS to achieve this.

The actor can tunnel the data using a DNS packet. A non-suspecting user will see that the host is trying to communicate with a DNS name resolver. However, in actual sense, the data has been segmented into different DNS queries. These queries will thereafter be reassembled back in order by the threat actor. The DNS traffic manager has functionality that enables it to inspect every single DNS packet that leaves the network. This ensures that there is no data being tunneled through the DNS packet.

DNS Open Resolvers

Another big threat that DNS possess to network security is through DNS open resolvers. DNS open resolvers are name servers that can be accessed by anyone on the internet. An example of an open resolver is the Google open resolver 8.8.8.8.

An open resolver will always respond to a query by a host, unlike private name resolvers. Private name resolvers only respond to queries from within their internal network block. What this means is that DNS open resolvers can be used in Denial of Service (DOS) attacks. These attacks often happen when a threat actor is able to spoof the IP address of a certain host. In most cases, the IP address belongs to a server that is providing a certain service.

The threat actor sends a lot of DNS queries to the open resolver. The spoofed IP address makes it appear like the server is querying the open resolver for certain FQDN. The resolver then responds with the responses overwhelming the server. This will prevent the server from processing genuine requests from users who need service from the server.

Microsoft Azure Traffic Manager

A commercial example of a DNS traffic manager is the Azure Traffic Manager. Azure was designed to protect networks from the vulnerabilities that DNS protocol has. The Azure traffic manager acts as a go-between the recursive name resolver and the authoritative name resolvers. Recursive name resolvers are often found in private networks that perform the local name resolution. On the other hand, authoritative name resolvers are the DNS servers that actually store the name records that are later on sent to the recursive name resolver.

Microsoft Azure is a DNS Traffic ManagerAzure traffic manager confirms the health of the authoritative name resolvers that perform the name resolution. This is done before the resolvers send responses to the recursive name resolvers. It also inspects traffic and confirms the caches in the recursive name revolvers and the host’s browser. The aim behind is to ensure the caches have not been poisoned.

How Azure Traffic Manager Prevents DNS Cache Poisoning

DNS cache poisoning is another method of attack that is often utilized by hackers. Once a host’s browser has found the IP address of a certain FQDN, the DNS lookup is not performed again. The results are stored within a browser cache. The cache will be looked up in case the host needs to access that FQDN. DNS cache poisoning changes the records within the cache to other IP addresses. These addresses are later used to redirect the host’s traffic. The usual intention is to deliver malware to the host by sending the host’s DNS requests to an infected website.

Azure traffic manager maintains a copy of the DNS cache. It checks the host computer and name resolver often to ensure that the cache has not been poisoned.

Other DNS Traffic Managers

DNS Traffic Manager as a way of mitigating network security

Domain Extensions

Currently, there aren’t a lot of open source DNS traffic managers that can be used to inspect DNS traffic within a network. There are however useful logging tools that can always be used to inspect DNS traffic. This is to ensure the validity of the queries and the responses within a network. Examples of such tools include Wireshark that can be used to inspect DNS packets. Dropping responses from open resolvers especially in the case of servers can help to prevent DOS attacks. DNS traffic manager is a useful tool that can be used to prevent the use of DNS in network security attacks.

No comments yet

Leave a Reply: