DNS - Part 2

Secure your DNS to avoid losing business – Part 2

What happens when DNS doesn’t work?

Of course, having a non function DNS causes problems. We have to differentiate between two types of disruptions which have as consequence that the DNS resolution doesn’t work anymore: unintentional and intentional.

Unintentional disruption

In this case, nobody intentionally caused the issue that prevents the DNS service to function correctly. This can happen because of a configuration error or a hardware failure.  A good IT administrator can deal with it rather fast, especially if there is no change in the IP addresses or domain names (it is about restoring). If there are IP or name changes, even if the problem gets fixed on the source quickly, it takes usually minimum 24h for the changes in the DNS to propagate to enough servers so that someone can feel the difference. Propagation is the way DNS servers exchange information between them so that as many as possible services know how to resolve a certain domain to its IP address. This delay can cause serious problems to your customers and visitors.

Intentional disruption

There are, however, cases when DNS errors are caused intentionally by persons or organizations who want to produce damages to the owner of a domain. This happened many times in the past and even some big companies were hit by this problem (Facebook, Google, Twitter, AVG, Avira, WhatsApp, etc.).

Let’s see how someone can change your DNS records.

Registrar manipulation

DNS is a service, and as any service, there has to be a service provider that offers the infrastructure that host the records (the tables that map a name to an IP address). Such service providers, usually called registrars, are all big ISPs like Comcast, 1&1, Network Solutions and so on. If one of them gets hacked then it is possible to alter the DNS records for any of the domains hosted there. In the past 12 months a couple of big registrars were hacked and this resulted in downtime for many domains.

This attack has potentially global consequences since, most of the time, authoritative DNS servers are affected.

Cache poisoning

DNS cache poisoning or DNS Spoofing, is a complex attack because it targets a certain audience. It is directed against the users that are dependent on the attacked service.  This can happen after an attacker is successfully injecting malicious DNS data into the recursive DNS servers that are operated by many other ISPs. The attacker usually chooses the DNS servers that are the closest to the targeted users from a network topology perspective. The best way to prevent this type of attack is to use DNSSec. If this is not possible, another way to protect the DNS records is to restrict their propagation to only servers that prefer to get fresher information from the Internet instead of caching an entry for a long time (in order to save bandwidth and time).

Legal DNS takeover

While related to the first case which is illegal, this takeover is completely legal (it is enforced by a court order) and it is performed by the registrar directly without consulting the owner of the domain. Recently, in an incident with domains hosting malware in the U.S., Microsoft managed to obtain legal custody of the DNS entries of the well-known service NO-IP Managed DNS. This had as consequence that thousands of innocent users who used No-IP’s service were no longer able to resolve their domains. The customers were using a form of <user-dns>.no-ip.com and several other hosts to reach their own domains. Without no-ip.com, the base domain, no subdomain worked anymore.

This can happen at any time and in any country because the laws are (still) very blurry in regards to cybercrime and what is allowed and what not.

This post is also available in: German

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.