securing dns environments - fusionlayer.com · security principles, which have been incorporated in...

Securing DNS

Environments

White Paper by FusionLayer, Inc. December 2015

Copyright©2018FusionLayerAllrightsreserved.Nopartofthispublicationmaybereproduced,storedin a retrieval system, or transmitted, in any form or by any means,electronic,mechanical,photocopying,recording,orotherwise,withoutthepriorpermissionofthecopyrightowners.SecuringDNSEnvironmentsbyFusionLayer,December20188Anycommentsrelatingtothematerialcontainedinthisdocumentmaybesubmittedto:

FusionLayer,Inc.

Keilaranta1,02150Espoo,Finland.

orbyemailto:

[email protected]

SECURING DNS ENVIRONMENTS

1

TheInternetwasdesignedwithscalabilityandavailabilityinmind.Atthetime,securityandsafetyofthenetworkinfrastructurewasnotaspressinganissueasitistoday.ThemajorityofpublicandprivatesectorDNSenvironmentsarestillnotDNSSECenabled.

1. IntroductionThe venerablemilitary strategist, GeneralKarl vonClausewitz once suggestedthat possible engagements should be regarded as real ones because of theirconsequences[1].Withtheemergenceofmodernwarfarestrategiesthatactivelyutilizecyberspacetactics,vonClausewitz’smessageisjustascurrenttodayasitwas200yearsago.TheInternetwasoriginallydevelopedwithavailabilityandscalabilityinmind.Atthetime,securityandsafetyofthenetworkinfrastructurewasnotaspressinganissueasitistoday.Asaresult,manymissioncriticalnetworkservices,suchastheDomainNameSystem(DNS)providingname-to-IP-addressresolutionserviceinTCP/IPbasednetworks,haveinherentstructuralvulnerabilitiesintheirprotocol,makingthemeasytargetsforcyberattacksunlessappropriatecountermeasureshavebeentakenpriortotheirdeployment.WheneverahumanreadabledomainnameisusedtoconnecttoanapplicationoveraTCP/IPbasednetwork,DNScomesintoplay.Yetdespiteitsfundamentalrole, the insecuredesignof theDNSprotocolmakes this corenetwork serviceprone to man-in-the-middle, DNS cache poisoning and other similar forms ofmalicious attacks. Due to their nature, these attacks can go undetected forsignificantperiodsoftimewhiledirectingtraffictofraudulentsites.Thisallowstheattackertotamperwiththenameresolutionprocess, facilitatingpharmingattemptsandblockingofselectedservicesatacriticalmoment.ToaddresssomeofthevulnerabilitiesintheDNSprotocolandmitigateanumberof the security issues associated with it, the networking industry has beenworking on developing, fine-tuning and adopting DNS Security Extension(DNSSEC)sinceatleast1993.Whileitsdeploymenthasbeengainingmomentuminthelastnumberofyears,inparticularwiththeRootZonebeingsignedon15thJuly 2010, the fact is that the majority of public and private sector DNSenvironmentsarestillnotDNSSEC-enabled.The reasons for such a lukewarm response to the wide-scale deployment ofDNSSECcouldbethat1) deploying DNSSEC introduces network complexities and operational

challengesthatareyettobeclearlyaddressedand2) DNSSEC alone does not solve all the DNS security problems and instead

should be deployed alongside other measures so as to address a widerspectrumofcyberattacks.

Ontheotherhand,whilesecuritymeasuressuchasthedeploymentofDNSSEC,areeffective in theirown right in improving the trust in theprotocol, to trulyincreasenetworksecurityandeliminatethepossibilityof


2

TheoriginalDNSinfrastructuralenhancementsenvisionedin1983byPaulMockapetris,thefatherofDNS,arestillwaitingotberolledout.

humanerror,DNSmanagementprocessesshouldbeautomated.Inaddition,thishastobetakenonestepfurtherandtheautomatedDNSservicesshouldbevirtualized;soastoyetincreasenetworksecurityandefficiencywhileimprovingdisasterrecoverytactics. In thiswhite paper,we focus on our patent-pendingDNS software appliance-based solution [2], FusionLayer DNS, which automates DNSmanagement andadministrationprocesseswhileaddressingitssecurityissuesoutofthebox.Themainadvantagesofourapproacharesummarizedbelow:1. It provides a simple and secure DNSSEC solution that also includes other

securitymeasures,whichtogetherimproveDNSandnetworksecurity.

2. It automates and streamlines DNS management processes eliminating thepossibility of human error, which is one of the main causes of networkdowntime.

3. The solution, delivered as a virtualization-ready software appliance [3],introducesanewlevelofplatformindependence,asitcanbeinstalledandrunoneitheravirtualmachineorothercomputingplatformalreadyinuse.

2. The Basics of the Domain Name System (DNS) TheDomainNameSystem(DNS)playsamissioncritical role inTCP/IP-basedcommunications. DNS is a hierarchically distributed database used to mapdomainnamestoIPaddresses(nameresolution)andviceversa[4].AllIP-baseddevicesregardlessoftheirusageandlocationrelyontheaccuracyandintegrityofDNSintheirinteraction.In1983,PaulMockapetrisintroducedtheDNSstandardbasedonanarchitecturedesignedwithscalabilityandavailability inmind,with theexpectation that itsinfrastructurewouldbe improvedovertime[5].Theexistingvulnerabilities inthe DNS infrastructure, which weaken the security and trust in TCP/IPcommunications,havebeenwidelyrecognizedsincethelate1990s[6]-[7].Whilethenetworkingcommunities’effortsinaddressingtheseissuesculminatedintheintroduction of DNS Security Extensions (DNSSEC) in 1999, the originalinfrastructureenhancementsenvisionedbyMockapetrisin1983,arestillwaitingtoberolledout.Figure 1 depicts how a local recursive DNS server responds to a query for“foo.example.com”domain.Asthefirststep,theDNSserverchecksitslocalcachetoseeifanentryforthisdomainalreadyexists,storedbasedonasimilarearlierquery.Ifitdoesnot,theserverinitiatesaniterativequeryprocess,startingwiththeroot’sauthoritativeDNSserver,untiliteitherresolvestheIPaddress for the domain name or establishes that the requested domain nameentrydoesnotexist.Ateachpoint,anexternalauthoritativeDNSserverreceivingthequeryfromthelocalrecursiveDNSserver,either:


3

1)respondswithanIPaddressfortherequesteddomainnameifitisauthoritativefor thatzone,2)answerswithadelegationtoanotherauthoritativeDNSserverlocatedclosertotherequesteddomainnameintheDNShierarchy,or3)providesanegativeresponseifananswerto(1)or(2)isnotknown.OncethelocalrecursiveDNSserverhasobtainedanIPaddressthroughthisprocess,itupdatesitscachewiththeentryandforwardstheresponsetotheresolver.

Figure 1: The DNS name resolution procBINDisthemostwidelyusedDNSimplementationontheInternetbuthassomemajorsecurity,administrativeandmanagementshortcomings.

3. BIND and DNS Automation BINDisbyfarthemostwidelyusedDNSimplementationontheInternet.Ontheotherhand,sinceitisbasedonunsupportedopensourcesoftware,ithastobemaintainedandpatchedmanually.UsingBINDforDNSserviceshassomemajorsecurity,administrativeandmanagementshortcomings[8].1. Thelackofadministrativetoolsformanagingday-to-dayDNSroutines,leads

toinputerrorsandDNSdatacorruptionresultinginnetworkdowntime.2. Softwareupdatesandsecuritypatcheshave tobe implementedmanually,

whichisextremelytime-consumingandtedious.

3. TheabsenceofacentralmanagementtoolmeansthatitisimpossibletokeeptrackoftheIPaddressusageacrosstheorganization’snetworkortomonitoruseactivitiesandchangesmadewithintheDNSenvironment.

4. Allserverbackups,synchronizationanddisasterrecoveryactivitieshaveto

bedonemanually,whichincreasesthetimetorecovery.

The solution to these problems is to fully automate DNS management and


4

administrativeroutines.Inpractice,thiswouldmeancentralizingandstreamliningDNSmanagementprocess,providingautomaticdatavalidationandpatchupdatesandimprovingnetworkavailabilityanddisasterrecoverymeasures.All thiswillleadtoamoresecureandstableDNSservice.

4. Secure Architecture of FusionLayer DNS Software Appliance

Inthissection,wefocusontheissueofDNSsecurityandintroducesomeofthesecurityprinciples,whichhavebeenincorporatedinourDNSsoftwareappliance,FusionLayerDNS.Figure2representsthebasicarchitectureofFusionLayerDNS.IthasbeenbuiltonaLinuxoperatingsystem,whichhasbeenspecificallyhardenedandoptimizedforDNSuse.Inordertotrulyenhancethelevelofnetworksecurity,wehaveimplementedvarioussecuritymeasuresnotonlyinthedesignprinciplesbutalsoat theapplicationand theOS level.The threeprinciplesof “Defence inDepth”[9],“LeastPrivilege”[10]and“DefaultDeny”formthefoundationofourDNSsoftwareappliance.

DefenceinDepthistheconceptofprotectingacomputernetworkwithaseriesofdefencemechanismssuchthatifonefails,anotherwillalreadybeinplacetoblockan attack. In practice, this has meant including such measures as encryptedconnections,in-hostfirewalls,IntrusionDetection/PreventionSystems(IDS/IPS)[11],runningserviceswithsecureconfigurations,hardeningtheOSandperiodicbackups.TheIDS/IPSincludedinFusionLayerDNS;asdepictedinFigure3,isinfactthenoveltyofourapproachthathasproventobequiteeffectiveinincreasingDNSsecurity.


5

Figure 3: IntrusionDetection/Prevention System (IDS/IPS) deployed in FusionLayer DNS.

The principle of Least Privilege is concernedwith granular user privileges andrights.Theideabehindthisprincipleistograntasminimalprivilegesaspossibleto permit a legitimate action, thereby enhancing the protection of data andfunctionalityfromfaultsandmaliciousbehavior.Inpractice,thismeansthatinourDNSsoftwareappliancearchitecture,DNSservicesarenotrunasroot,theuser-interfaceandshellaccesshavemultiplelevelsofuseraccountsandeachuserhasspecificrightsandrestrictedprivileges.

TheprincipleofDefaultDenydemandsthatanythingthatisnotexplicitlyallowedisdenied,regardlessofwhetheritisrelatedtoaccess,privileges,security-relatedattributes or other functions. In practice, this involves having a firewall whichblocksallbutexplicitlyallowedconnections,explicitlypermittingshellaccessforusers,disablingallbutnecessaryservicesandremovingallbutnecessarypackages.

ThethreesecurityprinciplesformthebackboneofFusionLayerDNS.WefurtherstrengtheneditsarchitecturebyincorporatingvarioussecuritymeasuressuchasDNSSEC,whichisdiscussedinthenextsection.


6

6. Examples of Malicious Attacks Against DNS Servers

InthisSection,wepresenttwoexamplesofmaliciousattacksagainstDNSServersandtheirconsequences.Figure4depictstheflowofcommunicationsbetweentheclient and the server while a man-in-the-middle or cache poisoning attach isunderway.Oneofthemainobjectivesofaman-in-the-middleattackistoeavesdropon the communication between the servers and forge the responses to DNSqueries, directing Internet traffic to fraudulent sites. Meanwhile, in order toincreaseefficiency,decreasenetworktrafficandimproveresponsetime,recursiveDNSserverstemporarilycachethenameresolutionresponsestheyhaveobtainedforaperiodoftimereferredtoasthe

Figure 4: Vulnerabilities of the DNS protocol.

Time-To-Live(TTL).CachepoisoningoccurswhenfraudulentDNSdataisprovidedandcachedinarecursivenameserver.Asaresultofcachepoisoning,all futurequeriestothe“poisoned”recursiveDNSserverwouldbedirectedtothefraudulentsiteuntiltherecord’sTTLhasexpired.

Figure 5: Asymmetric cryptography and digital signature.


7

7. Mitigating Threats with DNSSEC

DNSSEChasbeendesignedtosolvesomeofthesecurityproblemsassociatedwiththeDNSprotocol.Withthehelpofdigitalsignatures[12],DNSSEChelpsassurethatthedatareceivedhas infactoriginatedfromtheauthorizedsourceandthatthemessage has not been tampered with in any way while travelling through thenetwork. It also provides authenticated denial of existence, proving that therequesteddomainnameentrydoesnotexist.Havingsaidthat,DNSSECdoesnotprotecttheconfidentialityofthedata,nordoesitpreventDenialofService(DoS)attacks.Assuch,inordertofurtherincreasethetrustinInternetandmitigatethelattertwothreats,inFusionLayerDNSwedeployDNSSECalongsideSecureSocketLayer (SSL) technology [13] and Intrusion Detection/Prevention Systems(IDS/IPS).

DNSSECfunctionsbyrequiringDNSzonedatatobesignedinordertoassuretheauthenticityofthenameresolutionprocess.ItsimplementationissimilartoPublicKeyInfrastructure(PKI)andreliesonasymmetriccryptographicalgorithm,whichisrepresentedinFigure5.Inasymmetriccryptography,apairofprivateandpublickeysisusedtoencryptanddecryptamessage.Theownerofthekeysuseshis/herprivatekeytoencryptthemessagetobesent.Thereceiver,ontheotherhand,usesthepublickeyofthesender,whichhe/shehadobtainedpreviously,todecryptthemessagereceived.Amessageencryptedwithaprivatekeycanonlybedecryptedwith its corresponding public key and as such this approach can prove theauthenticityofthesourcefromwhichthedataoriginated.Figure5alsooutlineshowPKIcanbeusedtoprovetheintegrityofthemessagereceived,assuringthatthedatahasnotbeenmodifiedwhileintransit.

Figure6representstheflowofcommunicationsforanameresolutionprocesswithDNSSECenabled.InordertodeployDNSSEC,eachchilddomaincreatesapairofpublic/privatekeysandparticipatesinthechainoftrustbyuploadingitspublickeytoitsparent’sdomainandhavingitverified.Thisinformationisstoredintheparent zone’s Delegation Signer (DS) record and is forwarded alongside anyresponsetotherecursivenameserver.Thechilddomainwouldthenuseitsprivatekeytosignallzonedataforwhichit


8

is authoritative. After receiving any response, the recursive DNS server wouldcompare thepublic key of the child zone, contained in theDNSKEY record andreceivedwiththeresponse,againsttheDSrecordoftheparent’szonereceivedinthepreviousresponse,toconfirmthatthepublickeysentbythechildzoneisinfactcorrect.Therecursivenameserverwouldthenuse thisverifiedDNSKEYtodecrypttheDNSSECsignaturecontainedintheRRSIGrecordinordertoverifytheauthenticityandoriginoftheresponse.Itwouldthenfollowonwiththequeryandrepeat theprocessuntil either the IP addressof the requesteddomainname isresolvedoritreceivesanauthenticateddenialofexistencereplywhichindicatesthattherequesteddomainnameentrydoesnotexist.

Figure 6: DNS name resolution with DNSSEC enabled.

AlthoughthetheorybehindDNSSECisrelativelystraightforward,implementingitintroducessomeoperationalchallengesaslistedbelow.

1. Whenzonesaresigned,thenumberofresourcerecordsgrowsbyafactorof

4-5,increasingtheamountofdatathathastobemanaged.Inreturn,thiswillincreasetheamountofnetworktraffic,althoughnotsignificantlyenoughtowarrantspecialmeasure.

2. Whensigned,formerlystaticDNSentrieswillbecomedynamicbecausethe

privatekeysusedtosignthezoneshavetoberolledoveratregularintervals.According to DNSSEC Operational Practices [14], it is recommended thatzonesigningkeysarerolledoveronceeverymonth.Thispracticeisaimedatincreasingthelevelofsecuritybypreventingtheftandbruteforceattacksonprivatekeys.


9

3. As signed zones contain resource records that are effectively very long keys, managing the keys manually becomes more error-prone. This is due to the fact that as the key length grows, so does the possibility of human error while manually inputting, updating and managing the keys.

Figure 7: Manual implementation of DNSSEC,

Figure 7 depicts the steps that have to be taken in order to manually deployDNSSEC. As elaborated above, it is these operational challenges of manuallyimplementingDNSSEC that havepreventedmanyorganizations fromdeployingDNSSECintheirnetwork.Assuch,deployingDNSSEC,oneitherexternalorinternalnetworks,isaprocessthatgreatlybenefitsfromautomation.Inthenextsection,we elaborate on the criteria necessary to successfully deploy a secure DNSenvironmentwithDNSSECenabledusingsoftwareappliances.

8. Countering Predatory Practices in DNS Environments

To successfully deploy a DNS environment that addresses the forms of cyberattacksdiscussedinthispaper,wehaveidentifiedthreekeycriteriathatshouldbemet.

1. ThedeployedDNSserviceshouldsupportDNSSECandincludeautomated

key management functionality used in the authentication of the nameresolutionprocess.

2. ItshouldincludeSecureSocketLayer(SSL)technologyandbuiltinIntrusion

Detection/ProtectionSystem(IDS/IPS)providingprotectionagainstDenialofServiceattacks.

3. To improve network performance, security and availability, DNS services

shouldbebasedonadedicatedandoptimizedserverstackwith


10

JustenoughOperatingSystem(JeOS)[15]usedtominimizethenumberofattackvectors.

Combining DNSSEC with the methodology described above has numerousadvantages. Firstly, it improves the reliability and availability of core networkserviceswhilereducingoperatingexpenses.Secondly,whendeployedbasedonthesecurityprinciplesdiscussedpreviously,thisapproachisproventobeextremelyeffectiveinmitigatingpredatorypracticesdiscussedinthispaper.Thirdly,thefactthatFusionLayerDNSisdistributedasasoftwareappliancemeansthatitcouldbedeployedeitheronavirtualmachineoranyx86-basedhardwareplatformalreadyin use. This platform independence supports recent trend towards cloudcomputing initiatives that reduce computing costs. Finally, instead of requiringdedicatedphysicalservers,ourapproachallowsnumerousinstancesofsoftwareappliances to be consolidated as virtual machines on any computing platformalreadyinuseandthushelpsreducethenumberofphysicalservesrequired.

9. Conclusion

DNS is one of the core services necessary for network connectivity. Despite itsmissioncriticalrole,itsinherentdesignhasmadeitaneasytargetfornumerousformsofcyberattacks.DNSSECwasdevelopedasaprotocolthatmitigatessomeofthesecurityissuesassociatedwithDNS.Itssuccessfuldeploymentthoughrequiresautomation;bothintermsofinstallationandmanagementprocesses.Atthesametime,tobetrulyeffectiveinimprovingDNSsecurity,DNSSEChastobedeployedincombinationwithothersecuritymeasurestoaddressawiderspectrumofcyberattacks.

Inthiswhitepaper,weintroducedFusionLayerDNS,whichisdevelopedbasedonamethodologythataddressesDNSsecurityissuesoutofthebox.FusionLayerDNSprovidesasimpleandsecureDNSsolutiondesignedbasedonstringentsecurityprinciples which meets the standard requirements of today’s networkingenvironments.Ithasalreadybeendeployedinvariousorganizationsworldwide,both in public and private sector networks in all industry verticals, creatingsignificantcostsavingwhileintroducinganenhancedlevelofnetworksecurity.


11

About FusionLayer FusionLayer streamlines cloud and applicationdelivery innext generationdatacenters. The company’s vendor agnostic technology bridges the gap betweennetwork infrastructure and orchestrated cloud and network functionsvirtualizationworkflows.Forcloudandapplicationdelivery,FusionLayer’snorthboundsolutionfacilitatesNetworkFunctionVirtualization(NFV)andprovidesunifiednetworkvisibilityandreporting. The company’s southbound solution, for network infrastructure,enables multivendor DNS and DHCP administration coupled with networkmonitoringandreservationmanagementforSoftwareDefinedNetworking(SDN).Altogether, FusionLayer’s solutions fully support both IPv4 and IPv6environments. Nine out of 10 of theworld's largest service providers leverageFusionLayer.


12

References

1. CarlVonClausewitz, Colonel F.N.Maude and J.J. Graham, “OnWar”, p.152,WilderPublication,2008.

2. WIPO, IP Services, (WO/2007/107634) “Applianced Domain Name Server”,

http://www.wipo.int/pctdb/en/wo.jsp?WO=2007107634 3. Ganguly,J.Yin,H.Shaikh,D.Chess,T.Eilem,R.Figueiredo,J.Hansom,A.MohindraandG.Pacifici,

“Reducingcomplexityofsoftwaredeploymentwithdeltaconfiguration”,Proceedingsofthe10thIFIP/IEEEInternationalSymposiumonIntegratedNetworkManagement,pp.729-732,Munich,Germany,May2007.

4. P.Mockapetris,“Domainnames–conceptsandfacilities”,InternetRFC1034,November1987.5. S. Lawson, “Inventor looks to DNS’s past, future”, Computerworld June

2003,www.computerworld.com.au/article/70040/inventor_looks_dns_past_future/

6. S.M.Bellovin,“Usingdomainnamesystemforsystembreak-ins”,Proceedingsofthe5thUsenixSecuritySymposium,SaltLakeCity,UT,1995.

7. R. Chandramouli and S. Rose, “Secure Domain Name System (DNS) deployment guide –

recommendations of the National Institute of Standards and Technology”, Sponsored by theDepartmentofHomelandSecurity,April2010.

8. P.Vixie,“DNSandBINDsecurityissues”,Proceedingsofthe5thUsenixSecuritySymposium,SaltLakeCity,UT,1995.

9. L. Smith, “Understanding concepts in thedefence indepth strategy”, Proceedingsof IEEE37th

InternationalCarnahanConferenceonSecurityTechnology,pp.8-16,2003.10. N. Jing-xuan, H. Hong-jun, L. Li, L. Peng andD. Li-ming, “Discussion onminimizing file access

privilege”,ProceedingsofInternationalConferenceonMultimediaandInformationTechnology,p.801,2008.

11. J.McHugh,A.ChristieandJ.Allen,“Defendingyourself:theroleofintrusiondetectionsystems”,

IEEESoftware,Vol.17,Is.5,PP.42-51,September/October2000.12. H. L. Kesterson, “Digital signatures, whom do you trust?” IEEE Proceedings of Aerospace

Conference,Vol.4,p.159,February1997.13. A.C,Weaver,“SecureSocketsLayer”,Computer,Vol.39,Issue4,pp.88-90,April2006.14. O. Kolkman andW.Mekking, “DNSSEC operational practices, Version 2”, RFC 4641 (Proposed

Standard),September2006.http://www.ietf.org/rfc/rfc4641.txt

15. D.Geer,“TheOSfacesabravenewworld”,Computer,Vol.42,Issue10,pp.15-17,October2009.

securing dns environments - fusionlayer.com · security principles, which have been incorporated in...

Documents