The Domain Name System (DNS) may at first seem difficult for non-techies to understand. However, the concept is actually quite simple: the system uses servers to maintain a list of domain names and their associated Internet Protocol (IP) addresses. This allows end users to enter a request into their browser in an easier format, instead of memorizing extensive lists of long numeric IP addresses. For example, the user could enter ABCD.com (domain name) instead of 01.23.45.678 (IP address) to reach the same webpage.
Domain Name System server security has become both a hot topic and big business, because a system that was built for ease of use rather than security continues to face challenges from a growing population of capable malicious hackers. Even non-techies should be armed with a knowledge of DNS security basics so they can make informed decisions about their personal or business online security measures.
What Are Some Examples of Domain Name System Attacks?
DNS attacks can take many forms, but all exploit essential weaknesses in the system.
A common attack is Cache Poisoning. Local machines save caches of IP translations to expedite web access. Cache Poisoning corrupts the cache by replacing the target IP address with the address of the attacker's own website.
Another buzz topic in DNS security is the Denial of Service Attack. In this attack, a hacker sends enough traffic to a specific site to overload it beyond its data buffers, thereby making the target IP address completely unreachable, even by legitimate requests.
One more example is Domain Name System Amplification, which takes advantage of servers that permit recursive lookups and uses the recursion to spread an attack across multiple servers simultaneously.
How Is Technology Advancing to Prevent DNS Attacks?
In recent months, several server functionalities have been introduced to combat security attacks.
Advanced server policy capabilities allow domain name servers to respond differently depending on a variety of factors, such as client IP or timestamp, to assist in traffic management and load balancing. These refinements also permit filtering against known lists of malicious IP addresses. Robust forensics can redirect hits to a sinkhole rather than a computer.
Response Rate Limiting (RRL) can now prevent hacking systems from riding on protected domain name servers to initiate Denial of Service Attacks. It works by using response rate limits to distinguish human requests from bot requests to the server.
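To make the rate-limiting idea concrete, here is an added example (not from the original article or from any DNS server's code): a simplified Python model that allows a fixed number of identical responses per second to each client netblock and drops or truncates the rest. The class and function names, the limits (5 responses per second, a slip of 2, IPv4 /24 grouping) and the sample traffic are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Simplified fixed-window model of RRL; not any DNS server's actual code."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rate = responses_per_second
        self.slip = slip              # every slip-th over-limit reply is sent truncated
        self.prefix_len = prefix_len  # clients are grouped by IPv4 netblock
        self.seen = defaultdict(int)  # (second, netblock, qname) -> replies requested

    def decide(self, timestamp, client_ip, qname):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        key = (int(timestamp), str(net), qname.lower().rstrip("."))
        self.seen[key] += 1
        over = self.seen[key] - self.rate
        if over <= 0:
            return "respond"
        # A truncated reply is tiny, so it gives no amplification, but it lets a
        # genuine client inside the limited netblock retry over TCP.
        if self.slip and over % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(queries, **limits):
    """Return {client_ip: Counter of decisions} for (timestamp, ip, qname) tuples."""
    limiter = ResponseRateLimiter(**limits)
    result = defaultdict(Counter)
    for ts, ip, qname in queries:
        result[ip][limiter.decide(ts, ip, qname)] += 1
    return result


# Constructed sample traffic (documentation-range addresses): 20 identical
# queries in one second carrying the same source address, plus one ordinary client.
SAMPLE = [(100.0 + i / 100, "203.0.113.7", "example.com") for i in range(20)]
SAMPLE += [(100.2, "198.51.100.20", "example.com"), (101.4, "198.51.100.20", "example.com.")]

if __name__ == "__main__":
    for ip, decisions in simulate(SAMPLE).items():
        print(ip, dict(decisions))
```

The model keeps every counter in memory and uses whole-second windows; a production server would expire old entries and smooth the limit over a longer window.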
DNS-Based Authentication of Named Entities (DANE) technology prevents man-in-the-middle Cache Poisoning attacks that redirect legitimate domains to a rogue IP target.
Knowing the basics of Domain Name System security is important. Stay up to date on the newest resources to protect yourself and your business online. For more information, visit www.bluecatnetworks.com.