Details

<p>Preface xiii</p> <p>Acknowledgments xvii</p> <p><b>1 INTRODUCTION 1</b></p> <p>Why Attack DNS? 1</p> <p>Network Disruption 2</p> <p>DNS as a Backdoor 2</p> <p>DNS Basic Operation 3</p> <p>Basic DNS Data Sources and Flows 4</p> <p>DNS Trust Model 5</p> <p>DNS Administrator Scope 6</p> <p>Security Context and Overview 7</p> <p>Cybersecurity Framework Overview 7</p> <p>Framework Implementation 9</p> <p>What’s Next 15</p> <p><b>2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17</b></p> <p>DNS Overview – Domains and Resolution 17</p> <p>Domain Hierarchy 18</p> <p>Name Resolution 18</p> <p>Zones and Domains 23</p> <p>Dissemination of Zone Information 25</p> <p>Additional Zones 26</p> <p>Resolver Configuration 27</p> <p>Summary 29</p> <p><b>3 DNS PROTOCOL AND MESSAGES 31</b></p> <p>DNS Message Format 31</p> <p>Encoding of Domain Names 31</p> <p>Name Compression 32</p> <p>Internationalized Domain Names 34</p> <p>DNS Message Format 35</p> <p>DNS Update Messages 43</p> <p>The DNS Resolution Process Revisited 48</p> <p>DNS Resolution Privacy Extension 55</p> <p>Summary 56</p> <p><b>4 DNS VULNERABILITIES 57</b></p> <p>Introduction 57</p> <p>DNS Data Security 57</p> <p>DNS Information Trust Model 59</p> <p>DNS Information Sources 60</p> <p>DNS Risks 61</p> <p>DNS Infrastructure Risks and Attacks 62</p> <p>DNS Service Availability 62</p> <p>Hardware/OS Attacks 63</p> <p>DNS Service Denial 63</p> <p>Pseudorandom Subdomain Attacks 67</p> <p>Cache Poisoning Style Attacks 67</p> <p>Authoritative Poisoning 71</p> <p>Resolver Redirection Attacks 73</p> <p>Broader Attacks that Leverage DNS 74</p> <p>Network Reconnaissance 75</p> <p>DNS Rebinding Attack 77</p> <p>Reflector Style Attacks 78</p> <p>Data Exfiltration 79</p> <p>Advanced Persistent Threats 81</p> <p>Summary 83</p> <p><b>5 DNS TRUST SECTORS 85</b></p> <p>Introduction 85</p> <p>Cybersecurity Framework Items 87</p> <p>Identify 87</p> <p>Protect 87</p> <p>Detect 88</p> <p>DNS Trust Sectors 88</p> <p>External DNS Trust Sector 91</p> <p>Basic Server Configuration 93</p> <p>DNS Hosting of External Zones 97</p> <p>External DNS Diversity 97</p> <p>Extranet DNS Trust Sector 98</p> <p>Recursive DNS Trust Sector 99</p> <p>Tiered Caching Servers 100</p> <p>Basic Server Configuration 101</p> <p>Internal Authoritative DNS Servers 103</p> <p>Basic Server Configuration 105</p> <p>Additional DNS Deployment Variants 108</p> <p>Internal Delegation DNS Master/Slave Servers 109</p> <p>Multi-Tiered Authoritative Configurations 109</p> <p>Hybrid Authoritative/Caching DNS Servers 111</p> <p>Stealth Slave DNS Servers 111</p> <p>Internal Root Servers 111</p> <p>Deploying DNS Servers with Anycast Addresses 113</p> <p>Other Deployment Considerations 118</p> <p>High Availability 118</p> <p>Multiple Vendors 118</p> <p>Sizing and Scalability 118</p> <p>Load Balancers 119</p> <p>Lab Deployment 119</p> <p>Putting It All Together 119</p> <p><b>6 SECURITY FOUNDATION 121</b></p> <p>Introduction 121</p> <p>Hardware/Asset Related Framework Items 122</p> <p>Identify: Asset Management 122</p> <p>Identify: Business Environment 123</p> <p>Identify: Risk Assessment 124</p> <p>Protect: Access Control 126</p> <p>Protect: Data Security 127</p> <p>Protect: Information Protection 129</p> <p>Protect: Maintenance 130</p> <p>Detect: Anomalies and Events 131</p> <p>Detect: Security Continuous Monitoring 131</p> <p>Respond: Analysis 132</p> <p>Respond: Mitigation 132</p> <p>Recover: Recovery Planning 133</p> <p>Recover: Improvements 133</p> <p>DNS Server Hardware Controls 134</p> <p>DNS Server Hardening 134</p> <p>Additional DNS Server Controls 136</p> <p>Summary 137</p> <p><b>7 SERVICE DENIAL ATTACKS 139</b></p> <p>Introduction 139</p> <p>Denial of Service Attacks 139</p> <p>Pseudorandom Subdomain Attacks 141</p> <p>Reflector Style Attacks 143</p> <p>Detecting Service Denial Attacks 144</p> <p>Denial of Service Protection 145</p> <p>DoS/DDoS Mitigation 145</p> <p>Bogus Queries Mitigation 147</p> <p>PRSD Attack Mitigation 148</p> <p>Reflector Mitigation 148</p> <p>Summary 151</p> <p><b>8 CACHE POISONING DEFENSES 153</b></p> <p>Introduction 153</p> <p>Attack Forms 154</p> <p>Packet Interception or Spoofing 154</p> <p>ID Guessing or Query Prediction 155</p> <p>Name Chaining 155</p> <p>The Kaminsky DNS Vulnerability 156</p> <p>Cache Poisoning Detection 159</p> <p>Cache Poisoning Defense Mechanisms 160</p> <p>UDP Port Randomization 160</p> <p>Query Name Case Randomization 161</p> <p>DNS Security Extensions 161</p> <p>Last Mile Protection 167</p> <p><b>9 SECURING AUTHORITATIVE DNS DATA 169</b></p> <p>Introduction 169</p> <p>Attack Forms 170</p> <p>Resolution Data at Rest 170</p> <p>Domain Registries 170</p> <p>DNS Hosting Providers 171</p> <p>DNS Data in Motion 172</p> <p>Attack Detection 172</p> <p>Authoritative Data 172</p> <p>Domain Registry 173</p> <p>Domain Hosting 173</p> <p>Falsified Resolution 173</p> <p>Defense Mechanisms 174</p> <p>Defending DNS Data at Rest 174</p> <p>Defending Resolution Data in Motion with DNSSEC 176</p> <p>Summary 186</p> <p><b>10 ATTACKER EXPLOITATION OF DNS 187</b></p> <p>Introduction 187</p> <p>Network Reconnaissance 187</p> <p>Data Exfiltration 188</p> <p>Detecting Nefarious use of DNS 189</p> <p>Detecting Network Reconnaissance 189</p> <p>DNS Tunneling Detection 190</p> <p>Mitigation of Illicit DNS Use 193</p> <p>Network Reconnaissance Mitigation 193</p> <p>Mitigation of DNS Tunneling 193</p> <p><b>11 MALWARE AND APTS 195</b></p> <p>Introduction 195</p> <p>Malware Proliferation Techniques 196</p> <p>Phishing 196</p> <p>Spear Phishing 196</p> <p>Downloads 196</p> <p>File Sharing 197</p> <p>Email Attachments 197</p> <p>Watering Hole Attack 197</p> <p>Replication 197</p> <p>Implantation 197</p> <p>Malware Examples 198</p> <p>Malware Use of DNS 198</p> <p>DNS Fluxing 198</p> <p>Dynamic Domain Generation 202</p> <p>Detecting Malware 202</p> <p>Detecting Malware Using DNS Data 203</p> <p>Mitigating Malware Using DNS 206</p> <p>Malware Extrication 206</p> <p>DNS Firewall 207</p> <p>Summary 210</p> <p><b>12 DNS SECURITY STRATEGY 213</b></p> <p>Major DNS Threats and Mitigation Approaches 214</p> <p>Common Controls 214</p> <p>Disaster Defense 214</p> <p>Defenses Against Human Error 220</p> <p>DNS Role-Specific Defenses 220</p> <p>Stub Resolvers 220</p> <p>Forwarder DNS Servers 221</p> <p>Recursive Servers 221</p> <p>Authoritative Servers 222</p> <p>Broader Security Strategy 222</p> <p>Identify Function 223</p> <p>Protect Function 224</p> <p>Detect Function 225</p> <p>Respond Function 226</p> <p>Recover Function 227</p> <p><b>13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229</b></p> <p>Safer Web Browsing 230</p> <p>DNS-Based Authentication of Named Entities (DANE) 230</p> <p>Email Security 232</p> <p>Email and DNS 233</p> <p>DNS Block Listing 237</p> <p>Sender Policy Framework (SPF) 238</p> <p>Domain Keys Identified Mail (DKIM) 242</p> <p>Domain-Based Message Authentication, Reporting, and</p> <p>Conformance (DMARC) 245</p> <p>Securing Automated Information Exchanges 246</p> <p>Dynamic DNS Update Uniqueness Validation 246</p> <p>Storing Security-Related Information 247</p> <p>Other Security Oriented DNS Resource Record Types 247</p> <p>Summary 251</p> <p><b>14 DNS SECURITY EVOLUTION 253</b></p> <p>Appendix A: Cybersecurity Framework Core DNS Example 257</p> <p>Appendix B: DNS Resource Record Types 285</p> <p>Bibliography 291</p> <p>Index 299</p> <p> </p>

<p><strong>Michael Dooley</strong> is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co-authored the Wiley-IEEE Press title <em>IPv6 Deployment and Management.</em> <p><strong>Timothy Rooney</strong> manages BT Diamond IP product development and has led the market introduction of four next-generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley-IEEE Press title <em>Introduction to IP Address Management</em> and in 2011, <em>IP Address Management Principles and Practice.</em> In 2013 Mr. Rooney co-authored the Wiley-IEEE Press title <em>IPv6 Deployment and Management.</em> <p>

<p><b>An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies</b> <p><i>DNS Security Management</i> offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS). This vital resource is filled with proven strategies for detecting and mitigating these all too frequent threats. The authors—noted experts on the topic—offer an introduction to the role of DNS and explore the operation of DNS. They cover a myriad of DNS vulnerabilities and include preventative strategies that can be implemented. <p> Comprehensive in scope, the text shows how to secure DNS resolution with the Domain Name System Security Extensions (DNSSEC), DNS firewall, server controls, and much more. In addition, the text includes discussions on security applications facilitated by DNS, such as anti-spam, SFP, and DANE. This important resource: <ul> <li>Presents security approaches for the various types of DNS deployments by role (e.g., recursive vs. authoritative)</li> <li>Discusses example configurations for leading DNS implementations to illustrate security controls</li> <li>Examines DNS data collection, incident detection, and data analytics strategies</li> </ul> <br> <p> With cyber attacks ever on the rise worldwide, <em>DNS Security Management</em> offers network engineers a much-needed resource that provides a clear understanding of the threats to networks in order to mitigate the risks and assess the strategies to defend against threats.

US