Why monitor DNS? The obvious reason is to ensure that your Domain Name System is operating as intended. But there’s more to it than that.
Access to almost every Internet application relies on queries to DNS, a global name resolution database to determine an Internet address associated with a domain name or hyperlink. Yet despite how heavily business relies on DNS, many IT departments overlook how useful DNS monitoring can be in improving network security and performance.
Monitoring DNS involves three different elements of the service:
- Authoritative name service is the element of the DNS that returns answers to queries using only local databases (zone data) that the domain administrator or registrant configures or authorizes a third party to configure.
- Recursive resolver service is a DNS server that processes queries made by the systems and devices connected to your private networks.
- Client device operating systems or applications use very simple stub resolvers. These typically issue queries to recursive resolvers, not only for DNS information about resources in your domains, but also for every publicly registered domain.
Each of these elements can be an important network operations diagnostic or security measure. Let’s take a look at monitoring authoritative name service. We’ll examine the other two elements in future blogs.
Classes of threats
Users and applications make use of zone data that you publish from your domain name servers in order to learn the IP addresses of web, mail, or other hosted Internet services. You and they rely on the accuracy of these data. Two classes of threats exist.
If an attacker gains control over the system where you host authoritative name service, he can alter (or add) records in your zone data so that responses to user queries send users to malicious pages (e.g., defacement or phishing pages) rather than intended web pages. Attackers can alter your mail exchange (MX) service address or add MX records to your zone, causing incoming email to be delivered to the wrong destinations or outgoing email to contain bogus source addresses. Spamming from a domain is attractive because the spammer benefits from the positive reputation your mail service has, and this reputation can be harmed as a consequence of such attacks.
Attackers can also hijack a domain name registration account and change the configuration of the registration so that the name server address in the domain configuration points to a system, name server software, and malicious zone data that the attacker controls. This latter attack is simpler than others. It often involves a social engineering or password guessing attack, and occurs more frequently than you might think. (See cases involving Network Solutions, Google, and LinkedIn.)
Beyond hardening the authoritative name server infrastructure and making it resilient to failure (for example, by operating or contracting for secondary service), consider implementing the checklist for monitoring the operational status and zone-data integrity of your name service, as described below, from A Registrant’s Guide to Protecting Domain Name Registration Accounts:
- Are the name servers identified in the WHOIS response for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
- Are the name servers published in the TLD zone file for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
- Are the name servers operational? (For example, do the hosts respond to a ping or simple DNS query?) Are they performing as expected?
- Are all the name servers secured (hardened against known attacks)? Are all software (OS, name server) packages current with respect to approved versions (e.g., tested and approved by your technical staff), with released hot fixes and patches?
- Are the name servers responding in ways consistent with your baseline correct configuration?
- Do all the name servers that provide authoritative name service for the domain return complete and correct zone data for all formulations of DNS queries against the zone?
The guide also explains how you use the WHOIS service to monitor domain registration data for unauthorized changes to IP addresses associated with name servers for your domain names.
If you aren’t already monitoring authoritative name service, it's never too late to begin, so start now.
This is the first post of a three part series on DNS and domain registration risk and protection:
Part I: Are you monitoring your DNS?
Part III: Avoid Risks: Manage your DNS Portfolio
Originally posted 8/19/2013 at 21st Century IT under Foil Hackers with DNS Monitoring.