Abbildung von: DNS Security Management - Wiley-IEEE Press

DNS Security Management

Wiley-IEEE Press
Erschienen am 6. Juli 2017
324 Seiten
ePUB mit Adobe-DRM
978-1-119-33140-7 (ISBN)
92,99 €inkl. 7% MwSt.
für ePUB mit Adobe-DRM
E-Book Einzellizenz
Als Download verfügbar
An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies
DNS Security Management offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS). This vital resource is filled with proven strategies for detecting and mitigating these all too frequent threats. The authors--noted experts on the topic--offer an introduction to the role of DNS and explore the operation of DNS. They cover a myriad of DNS vulnerabilities and include preventative strategies that can be implemented.
Comprehensive in scope, the text shows how to secure DNS resolution with the Domain Name System Security Extensions (DNSSEC). In addition, the text includes discussions on security applications facility by DNS, such as anti-spam, SPF, DANE and related CERT/SSHFP records. This important resource:
* Presents security approaches for the various types of DNS deployments by role (e.g., recursive vs. authoritative)
* Discusses DNS resolvers including host access protections, DHCP configurations and DNS recursive server IPs
* Examines DNS data collection, data analytics, and detection strategies
With cyber attacks ever on the rise worldwide, DNS Security Management offers network engineers a much-needed resource that provides a clear understanding of the threats to networks in order to mitigate the risks and assess the strategies to defend against threats.
Michael Dooley is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
Timothy Rooney manages BT Diamond IP product development and has led the market introduction of four next-generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley-IEEE Press title Introduction to IP Address Management and in 2011, IP Address Management Principles and Practice. In 2013 Mr. Rooney co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
  • Intro
  • DNS Security Management
  • Contents
  • Preface
  • Acknowledgments
  • 1 Introduction
  • Why Attack DNS?
  • Network Disruption
  • DNS as a Backdoor
  • DNS Basic Operation
  • Basic DNS Data Sources and Flows
  • DNS Trust Model
  • DNS Administrator Scope
  • Security Context and Overview
  • Cybersecurity Framework Overview
  • Framework Implementation
  • Whats Next
  • 2 Introduction to the Domain Name System (DNS)
  • DNS Overview - Domains and Resolution
  • Domain Hierarchy
  • Name Resolution
  • Zones and Domains
  • Dissemination of Zone Information
  • Additional Zones
  • Resolver Configuration
  • Summary
  • 3 DNS Protocol and Messages
  • DNS Message Format
  • Encoding of Domain Names
  • Name Compression
  • Internationalized Domain Names
  • DNS Message Format
  • DNS Update Messages
  • The DNS Resolution Process Revisited
  • DNS Resolution Privacy Extension
  • Summary
  • 4 DNS Vulnerabilities
  • Introduction
  • DNS Data Security
  • DNS Information Trust Model
  • DNS Information Sources
  • DNS Risks
  • DNS Infrastructure Risks and Attacks
  • DNS Service Availability
  • Hardware/OS Attacks
  • DNS Service Denial
  • Pseudorandom Subdomain Attacks
  • Cache Poisoning Style Attacks
  • Authoritative Poisoning
  • Resolver Redirection Attacks
  • Broader Attacks that Leverage DNS
  • Network Reconnaissance
  • DNS Rebinding Attack
  • Reflector Style Attacks
  • Data Exfiltration
  • Advanced Persistent Threats
  • Summary
  • 5 DNS Trust Sectors
  • Introduction
  • Cybersecurity Framework Items
  • Identify
  • Protect
  • Detect
  • DNS Trust Sectors
  • External DNS Trust Sector
  • Basic Server Configuration
  • DNS Hosting of External Zones
  • External DNS Diversity
  • Extranet DNS Trust Sector
  • Recursive DNS Trust Sector
  • Tiered Caching Servers
  • Basic Server Configuration
  • Internal Authoritative DNS Servers
  • Basic Server Configuration
  • Additional DNS Deployment Variants
  • Internal Delegation DNS Master/Slave Servers
  • Multi-Tiered Authoritative Configurations
  • Hybrid Authoritative/Caching DNS Servers
  • Stealth Slave DNS Servers
  • Internal Root Servers
  • Deploying DNS Servers with Anycast Addresses
  • Other Deployment Considerations
  • High Availability
  • Multiple Vendors
  • Sizing and Scalability
  • Load Balancers
  • Lab Deployment
  • Putting It All Together
  • 6 Security Foundation
  • Introduction
  • Hardware/Asset Related Framework Items
  • Identify: Asset Management
  • Identify: Business Environment
  • Identify: Risk Assessment
  • Protect: Access Control
  • Protect: Data Security
  • Protect: Information Protection
  • Protect: Maintenance
  • Detect: Anomalies and Events
  • Detect: Security Continuous Monitoring
  • Respond: Analysis
  • Respond: Mitigation
  • Recover: Recovery Planning
  • Recover: Improvements
  • DNS Server Hardware Controls
  • DNS Server Hardening
  • Additional DNS Server Controls
  • Summary
  • 7 Service Denial Attacks
  • Introduction
  • Denial of Service Attacks
  • Pseudorandom Subdomain Attacks
  • Reflector Style Attacks
  • Detecting Service Denial Attacks
  • Denial of Service Protection
  • DoS/DDoS Mitigation
  • Bogus Queries Mitigation
  • PRSD Attack Mitigation
  • Reflector Mitigation
  • Summary
  • 8 Cache Poisoning Defenses
  • Introduction
  • Attack Forms
  • Packet Interception or Spoofing
  • ID Guessing or Query Prediction
  • Name Chaining
  • The Kaminsky DNS Vulnerability
  • Cache Poisoning Detection
  • Cache Poisoning Defense Mechanisms
  • UDP Port Randomization
  • Query Name Case Randomization
  • DNS Security Extensions
  • Last Mile Protection
  • 9 Securing Authoritative DNS Data
  • Introduction
  • Attack Forms
  • Resolution Data at Rest
  • Domain Registries
  • DNS Hosting Providers
  • DNS Data in Motion
  • Attack Detection
  • Authoritative Data
  • Domain Registry
  • Domain Hosting
  • Falsified Resolution
  • Defense Mechanisms
  • Defending DNS Data at Rest
  • Defending Resolution Data in Motion with DNSSEC
  • Summary
  • 10 Attacker Exploitation of DNS
  • Introduction
  • Network Reconnaissance
  • Data Exfiltration
  • Detecting Nefarious use of DNS
  • Detecting Network Reconnaissance
  • DNS Tunneling Detection
  • Mitigation of Illicit DNS Use
  • Network Reconnaissance Mitigation
  • Mitigation of DNS Tunneling
  • 11 Malware and APTs
  • Introduction
  • Malware Proliferation Techniques
  • Phishing
  • Spear Phishing
  • Downloads
  • File Sharing
  • Email Attachments
  • Watering Hole Attack
  • Replication
  • Implantation
  • Malware Examples
  • Malware Use of DNS
  • DNS Fluxing
  • Dynamic Domain Generation
  • Detecting Malware
  • Detecting Malware Using DNS Data
  • Mitigating Malware Using DNS
  • Malware Extrication
  • DNS Firewall
  • Summary
  • 12 DNS Security Strategy
  • Major DNS Threats and Mitigation Approaches
  • Common Controls
  • Disaster Defense
  • Defenses Against Human Error
  • DNS Role-Specific Defenses
  • Stub Resolvers
  • Forwarder DNS Servers
  • Recursive Servers
  • Authoritative Servers
  • Broader Security Strategy
  • Identify Function
  • Protect Function
  • Detect Function
  • Respond Function
  • Recover Function
  • 13 DNS Applications to Improve Network Security
  • DNS-Based Authentication of Named Entities (DANE)
  • Email and DNS
  • DNS Block Listing
  • Sender Policy Framework (SPF)
  • Domain Keys Identified Mail (DKIM)
  • Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
  • Dynamic DNS Update Uniqueness Validation
  • Other Security Oriented DNS Resource Record Types
  • 14 DNS Security Evolution
  • A Cybersecurity Framework Core DNS Example
  • B DNS Resource Record Types
  • Bibliography
  • Index
  • IEEE Press Series on Networks and Services Management
  • EULA



The Domain Name System (DNS) is fundamental to the proper operation of virtually all Internet Protocol (IP) network applications, from web browsing to email, multimedia applications, and more. Every time you type a web address, send an email or access an IP application, you use DNS. DNS provides the lookup service to translate the website name you entered, for example, to its corresponding IP address that your computer needs to communicate via the Internet.

This lookup service is more commonly referred to as a name resolution process, whereby a worldwide web "www" address is resolved to its IP address. And a given web page may require several DNS lookups. If you view the source of a random web page, for example, count the number of link, hypertext reference (href), and source (src) tags that contain a unique domain name. Each of these stimulate your browser to perform a DNS lookup to fetch the referenced image, file or script, and perhaps pre-fetch links. And each time you click a link to navigate to a new page, the process repeats with successive DNS lookups required to fully render the destination page.

Email too relies on DNS for email delivery, enabling you to send email using the familiar user@destination syntax, where DNS identifies the destination's IP address for transmission of the email. And DNS goes well beyond web or email address resolution. Virtually every application on your computer, tablet, smartphone, security cameras, thermostats, and other "things" that access the Internet require DNS for proper operation. Without DNS, navigating and accessing Internet applications would be all but impossible.

Network Disruption

An outage or an attack that renders the DNS service unavailable or which manipulates the integrity of the data contained within DNS can effectively bring a network down from an end user perspective. Even if network connectivity exists, unless you already know the IP address of the site to which you'd like to connect and enter it into the browser address field, you'll be unable to connect, and you won't see any linked images or content.

Such an event of the unavailability of DNS will likely spur a flurry of old fashioned phone calls to your support desk or call center to politely report the problem. IP network administrators generally desire to minimize such calls to the support center, polite or otherwise, given that it forces those supporting the network to drop what they're doing and resolve the issue with the added pressure of visibility across the wider IT or Operations organization.

DNS as a Backdoor

Just as DNS is the first step in allowing users to connect to websites, it is likewise usable by bad actors to connect to internal targets within your enterprise and external command and control centers for updates and directives to perform nefarious tasks. Given the necessity of DNS, DNS traffic is generally permitted to flow freely through networks, exposing networks to attacks that leverage this freedom of communications for lookups or for tunneling of data out of the organization.

Thus, attacking DNS could not only effectively bring down a network from users' perspectives, leveraging DNS could enable attackers to communicate to malware-infected devices within the network to initiate internal attacks, to exfiltrate sensitive information, or to perform other malicious activity. Malware-infected devices may be enlisted to serve as remote robots or bots under the control of an attacker. A collection of such bots is referred to as a botnet. A botnet enables an attacker to enlist an army of devices potentially installed around the world to perform software programmable actions.

By its very nature, the global Internet DNS system serves as a distributed data repository containing domain names (e.g., for websites) and corresponding IP address information. The distributed nature of DNS applies not only to the global geographic distribution of DNS servers, but to the distribution of administration of the information published within respective domains of this repository. DNS has proven extremely effective and scalable in practice and most people take DNS for granted given this and its historical reliability. However, its essential function and decentralized architecture serve to attract attackers seeking to exploit the architecture and rich data store for sinister activities.

While DNS is the first step in IP communications, many enterprise security strategies trivialize or startlingly even ignore its role in communications and therefore its susceptibility to attacks on this vital network service or on the network itself. Most security strategies and solutions focus on filtering "in-band" communication flow in order to detect and mitigate cyber attacks. However, as we shall see, filtering DNS traffic can support a broader network security plan in providing additional information for use in identifying and troubleshooting attack incidents. This book is intended to provide details regarding the criticality of DNS, its vulnerabilities, and strategies you can implement to better secure your DNS infrastructure, which will in turn better secure your overall network.


Figure 1.1 illustrates the basic flow of a DNS query. Upon entry of the desired destination by name, in this case, software called a resolver is invoked by the application, for example, web browser. This resolver software is typically included with the device operating system. If a connection had recently been made to this website, its IP address may already be stored in the resolver cache. The resolver cache helps improve resolution performance by temporarily keeping track of recently resolved name-to-IP address mappings. In such a case, the resolver may return the IP address immediately to the application to establish a connection without having to query a DNS server.

Figure 1.1. Basic DNS Resolution Flow

If no relevant information exists in the resolver cache the device will query its recursive DNS server. The role of the recursive server is to locate the answer to the device's query. The recursive server is itself a resolver of the DNS query; we refer to the resolver on the originating device as a stub resolver as it initiates a query to its recursive server, and it relies solely on the recursive server to locate and return the answer. The stub resolver is configured with DNS server IP addresses to query as part of the IP network initialization process. For example, when a device boots up, it typically requests an IP address from a dynamic host configuration protocol (DHCP) server. The DHCP server can be configured to not only provide an IP address but the IP addresses of recursive DNS servers to which DNS queries should be directed. Use of DHCP in this manner facilitates mobility and efficiency as addresses can be shared and can be assigned based on the relevant point of connection to the IP network.

As we mentioned, the recursive DNS server's role is to resolve the query on behalf of the stub resolver. It performs this role using its own cache of previously resolved queries or by querying DNS servers on the Internet. The process of querying Internet DNS servers seeks to first locate a DNS server that is authoritative for the domain for which the query relates ( in this case) and then to query an authoritative server itself to obtain an answer that can be passed back to the client, thereby completing the resolution process. The location of the authoritative server is determined by querying Internet DNS servers that are responsible for the layers of the domain tree "above" or "to the right" of the domain in question. We'll discuss this process in more detail in Chapter 2. The recursive server caches the resolution information in order to respond more quickly to a similar query without having to re-seek the answer on the Internet.

To access your website, people need to know your web address, or technically your uniform resource locator or URL. And you need to publish this web address in DNS in the form of a resource record so browsers can locate your DNS servers and resolve your www address to your web server's IP address. Multiple, at least two, authoritative DNS servers must be deployed to provide services continuity in the event of a server outage. Generally, an administrator configures a master server that then replicates or transfers its domain information to one or more slave servers. We will discuss more details on this process and server roles in Chapter 2.

Basic DNS Data Sources and Flows

Figure 1.2 illustrates a subset of the various data stores for DNS data and corresponding data sources. The authoritative DNS servers must be configured to answer queries for domain name-to-IP address mappings for this domain for which they are authoritative. Depending on your DNS server vendor implementation, DNS configuration information may be supplied by editing text files, using a vendor graphical user interface (GUI) or deploying files from an IP address management (IPAM) system as shown in Figure 1.2. Each server generally relies on a configuration file and authoritative servers store DNS resolution information in zone files or a database. Some implementations utilize dynamic journal files to temporarily store...

Dateiformat: ePUB
Kopierschutz: Adobe-DRM (Digital Rights Management)


  • Computer (Windows; MacOS X; Linux): Installieren Sie bereits vor dem Download die kostenlose Software Adobe Digital Editions (siehe E-Book Hilfe).
  • Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions oder die App PocketBook (siehe E-Book Hilfe).
  • E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat ePUB ist sehr gut für Romane und Sachbücher geeignet – also für „fließenden” Text ohne komplexes Layout. Bei E-Readern oder Smartphones passt sich der Zeilen- und Seitenumbruch automatisch den kleinen Displays an.
Mit Adobe-DRM wird hier ein „harter” Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.

Bitte beachten Sie: Wir empfehlen Ihnen unbedingt nach Installation der Lese-Software diese mit Ihrer persönlichen Adobe-ID zu autorisieren!

Weitere Informationen finden Sie in unserer  E-Book Hilfe.