DNS security

DNS was not designed with security in mind, and many types of attacks have been created to exploit weaknesses in the DNS system.

Learning objectives

After reading this article you will be able to:

  • Understand what DNSSEC is and how it works
  • Know the most common DNS attacks
  • Distinguish DNSSEC from other DNS security solutions


Why is DNS security important?

Standard DNS queries, which are required for almost all web traffic, create opportunities for DNS exploits such as DNS hijacking and on-path attacks. These attacks can redirect a website's inbound traffic to a fraudulent copy of the site, harvest sensitive user information, and leave the company with legal liability. One of the best-known ways to protect against DNS threats is to adopt the DNSSEC protocol.

What is DNSSEC?

Like many Internet protocols, the DNS system was not designed with security in mind and contains several design limitations. These limitations, combined with advances in technology, have made it easy for attackers to hijack a DNS lookup for malicious purposes, such as sending a user to a fraudulent website that can distribute malware or collect personal information.

DNS Security Extensions (DNSSEC) is a security protocol created to mitigate this problem. DNSSEC protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process.

The signing process is similar to a person signing a legal document with a pen: that person signs with a unique signature that nobody else can produce, and a court expert can look at the signature and confirm that the person signed the document. Digital signatures play the same role for DNS data: a resolver can verify that a record was published by the holder of the zone's key and has not been altered in transit.

DNSSEC implements a hierarchical digital-signing policy across all layers of DNS. For example, in a lookup for 'google.com', the root zone signs a record (a DS record) that vouches for the .COM zone's key, and the .COM zone in turn signs a DS record that vouches for the key of google.com's authoritative nameservers.

While improved security is always preferred, DNSSEC is designed to be backwards-compatible to ensure that traditional DNS lookups still resolve correctly, albeit without the added security. DNSSEC is meant to work with other security measures like SSL/TLS as part of a holistic Internet security strategy.

DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. The chain has to hold at every layer of DNS: if the signature at any level is missing or fails to validate, the data beneath it cannot be trusted and the request is again open to an on-path attack.

To close the chain of trust, the root zone itself needs to be validated (proven to be free of tampering or fraud), and this is done with human intervention. In what is called a Root Zone Signing Ceremony, selected individuals from around the world meet to sign the root DNSKEY RRset in a public and audited way. The root's key-signing key is the trust anchor: validating resolvers ship with it preconfigured, and every other signature in the chain is ultimately checked against it.
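The link between a parent and a child zone described above is a DS record: a hash of the child's key-signing key, published and signed by the parent. The following is an added example, not code from the page, showing how that link is computed and checked (RFC 4034): the key tag over the DNSKEY RDATA, the DS digest over the canonical owner name plus RDATA, and the comparison a validating resolver performs at each delegation. The key bytes, owner name and tampered key are constructed for illustration; no real zone key is used.

```python
"""DNSSEC chain of trust: how a parent zone's DS record vouches for a child zone's key.

Added example (not code from the page); the key material below is constructed, not a real zone key.
"""
import base64
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B; the legacy RSA/MD5 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> dict:
    """What the parent publishes: a DS record derived from the child's key-signing key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """What a validating resolver does at each delegation: recompute the DS from the
    DNSKEY it received from the child and compare it with the DS the parent signed."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if ds["algorithm"] != algorithm or ds["key_tag"] != key_tag(rdata):
        return False
    expected = ds_digest(owner, rdata, ds["digest_type"])
    return hmac.compare_digest(ds["digest"], expected)


# Constructed example key: 32 arbitrary bytes standing in for a public key (a real
# algorithm-13 key is 64 bytes); the tampered variant differs in every byte.
EXAMPLE_OWNER = "example.com."
EXAMPLE_FLAGS = 257      # ZONE (256) + SEP (1): a key-signing key
EXAMPLE_PROTOCOL = 3     # always 3 for DNSSEC
EXAMPLE_ALGORITHM = 13   # ECDSAP256SHA256
EXAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(32))).decode()
TAMPERED_PUBKEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()

if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64)
    print(f"{EXAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("genuine key matches:", ds_matches_dnskey(
        ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64))
    print("tampered key matches:", ds_matches_dnskey(
        ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, TAMPERED_PUBKEY_B64))
```

Two details matter in practice: the owner name is hashed in canonical (lowercase) wire form, so `EXAMPLE.COM` and `example.com` yield the same DS, and a DS for one owner never matches the same key published under a different name. The digest check alone is not the whole validation; the resolver must also verify the RRSIG over the parent's DS RRset and over the child's DNSKEY RRset, which is what the "signing at every level" requirement refers to.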


What are some common attacks involving DNS?

DNSSEC is a powerful security protocol, but unfortunately it is not currently universally adopted. This lack of adoption coupled with other potential vulnerabilities, on top of the fact that DNS is an integral part of most Internet requests, makes DNS a prime target for malicious attacks. Attackers have found a number of ways to target and exploit DNS servers. Here are some of the most common:

DNS spoofing/cache poisoning: This is an attack in which forged DNS data is injected into a DNS resolver's cache, causing the resolver to return an incorrect IP address for a domain. Instead of reaching the correct website, traffic is diverted to a malicious machine or wherever else the attacker wants. That destination is usually a replica of the original site, used for malicious purposes such as distributing malware or collecting login credentials.

DNS tunneling: This attack encodes other protocols inside DNS queries and responses. Attackers can carry SSH, TCP or HTTP traffic over DNS to move malware into a network or stolen data out of it, because most firewalls let port 53 traffic through without inspecting the payload. Tunneled traffic does leave traces a resolver can see: unusually long, high-entropy subdomains, heavy use of record types that carry arbitrary data (TXT, NULL, CNAME), and a very large number of unique queries to a single domain.
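The following is an added example, not code from the page, of how a resolver operator can spot tunneling from its own query logs using the three signals just described: mean subdomain length, character entropy of the subdomain, and the share of payload-carrying record types per base domain. The log lines are constructed (two ordinary domains and one tunnel-style domain), and the `<client> <qname> <qtype>` field layout is an assumption about the log format.

```python
"""Flagging likely DNS tunneling in resolver query logs.

Added example (not code from the page). The log lines are constructed for illustration,
and the field layout "<client> <qname> <qtype>" is an assumption about the log format.
"""
import math
from collections import defaultdict

# Constructed sample: ordinary lookups for two domains, plus tunnel-style queries for a third.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.com A
10.0.0.9 img1.static-example.org A
10.0.0.9 img2.static-example.org A
10.0.0.9 img3.static-example.org A
10.0.0.12 0123456789abcdef0123456789abcdef.tunnel-example.net TXT
10.0.0.12 fedcba9876543210fedcba9876543210.tunnel-example.net TXT
10.0.0.12 02468ace13579bdf02468ace13579bdf.tunnel-example.net TXT
10.0.0.12 13579bdf02468ace13579bdf02468ace.tunnel-example.net TXT
"""

# Record types tunneling tools favour because they carry arbitrary payloads.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit close to the alphabet's maximum (4.0 for hex)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """(subdomain, base domain). Simplification: base = last two labels; real code would
    consult the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str) -> dict:
    """Per base domain: query count, distinct subdomains, mean subdomain length and
    entropy, and the share of payload-carrying record types."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "payload": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, qtype = line.split()
        sub, base = split_qname(qname)
        a = acc[base]
        a["n"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub)
        a["payload"] += qtype.upper() in PAYLOAD_QTYPES
    return {
        base: {
            "queries": a["n"],
            "distinct_subdomains": len(a["subs"]),
            "avg_subdomain_len": a["len"] / a["n"],
            "avg_entropy": a["ent"] / a["n"],
            "payload_ratio": a["payload"] / a["n"],
        }
        for base, a in acc.items()
    }


def flag_tunnels(report: dict, min_distinct=3, len_threshold=30.0,
                 entropy_threshold=3.5, payload_threshold=0.5, min_indicators=2):
    """A domain is flagged when it has enough distinct subdomains and trips at least
    min_indicators of the three signals; any one signal alone gives too many false
    positives (CDNs and anti-spam services also use long or random-looking labels)."""
    flagged = []
    for base, r in report.items():
        if r["distinct_subdomains"] < min_distinct:
            continue
        indicators = (
            r["avg_subdomain_len"] >= len_threshold,
            r["avg_entropy"] >= entropy_threshold,
            r["payload_ratio"] >= payload_threshold,
        )
        if sum(indicators) >= min_indicators:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for base, r in sorted(report.items()):
        print(f"{base:22} n={r['queries']} distinct={r['distinct_subdomains']} "
              f"len={r['avg_subdomain_len']:.1f} entropy={r['avg_entropy']:.2f} "
              f"payload={r['payload_ratio']:.2f}")
    print("flagged:", flag_tunnels(report))
```

The thresholds are starting points, not tuned values; in production they are set per environment from a baseline of normal traffic, and the base-domain split must use the Public Suffix List rather than the two-label shortcut used here.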

DNS hijacking: In DNS hijacking the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the DNS record of the website on the nameserver, rather than a resolver’s cache.


NXDOMAIN attack: This is a type of DNS flood attack where an attacker inundates a DNS server with requests, asking for records that do not exist, in an attempt to cause a denial-of-service for legitimate traffic. This can be accomplished using sophisticated attack tools that can auto-generate unique subdomains for each request. NXDOMAIN attacks can also target a recursive resolver with the goal of filling the resolver’s cache with junk requests.

Phantom domain attack: A phantom domain attack has a similar result to an NXDOMAIN attack on a DNS resolver. The attacker sets up a bunch of ‘phantom’ domain servers that either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests to these domains and the resolver gets tied up waiting for responses, leading to slow performance and denial-of-service.

Random subdomain attack: In this case, the attacker sends DNS queries for many random, nonexistent subdomains of one legitimate site. The goal is to create a denial-of-service for the domain's authoritative nameserver, making it impossible to look up the website from the nameserver. As a side effect, the ISP serving the attacker may also be impacted, as its recursive resolver's cache will be loaded with bad requests.

Domain lock-up attack: Attackers orchestrate this form of attack by setting up special domains and resolvers to create TCP connections with other legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver’s resources.

Botnet-based CPE attack: These attacks are carried out using CPE devices (Customer Premise Equipment; this is hardware given out by service providers for use by their customers, such as modems, routers, cable boxes, etc.). The attackers compromise the CPEs and the devices become part of a botnet, used to perform random subdomain attacks against one site or domain.

What is the best way to protect against DNS-based attacks?

In addition to DNSSEC, an operator of a DNS zone can take further measures to secure their servers. Over-provisioning infrastructure is one simple strategy to overcome DDoS attacks. Simply put, if your nameserver can handle several multiples more traffic than you expect, it is harder for a volume-based attack to overwhelm your server.

Anycast routing is another handy tool that can disrupt DDoS attacks. Anycast allows multiple servers to share a single IP address, so even if one DNS server gets shut down, there will still be others up and serving. Another popular strategy for securing DNS servers is a DNS firewall.

What is a DNS firewall?

A DNS firewall is a tool that can provide a number of security and performance services for DNS servers. It sits between a user's recursive resolver and the authoritative nameserver of the website or service they are trying to reach. The firewall can provide rate limiting to shut down attackers trying to overwhelm the server, and if the server goes down because of an attack or for any other reason, the firewall can keep the operator's site or service up by serving DNS responses from its cache.

In addition to security features, a DNS firewall can also provide performance benefits such as faster DNS lookups and lower bandwidth costs for the DNS operator. Learn more about Cloudflare's DNS firewall.
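The two protective behaviours described above, per-client rate limiting and serving stale cached answers while the authoritative server is unreachable, are small enough to show end to end. The following is an added example, not Cloudflare's DNS firewall or any product's code: a token bucket per client in front of a cache that honours TTLs normally and falls back to stale entries only when the upstream raises an error. The upstream, the clock and the single record are constructed stand-ins, and the client addresses come from the RFC 5737 documentation ranges.

```python
"""A minimal DNS firewall front-end: per-client token-bucket rate limiting and serve-stale.

Added example (not Cloudflare's DNS firewall or any product's code). The upstream, the clock
and the record data are constructed stand-ins; addresses come from the RFC 5737 documentation ranges.
"""
import time


class UpstreamDown(Exception):
    """Raised by the upstream when the authoritative server does not answer."""


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DnsFirewall:
    """Sits in front of the authoritative server: rate-limits each client, caches answers,
    and serves stale cached answers (up to max_stale seconds past TTL) when upstream is down."""

    def __init__(self, upstream, rate=5.0, burst=10, max_stale=3600, clock=time.monotonic):
        self.upstream, self.rate, self.burst = upstream, rate, burst
        self.max_stale, self.clock = max_stale, clock
        self.buckets = {}
        self.cache = {}  # qname -> (answer, expires_at)

    def resolve(self, client: str, qname: str):
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return "REFUSED", None            # client over budget: dropped before touching upstream
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and now < cached[1]:
            return "HIT", cached[0]
        try:
            answer, ttl = self.upstream(qname)
        except UpstreamDown:
            if cached and now - cached[1] <= self.max_stale:
                return "STALE", cached[0]     # keep the site reachable while upstream is down
            return "SERVFAIL", None
        self.cache[qname] = (answer, now + ttl)
        return "MISS", answer


class FakeClock:
    """Deterministic clock so the walkthrough behaves the same every run."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeUpstream:
    """Constructed authoritative server with one made-up record and an on/off switch."""
    RECORDS = {"www.example.com": ("203.0.113.10", 60)}  # (answer, TTL seconds)

    def __init__(self):
        self.down = False
        self.calls = 0

    def __call__(self, qname):
        self.calls += 1
        if self.down:
            raise UpstreamDown()
        return self.RECORDS.get(qname, ("NXDOMAIN", 30))


def demo():
    """Walk through cache miss, hit, an outage with stale serving, and a rate-limited flood."""
    clock, upstream = FakeClock(), FakeUpstream()
    fw = DnsFirewall(upstream, rate=1.0, burst=3, max_stale=600, clock=clock)
    statuses = []
    statuses.append(fw.resolve("198.51.100.4", "www.example.com")[0])   # MISS: fetched upstream
    statuses.append(fw.resolve("198.51.100.4", "www.example.com")[0])   # HIT: answered from cache
    clock.advance(61)                                                     # past the 60 s TTL
    upstream.down = True                                                  # authoritative goes dark
    statuses.append(fw.resolve("198.51.100.4", "www.example.com")[0])   # STALE: served anyway
    for _ in range(4):                                                    # 4 rapid queries, burst is 3
        statuses.append(fw.resolve("198.51.100.66", "www.example.com")[0])
    return statuses, upstream.calls


if __name__ == "__main__":
    print(demo())
```

Keying the bucket on the client address is the simplest policy and the one that matters against a single abusive source; against a spoofed-source UDP flood the bucket would need to be keyed on the query name or answered with truncated responses to force TCP, which this example does not do.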

DNS as a security tool

DNS resolvers can also be configured to provide security solutions for their end users (people browsing the Internet). Some DNS resolvers provide features such as content filtering, which can block sites known to distribute malware and spam, and botnet protection, which blocks communication with known botnets. Many of these secured DNS resolvers are free to use and a user can switch to one of these recursive DNS services by changing a single setting in their local router. Cloudflare DNS has an emphasis on security.

Are DNS queries private?

Another important DNS security issue is user privacy. Standard DNS queries are not encrypted. Even if users use a DNS resolver like 1.1.1.1 that does not track their activity, the queries travel across the network in plaintext on port 53, so anyone who can observe the traffic (the local network, the ISP, or an on-path attacker) can see which websites the user is visiting.

This lack of privacy has an impact on security and, in some cases, human rights; if DNS queries are not private, then it becomes easier for governments to censor the Internet and for attackers to stalk users' online behavior.

DNS over TLS (DoT) and DNS over HTTPS (DoH) are two standards for encrypting DNS queries between a client and its resolver so that external parties on the network path cannot read them. Cloudflare DNS supports both. Cloudflare also partners with other organizations to help improve DNS security, for example helping Mozilla enable DNS over HTTPS in its Firefox browser to protect users. Note that these protocols protect the query in transit only; the resolver operator still sees every query, which is why the choice of resolver matters.
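DoH carries an ordinary DNS wire-format message inside HTTPS (RFC 8484). The following is an added example, not code from the page, that builds such a message offline, encodes it the way the RFC 8484 GET form requires (base64url without padding in a `dns` query parameter), and decodes it again to check the round trip. The endpoint is Cloudflare's public DoH URL; nothing is sent on the network, and the `name_to_wire` helper is a short reimplementation of the standard label encoding.

```python
"""Building a DNS-over-HTTPS GET request (RFC 8484) offline.

Added example (not code from the page). The endpoint is Cloudflare's public DoH URL;
everything else is built locally and nothing is sent.
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}


def name_to_wire(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def build_query(qname: str, qtype: str = "A") -> bytes:
    """Plain DNS message: 12-byte header plus one question. The ID is 0 as RFC 8484
    recommends (identical queries then produce identical, cacheable URLs); flags 0x0100
    set Recursion Desired."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = name_to_wire(qname) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def doh_get_url(qname: str, qtype: str = "A", endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the wire message, base64url-encoded with padding stripped, in `dns=`."""
    encoded = base64.urlsafe_b64encode(build_query(qname, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_dns_param(param: str) -> bytes:
    """Reverse of the encoding: restore the padding RFC 8484 strips, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes):
    """Read the header flags and the single question back out of a wire message."""
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass, flags


if __name__ == "__main__":
    url = doh_get_url("example.com", "AAAA")
    print(url)
    print(parse_question(decode_dns_param(url.split("dns=", 1)[1])))
```

Fetching the printed URL with curl and the header `accept: application/dns-message` returns a binary DNS response in the same wire format; DoT carries exactly these messages inside a TLS session on port 853 instead of inside HTTP. Either way the resolver decrypts and sees the question, so the privacy gain is against observers on the path, not against the resolver operator.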