DNS security

Because DNS was not designed with security in mind, many types of attacks have been developed that exploit weaknesses in the DNS system.

Learning objectives

After reading this article you will be able to:

  • Understand what DNSSEC is and how it works
  • Become familiar with the most common DNS attacks
  • Distinguish DNSSEC from other DNS security solutions


Why is DNS security important?

Standard DNS queries, which are required for almost all web traffic, create opportunities for DNS exploits such as DNS hijacking and on-path attacks. These attacks can redirect a website's inbound traffic to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. One of the best-known ways to defend against DNS threats is to adopt the DNSSEC protocol.

What is DNSSEC?

Like many Internet protocols, the DNS system was not designed with security in mind and contains several design limitations. These limitations, combined with advances in technology, have made it easy for attackers to hijack a DNS lookup for malicious purposes, such as sending a user to a fraudulent website that can distribute malware or collect personal information.

DNS Security Extensions (DNSSEC) is a security protocol created to mitigate this problem. DNSSEC protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process.

This signing process is similar to someone signing a legal document with a pen: that person signs with a unique signature that no one else can create, and a court expert can examine that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.

DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in a lookup of "google.com", the root DNS server signs a key for the .COM nameserver, and the .COM nameserver then signs a key for google.com's authoritative nameserver.

While improved security is always preferred, DNSSEC is designed to be backwards-compatible to ensure that traditional DNS lookups still resolve correctly, albeit without the added security. DNSSEC is meant to work with other security measures like SSL/TLS as part of a holistic Internet security strategy.

DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. This chain of trust cannot be compromised at any layer of DNS, or else the request will become open to an on-path attack.

To close the chain of trust, the root zone itself needs to be validated (proven to be free of tampering or fraud), and this is actually done using human intervention. Interestingly, in what’s called a Root Zone Signing Ceremony, selected individuals from around the world meet to sign the root DNSKEY RRset in a public and audited way.
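The parent-to-child link described above is what a validating resolver actually checks: the parent publishes a DS record that is a hash of the child's key, and the resolver starts from a root trust anchor it is configured with. The following added example (not part of the original article) models that chain with RFC 4034-style DS digests; the key bytes are constructed placeholders, and RRSIG signature verification over the records themselves is left out.

```python
import hashlib

def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lower-case) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest (SHA-256, digest type 2): hash of owner name wire || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def verify_chain(trust_anchor_ds: str, zones) -> bool:
    """zones: list of (owner, dnskey_rdata, ds_for_child), ordered root -> leaf.
    Each zone's key must hash to the DS its parent published; the root's key
    must hash to the trust anchor the resolver ships with."""
    expected = trust_anchor_ds
    for owner, rdata, child_ds in zones:
        if ds_digest(owner, rdata) != expected:
            return False  # broken link: this key is not vouched for by its parent
        expected = child_ds
    return True

# Constructed placeholder keys (flags 257 = KSK, protocol 3, algorithm 13).
ROOT_KEY = dnskey_rdata(257, 3, 13, b"root-ksk-placeholder")
COM_KEY = dnskey_rdata(257, 3, 13, b"com-ksk-placeholder")
EXAMPLE_KEY = dnskey_rdata(257, 3, 13, b"example-ksk-placeholder")
ATTACKER_KEY = dnskey_rdata(257, 3, 13, b"attacker-ksk-placeholder")

ROOT_ANCHOR = ds_digest(".", ROOT_KEY)  # what a validating resolver is configured with
GOOD_CHAIN = [
    (".", ROOT_KEY, ds_digest("com.", COM_KEY)),
    ("com.", COM_KEY, ds_digest("example.com.", EXAMPLE_KEY)),
    ("example.com.", EXAMPLE_KEY, None),
]
# Same chain, but the leaf key has been swapped by an on-path attacker.
TAMPERED_CHAIN = GOOD_CHAIN[:2] + [("example.com.", ATTACKER_KEY, None)]

if __name__ == "__main__":
    print("good chain validates:", verify_chain(ROOT_ANCHOR, GOOD_CHAIN))
    print("tampered chain validates:", verify_chain(ROOT_ANCHOR, TAMPERED_CHAIN))
```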

Read a more detailed explanation of how DNSSEC works.

What are the common attacks involving DNS?

DNSSEC is a powerful security protocol, but unfortunately it is not currently universally adopted. This lack of adoption coupled with other potential vulnerabilities, on top of the fact that DNS is an integral part of most Internet requests, makes DNS a prime target for malicious attacks. Attackers have found a number of ways to target and exploit DNS servers. Here are some of the most common:

DNS spoofing/cache poisoning: This attack introduces forged DNS data into a DNS resolver's cache, causing the resolver to return an incorrect IP address for a domain. Instead of going to the correct website, traffic can be diverted to a malicious machine or anywhere else the attacker wants; often this will be a replica of the original site used for malicious purposes such as distributing malware or collecting login information.

DNS tunneling: This attack uses other protocols to tunnel through DNS queries and responses. Attackers can use SSH, TCP, or HTTP to pass malware or stolen information into DNS queries, undetected by most firewalls.

DNS hijacking: In DNS hijacking the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the DNS record of the website on the nameserver, rather than a resolver’s cache.


NXDOMAIN attack: This is a type of DNS flood attack where an attacker inundates a DNS server with requests, asking for records that do not exist, in an attempt to cause a denial-of-service for legitimate traffic. This can be accomplished using sophisticated attack tools that can auto-generate unique subdomains for each request. NXDOMAIN attacks can also target a recursive resolver with the goal of filling the resolver’s cache with junk requests.

Phantom domain attack: A phantom domain attack has a similar result to an NXDOMAIN attack on a DNS resolver. The attacker sets up a bunch of ‘phantom’ domain servers that either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests to these domains and the resolver gets tied up waiting for responses, leading to slow performance and denial-of-service.

Random subdomain attack: In this case, the attacker sends DNS queries for several random, nonexistent subdomains of one legitimate site. The goal is to create a denial-of-service for the domain's authoritative nameserver, making it impossible to look up the website from the nameserver. As a side effect, the ISP serving the attacker may also be impacted, as their recursive resolver's cache will be loaded with bad requests.

Domain lock-up attack: Attackers orchestrate this form of attack by setting up special domains and resolvers to create TCP connections with other legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver’s resources.

Botnet-based CPE attack: These attacks are carried out using CPE devices (Customer Premise Equipment; this is hardware given out by service providers for use by their customers, such as modems, routers, cable boxes, etc.). The attackers compromise the CPEs and the devices become part of a botnet, used to perform random subdomain attacks against one site or domain.
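Two of the attacks above leave recognisable traces in resolver query logs: random subdomain and NXDOMAIN floods produce many distinct non-existent names under one domain, and DNS tunneling produces long, high-entropy labels carrying encoded data. The following added example (not from the original article) runs simple detection logic over constructed log lines in a made-up "client qname rcode" format; thresholds are illustrative starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not real traffic): client, qname, rcode.
LOG_LINES = """
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 a8f1c3.victim.example NXDOMAIN
10.0.0.9 b72e9d.victim.example NXDOMAIN
10.0.0.9 c0ffee.victim.example NXDOMAIN
10.0.0.9 d4d4d4.victim.example NXDOMAIN
10.0.0.9 e1e1e1.victim.example NXDOMAIN
10.0.0.9 f9f9f9.victim.example NXDOMAIN
10.0.0.7 3q2f7z8k1m9x0v4b6n5c.t.exfil.example NOERROR
10.0.0.7 9k1m3x0v4b6n5c7z8q2f.t.exfil.example NOERROR
""".strip().splitlines()

def base_domain(qname: str) -> str:
    """Crude base domain: the last two labels (a public-suffix list is better in practice)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_random_subdomain_floods(lines, min_unique_nx: int = 5) -> set:
    """Flag base domains with many distinct NXDOMAIN subdomains, the pattern left
    by random subdomain / NXDOMAIN attacks."""
    nx_subs = defaultdict(set)
    for line in lines:
        _client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_subs[base_domain(qname)].add(qname)
    return {dom for dom, subs in nx_subs.items() if len(subs) >= min_unique_nx}

def find_tunnel_suspects(lines, min_len: int = 16, min_entropy: float = 3.5) -> set:
    """Flag base domains receiving queries whose first label is long and
    high-entropy, typical of data encoded into DNS queries (tunneling)."""
    suspects = set()
    for line in lines:
        _client, qname, _rcode = line.split()
        first = qname.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            suspects.add(base_domain(qname))
    return suspects
```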

What is the best way to protect against DNS-based attacks?

In addition to DNSSEC, an operator of a DNS zone can take further measures to secure their servers. Over-provisioning infrastructure is one simple strategy to overcome DDoS attacks. Simply put, if your nameserver can handle several times more traffic than you expect, it is harder for a volume-based attack to overwhelm your server.

Anycast routing is another handy tool that can disrupt DDoS attacks. Anycast allows multiple servers to share a single IP address, so even if one DNS server gets shut down, there will still be others up and serving. Another popular strategy for securing DNS servers is a DNS firewall.

What is a DNS firewall?

A DNS firewall is a tool that can provide a number of security and performance services for DNS servers. A DNS firewall sits between a user's recursive resolver and the authoritative nameserver of the website or service they are trying to reach. The firewall can provide rate limiting services to shut down attackers trying to overwhelm the server. If the server does experience downtime as a result of an attack or for any other reason, the DNS firewall can keep the operator's site or service up by serving DNS responses from cache.

In addition to its security features, a DNS firewall can also provide performance solutions for DNS operators, such as faster DNS lookups and reduced bandwidth costs. Learn more about Cloudflare DNS firewall.

DNS as a security tool

DNS resolvers can also be configured to provide security solutions for their end users (people browsing the Internet). Some DNS resolvers provide features such as content filtering, which can block sites known to distribute malware and spam, and botnet protection, which blocks communication with known botnets. Many of these secured DNS resolvers are free to use and a user can switch to one of these recursive DNS services by changing a single setting in their local router. Cloudflare DNS has an emphasis on security.

Are DNS queries private?

Another important DNS security issue is user privacy. DNS queries are not encrypted. Even if users use a DNS resolver like 1.1.1.1 that does not track their activities, DNS queries travel over the Internet in plaintext. This means anyone who intercepts the query can see which websites the user is visiting.

This lack of privacy has an impact on security and, in some cases, human rights; if DNS queries are not private, then it becomes easier for governments to censor the Internet and for attackers to stalk users' online behavior.

DNS over TLS and DNS over HTTPS are two standards for encrypting DNS queries in order to prevent external parties from being able to read them. Cloudflare DNS supports both of these standards. Cloudflare also partners with other organizations to help improve DNS security — for example, helping Mozilla enable DNS over HTTPS in its Firefox browser in order to protect users.