When we type a URL in the address bar, our computer sends a DNS query to the appropriate DNS servers and gets back the corresponding IP address, which it then uses to reach the target system. Protocols like SSL/TLS and HTTPS can ensure that the communication between the client and the server is encrypted once the server's domain name has been resolved. But what if an attacker takes advantage of the DNS communication between the client and the DNS server at the time of name resolution, and tampers with it to redirect traffic to malicious servers or to mount a DoS attack? DNS Cookies is a security mechanism developed for exactly that purpose.
DNS Cookies is a lightweight DNS transaction security mechanism that protects DNS servers and DNS clients from a variety of attacks, such as DoS attacks, DNS amplification attacks and DNS cache poisoning. Because it is lightweight, it can work alongside other existing DNS transaction security mechanisms. It even works in the presence of NAT and NAT – Protocol Translation (NAT-PT).
Let's understand what DNS Cookies actually is and how it works.
Security Concerns of DNS
There are a number of security concerns in the existing DNS system. Some of them are mentioned below:
DNS Server Denial of Service Attack
When a DNS client makes a DNS request to DNS servers, it places a considerable computational burden on those servers. A recursive server may have to issue one or more further requests and process their responses, which takes much computational resource. The situation gets even worse when DNSSEC is used, as DNSSEC performs many cryptographic computations to verify the authenticity of the DNS transaction.
So, if an attacker forges the source IP address and sends many DNS requests to the DNS servers, it is very hard to identify that the requests are forged. Moreover, it is impossible to restrict the IP addresses from which DNS requests are honored and discard all others.
As a result, an attacker can take advantage of this and send a large number of DNS requests to the DNS servers, so that the servers' resources are exhausted, resulting in a DoS attack.
DNS Cache Poisoning
The first time we type a URL in the address bar, our computer makes a DNS query to the appropriate DNS server and, once it gets a response, stores the IP address in its DNS cache together with a timestamp up to which the entry remains valid.
Within that time, if we type google.com again, our computer looks in its DNS cache for the entry.
Suppose our computer has made a DNS query and is waiting for a response from the DNS servers. But instead of an authentic response, it gets a response containing the IP address of the attacker's website. Its DNS cache is now poisoned, and from then on, whenever the computer tries to resolve the same URL, it ends up at the attacker's website.
In a similar way, the DNS cache of any DNS server may also get poisoned, because an ISP's DNS server gets responses from other DNS servers and stores those responses in its cache. If that cache is poisoned, the same poisoned entry spreads to all home routers and from them to all the computers behind them.
DNS Amplification Attack
If an attacker sends lots of DNS queries to DNS servers but forges the IP address of a victim machine as the source IP address of all the packets, the servers generate lots of DNS responses, and all of them reach the victim machine. Normally, without any security mechanism, DNS servers cannot find out whether the source IP of a DNS request is forged.
As a result, since DNS responses are much larger than the queries, the responses end up flooding the victim machine and consuming its bandwidth, causing a DoS attack on the victim machine.
Existing DNS Security
There are a number of existing security mechanisms that can be used to secure DNS transactions. But each of them has its own disadvantages.
For example, DNSSEC (How does DNSSEC work?) is a security extension that can be used to verify the authenticity of a DNS transaction. DNSSEC can ensure that the response coming from a DNS server is authentic, and it no doubt protects us from attacks like DNS hijacking and DNS cache poisoning.
But, as mentioned earlier, DNSSEC performs many cryptographic computations to ensure security, which increases the computational burden on the DNS servers. As a result, if an attacker forges IP addresses and sends many DNS requests to the DNS servers, it will aggravate the situation and can easily cause a DoS attack.
Another security mechanism is Transaction Signature or TSIG (How does TSIG work?). It uses cryptographic keys to establish a trust relationship between a DNS client and a DNS server and to secure the DNS transaction. TSIG provides good security, but it is non-trivial to deploy. It imposes a considerable burden on the existing DNS system: the keys must be agreed upon and distributed in advance, and the server must keep track of key state and stay synchronized with each DNS client.
DNS Cookies is a lightweight security mechanism that can be implemented easily within the existing DNS system and can work together with other security mechanisms. It does not carry much pre-configuration overhead.
How does DNS Cookies work?
In the DNS Cookies mechanism, each DNS server and each DNS client maintains a cookie. Each of them maintains a different cookie, which is used at the time of a DNS transaction to make sure that the DNS request has indeed come from an authentic DNS client and that its source IP address is not forged.
A client cookie is 8 bytes long and is a pseudorandom function of the client IP, the server IP and a secret quantity known only to the client. This pseudorandom function is secret to the client and can be changed periodically. Each DNS client has a different cookie, which is sent with the DNS request to verify its authenticity. As a DNS cookie is only returned to the IP address from which the request was generated, it cannot be used to track internet users.
Similarly, each DNS server with a different IP has a different server cookie. The server cookie is a pseudorandom function of the client cookie, the client IP and a secret quantity known only to the server. This pseudorandom function is secret to the server and can be changed periodically. A DNS server must send different cookies to different clients.
The DNS Cookies mechanism works in the following way:
- A DNS client sends a DNS request and includes its client cookie with the request. If it already knows the server cookie, it sends the server cookie along with its own cookie.
- The server receives the DNS request together with the client cookie. If the request contains only the client cookie and no server cookie, the server calculates a server cookie using its secret pseudorandom function over the client IP, the received client cookie and the secret quantity known to the server. The server then processes the request and sends its cookie to the client, so that the client can include it in future communications. On the other hand, if the server receives a server cookie along with the client cookie, it verifies the server cookie and then processes the request. It then generates a response and sends it along with a new server cookie, if it generates one.
- Different DNS clients behind a NAT box can use their own local IP addresses to derive different client cookies. Based on these different client cookies, different server cookies are generated, which can be used in the DNS transactions without confusion.
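A small model of the exchange above, added here as an illustration and not code from the original post: the client cookie and server cookie are derived from exactly the inputs described (client IP, server IP and client secret; client cookie, client IP and server secret), and a returning client is verified by recomputing the server cookie rather than by looking up per-client state. The pseudorandom function (HMAC-SHA256 truncated to 8 bytes), the 8-byte server cookie length, the secrets and the IP addresses are assumptions for the example.

```python
import hashlib
import hmac
from typing import Optional

COOKIE_LEN = 8  # client cookie is 8 bytes per the post; same length assumed for the server cookie


def prf(secret: bytes, *parts: bytes) -> bytes:
    """Assumed pseudorandom function: HMAC-SHA256 over the parts, truncated to COOKIE_LEN bytes."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


def client_cookie(client_ip: str, server_ip: str, client_secret: bytes) -> bytes:
    """Client cookie = PRF(client IP, server IP, secret known only to the client)."""
    return prf(client_secret, client_ip.encode(), server_ip.encode())


def server_cookie(ccookie: bytes, client_ip: str, server_secret: bytes) -> bytes:
    """Server cookie = PRF(client cookie, client IP, secret known only to the server)."""
    return prf(server_secret, ccookie, client_ip.encode())


class CookieServer:
    """Hypothetical server-side handling of the cookie fields of one DNS request."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret  # can be rotated periodically; old server cookies then stop verifying

    def handle(self, src_ip: str, ccookie: bytes, scookie: Optional[bytes] = None) -> dict:
        expected = server_cookie(ccookie, src_ip, self.secret)  # recomputed, no per-client state
        if scookie is None:
            # First contact: answer and hand out our cookie for the client's later requests.
            return {"verified": False, "server_cookie": expected}
        # A matching cookie proves src_ip actually received our earlier reply, i.e. it is not forged.
        return {"verified": hmac.compare_digest(scookie, expected), "server_cookie": expected}


def run_exchange() -> dict:
    """Walk through the exchange with constructed IPs and secrets; returns the verification outcomes."""
    client_ip, other_ip, server_ip = "198.51.100.10", "203.0.113.7", "192.0.2.53"
    server = CookieServer(b"server-secret-constructed")
    cc = client_cookie(client_ip, server_ip, b"client-secret-constructed")
    first = server.handle(client_ip, cc)                            # client cookie only
    second = server.handle(client_ip, cc, first["server_cookie"])   # both cookies, verifies
    # Same cookies presented from a different source IP: the cookie is bound to the IP, so it fails.
    replayed = server.handle(other_ip, cc, first["server_cookie"])
    # Forged source IP with a guessed server cookie: the spoofer never saw the real one, so it fails.
    forged = server.handle(client_ip, cc, bytes(COOKIE_LEN))
    return {"first": first["verified"], "second": second["verified"],
            "replayed": replayed["verified"], "forged": forged["verified"]}
```

Only the "second" request verifies; the server can treat the other three as unverified and apply whatever policy it has for requests whose source IP is not yet proven.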
So, be aware of different security mechanisms so that you can protect
your systems in a better way and stay safe, stay secured.