DNS security management

NS Security Management
Contents
Preface
Acknowledgments

1 Introduction
Why Attack DNS?
Network Disruption
DNS as a Backdoor
DNS Basic Operation
Basic DNS Data Sources and Flows
DNS Trust Model
DNS Administrator Scope
Security Context and Overview
Cybersecurity Framework Overview
Framework Implementation
Whats Next

2 Introduction to the Domain Name System (DNS)
DNS Overview --
Domains and Resolution
Domain Hierarchy
Name Resolution
Zones and Domains
Dissemination of Zone Information
Additional Zones
Resolver Configuration
Summary

3 DNS Protocol and Messages DNS Message FormatEncoding of Domain Names
Name Compression
Internationalized Domain Names
DNS Message Format
DNS Update Messages
The DNS Resolution Process Revisited
DNS Resolution Privacy Extension
Summary

4 DNS Vulnerabilities
Introduction
DNS Data Security
DNS Information Trust Model
DNS Information Sources
DNS Risks
DNS Infrastructure Risks and Attacks
DNS Service Availability
Hardware/OS Attacks
DNS Service Denial
Pseudorandom Subdomain Attacks
Cache Poisoning Style Attacks
Authoritative Poisoning
Resolver Redirection Attacks
Broader Attacks that Leverage DNS Network ReconnaissanceDNS Rebinding Attack
Reflector Style Attacks
Data Exfiltration
Advanced Persistent Threats
Summary
5 DNS Trust Sectors
Introduction
Cybersecurity Framework Items
Identify
Protect
Detect
DNS Trust Sectors
External DNS Trust Sector
Basic Server Configuration
DNS Hosting of External Zones
External DNS Diversity
Extranet DNS Trust Sector
Recursive DNS Trust Sector
Tiered Caching Servers
Basic Server Configuration
Internal Authoritative DNS Servers
Basic Server Configuration
Additional DNS Deployment Variants
Internal Delegation DNS Master/Slave Servers Multi-Tiered Authoritative ConfigurationsHybrid Authoritative/Caching DNS Servers
Stealth Slave DNS Servers
Internal Root Servers
Deploying DNS Servers with Anycast Addresses
Other Deployment Considerations
High Availability
Multiple Vendors
Sizing and Scalability
Load Balancers
Lab Deployment
Putting It All Together
6 Security Foundation
Introduction
Hardware/Asset Related Framework Items
Identify: Asset Management
Identify: Business Environment
Identify: Risk Assessment
Protect: Access Control
Protect: Data Security
Protect: Information Protection
Protect: Maintenance Detect: Anomalies and EventsDetect: Security Continuous Monitoring
Respond: Analysis
Respond: Mitigation
Recover: Recovery Planning
Recover: Improvements
DNS Server Hardware Controls
DNS Server Hardening
Additional DNS Server Controls
Summary
7 Service Denial Attacks
Introduction
Denial of Service Attacks
Pseudorandom Subdomain Attacks
Reflector Style Attacks
Detecting Service Denial Attacks
Denial of Service Protection
DoS/DDoS Mitigation
Bogus Queries Mitigation
PRSD Attack Mitigation
Reflector Mitigation
Summary
8 Cache Poisoning Defenses
Introduction
Attack Forms
Packet Interception or Spoofing
ID Guessing or Query Prediction
Name Chaining
The Kaminsky DNS Vulnerability
Cache Poisoning Detection
Cache Poisoning Defense Mechanisms
UDP Port Randomization
Query Name Case Randomization
DNS Security Extensions
Last Mile Protection

9 SECURING AUTHORITATIVE DNS DATA
Introduction
Attack Forms
Resolution Data at Rest
Domain Registries
DNS Hosting Providers
DNS Data in Motion
Attack Detection
Authoritative Data
Domain Registry
Domain Hosting
Falsified Resolution
Defense Mechanisms
Defending DNS Data at Rest
Defending Resolution Data in Motion with DNSSEC
Summary

10 ATTACKER EXPLOITATION OF DNS
Introduction
Network Reconnaissance
Data Exfiltration
Detecting Nefarious use of DNS
Detecting Network Reconnaissance
DNS Tunneling Detection
Mitigation of Illicit DNS Use
Network Reconnaissance Mitigation
Mitigation of DNS Tunneling

11 MALWARE AND APTS
Introduction
Malware Proliferation Techniques
Phishing
Spear Phishing
Downloads
File Sharing
Email Attachments
Watering Hole Attack
Replication
Implantation
Malware Examples
Malware Use of DNS
DNS Fluxing
Dynamic Domain Generation
Detecting Malware
Detecting Malware Using DNS Data
Mitigating Malware Using DNS
Malware Extrication
DNS Firewall
Summary

12 DNS SECURITY STRATEGY
Major DNS Threats and Mitigation Approaches
Common Controls
Disaster Defense
Defenses Against Human Error
DNS Role-Specific Defenses
Stub Resolvers
Forwarder DNS Servers
Recursive Servers
Authoritative Servers
Broader Security Strategy
Identify Function
Protect Function
Detect Function
Respond Function
Recover Function

13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY
Safer Web Browsing
DNS-Based Authentication of Named Entities (DANE)
Email Security
Email and DNS
DNS Block Listing
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
Domain-Based Message Authentication, Reporting, and
Conformance (DMARC)
Securing Automated Information Exchanges
Dynamic DNS Update Uniqueness Validation
Storing Security-Related Information
Other Security Oriented DNS Resource Record Types
Summary

14 DNS SECURITY EVOLUTION

Appendix A: Cybersecurity Framework Core DNS Example
Appendix B: DNS Resource Record Types
Bibliography
Index