What is DNS security and why it is necessary to protect the DNS for a navigation without risks. In this article we remind you the meaning of DNS, we analyze its vulnerabilities exploited by cybercriminals and we show the best solution.
1. What is a DNS
DNS security – hence the security of the DNS – is an especially hot topic, because the vulnerabilities of the DNS protocol are exploited by cybercriminals to bypass traditional protection systems. In order to understand why this happens and especially how to defend personal and company devices, let’s try first of all to explain the context.
The DNS (Domain Name System) is often defined as the phone book of the Internet. It is a hierarchical denomination system, decentralized, used to identify computers and services that can be reached over the net. We generally have two ways of accessing an Internet website or a specific web page. We can type the name of the domain of the website (flashstart.com) directly in the navigation bar of the browser, or else we activate the opening of a link towards a page (https://flashstart.com/filtering-dns/), which maybe we received via email or chat.
But, when in the browser’s navigation bar you type flashstart.com and click Send, the browser automatically transforms (resolves) the domain name into an IP address, since the computer recognizes the IP and not a text string. Actually, the browser demands the Internet Provider we use to ask the DNS resolution services, which we will talk about shortly, to convert the domain name into a sequence of numbers and dots.
In the case of flashstart.com the IP address is 188.8.131.52. This means that the navigation program connects to the server that has that address and that hosts the website flashstart.com. More specifically, the first three parts of the IP, in case we have an IP of the type Ipv4, correspond to the network ID while the last one to the host ID, that is the user’s device.
It should be underlined, however, that there is no unique correspondence between the IP address and the domain name. For example, the domain name 184.108.40.206 corresponds to 44 thousand websites hosted on the same server. Hence, the DNS is the way in which a domain name is associated with an IP address.
But DNS is also the protocol that rules over the functioning of the service. The system was introduced in 1983 and its original features are described in the protocol RFC 882. RFC (Request for Comment) is a document that precisely explains in detail how the DNS system should work.
In practice, the DNS system is a universal register, a distributed database of DNS servers, categorized first of all by domain extensions (.com, .it, .edu). Every domain corresponds to a “container” that files information about the domains and that is also able to obtain information about other, non-archived, domains. Among the database records, obviously, the most important is the IP address corresponding to the domain name, which is what the browser will receive in order to access the requested website.
The servers spread around the world and that file and manage the names of the domains, categorized according to the domain extensions (technically called DNS root zones) are called root nameservers. There exists 13 root nameservers in the entire world.
>> FlashStart protects you from a wide range of threats and prevents access to malicious websites → Start your free trial now
2. Why is the DNS vulnerable
The path connecting the computer to the website that the user wants to reach, hence the other computer with which he wants to establish a connection, is marked by several databases or tables that are somehow connected to the DNS resolution. One of these is in our home and is part of our modem/router. Moreover, every computer includes a text file with the list of some domain name – Ip associations. This is a file that is “read” by the computer in case there are connections between computers within the same local network. There are several DNS systems along the path for two main reasons: executing the correct association and speeding up the navigation. The faster the transformation, the faster the connection between two computers, and hence the navigation.
And it is exactly on the different association tables encountered over the path that cybercriminals can act. The basic principle they exploit is rather simple: modifying the tables in order to associate a domain’s name with an incorrect IP address that takes you to a dangerous website, service or resource. The user types the domain name or clicks on an apparently “clean” link and will end up in hell.
Man-in-the-middle attacks, to give you a simple example, modify the Internet traffic, moving it towards a “transparent” proxy service that intercepts the traffic and, hence, all the information transiting.
Like many Internet protocols, the DNS system was not designed thinking about potential risks for security. These limits make the DNS servers vulnerable to many types of attacks. These include spoofing, amplification DDoS (Denial of Service) and, as we said, the theft of private and personal information. It is clear that, if the DNS system is fundamental in order to navigate, it is also the most manipulated one to carry out an attack.
Moreover, DNS attacks go hand in hand with other types of attacks. Cybercriminals use them to “distract” the network administrators in a company while the incursion takes place in another way.
DNS spoofing, tunneling, hijacking, nxdomain attack, phantom, random subdomain, domain lookup, botnet CPE (Customer Premise Equipment, such as the home router) are the types of attack that can be carried out using the DNS system. So, one way or another, all hackers try to modify the DNS database by re-addressing the requests.
>> You can activate the FlashStart® Cloud protection on all Routers and Firewalls to grant the security of your desktop and mobile devices and of IoT devices on local networks
3. How to solve the problem of DNS Security
Since it is clear that we need to act in order to better protect the DNS systems, already by the end of the 90s the protocol was updated with some security extensions, the so-called DNSSEC (Domain Name System Security Extensions).
These extensions introduced an authentication process in the exchange of information among DNS systems, but it is not enough, since the authentication is encrypted and non-alterable, but information is not. If, as it happens, the attackers gain access to the databases, tables and rules present in the servers that host the DNS systems, there is no authentication capable of noticing that the data has been modified at the origin.
Therefore, what shall we do? The ideal solution would be that the world organizations that manage DNS servers had full control over these systems, but these must be by definition open and easy to manage. And, in any case, if a control that does not slow down these systems was possible, vulnerable local tables would nevertheless exist.
DNS Security deals exactly with finding appropriate solutions to reach just one aim: protecting the DNS server. A DDos can be contrasted, for example, by preparing the DNS servers to accept more requests than those received on average, or through a redundant system that can save the service. A specific hardware can also be used, such as a DNS Firewall.
Or else, a company or a final user can use a content filter that acts also on the DNS encountered during the communication between a computer, a smartphone or a tablet and the website that they want to reach.
4. How does a filter for the protection of DNS work
To protect the navigation, at home as well as in the office, and avoid access to dangerous or inappropriate websites, it is useful to use a filter. This is a solution that today is available as a cloud-based service that installs a small agent – on the computer or on the router – that does not impact the speed of navigation.
A DNS filter allows you to filter Internet contents based on the control of the DNS of a specific website. Considering what we have said up to now, to protect navigation best, it is better to use a DNS filter that acts right from the first user’s request. This is the case because the DNS controls take place at different levels, starting from the first, the one pre-set by the Internet Service Provider inside the client’s router.
A DNS filter works directly on the numerical IP addresses that the user wants to access, by verifying their conformity with the rules established by the system and eventually blocking access at the origin. In this way, the filter blocks dangerous contents such as malware, ransomware attacks and phishing attempts, and it blocks access to undesired contents, such as porn and online gaming.
Moreover, within a company, a DNS filter, such as the solution offered by FlashStart, can be installed directly in the gateway or in the company router with no need to purchase, install and maintain any additional hardware.
When choosing the DNS filtering system it is important to consider three aspects: its distribution, its latency and the continuous updating of the control tables. By distribution we mean the width of the service: the more DNS databases can be consulted, the more accurate the filter is. FlashStart, for example, is distributed at the global level through an Anycast network of datacenters located in the different continents that allow for instantaneous connections.
Another fundamental aspect is that of latency: the higher it is and the slower the navigation. The FlashStart DNS filter grants a latency close to zero, and hence a safe and also fast navigation.
Also the continuous updating is a fundamental feature. FlashStart uses a mix of human and artificial intelligence to constantly scan the web and intercept new threats. If a DNS is deemed dangerous, it is added in real time to the lists available in the cloud in order to grant customers with a constantly updated protection service. Last but not least, FlashStart grants an assistance service active 24/7 in Italian, English and Spanish.
>> If you have already activated FlashStart, read this guide that explains how to extend the Blacklists for Internet DNS filtering
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks