Wednesday 17 June 2015

Does DNSCrypt Help in Dealing with DNS Attacks?



DNS is the most fundamental building block of the internet. It is used when sending mail, visiting a website, holding an IM conversation, or doing almost any other work related to the internet. Because it is an infrastructure service, DNS is one of the most attractive attack targets. In the past, the Kaminsky DNS vulnerability affected almost all DNS implementations in the world. The problem resulted from weak underlying foundations, specifically at the “last mile.” The “last mile” is the connection between the ISP and the computer.



DNSCrypt is a way to secure the “last mile” of DNS traffic and to resolve an entire class of serious security issues with the DNS protocol. The web has many users, and as mobile usage has grown, people connect through many different Wi-Fi networks, so there is a need for a more secure network. There have been several examples of man-in-the-middle attacks, tampering, and snooping of DNS traffic. These are serious security risks that can't be avoided, but they need to be fixed.

Significance of DNSCrypt
 
DNSCrypt provides Internet security. It encrypts DNS traffic, securing it against man-in-the-middle attacks and tampering. It does not require any change to domain names. It simply provides a way to communicate securely by encrypting the traffic between DNS servers and end users. Claims alone do not count for much on the internet, so the source code is available on GitHub.

DNS Denial-of-Service (DoS) Attacks or DNS attacks and Securing DNS Servers

 
Reflector attacks: These are the most common examples of DNS vulnerabilities in the default configurations of ISC BIND as well as the DNS Server service.

DoS attacks: These DNS attacks are difficult to defend against. They are invoked against an application by way of a specific DNS lookup. Separate the recursive resolvers from the authoritative name servers so that only the authoritative name servers can be queried. This keeps external users out and provides security.

Request Redirection: It occurs when a DNS query is intercepted on the DNS server. When the request gets redirected, the name server indicates that the interception has occurred in a LAN connection. Query interception may also occur on recursive queries that go outside the local network.

DNS cache-poisoning attack: These DNS attacks can cause a high level of damage because information is sent to malicious sites. The recent attack is named the Kaminsky bug. It happened when the random values for the transactions were easily guessed. When this issue was encountered, it was found that sites running DNSSEC with DNSSEC validation are prone to attack.

Zone enumeration: Enumeration of zone data happens when a user runs DNS diagnostic commands such as nslookup against a site to learn about the site's network. Mitigating zone-enumeration threats requires advertising over the internet. Most sites run internal and external servers to split DNS views.

Tunnels: Attention is mostly focused on the DNS query and response transaction, which is a UDP transaction. However, both UDP and TCP transport mechanisms are used. DNS over TCP is used for secondary zone transfers.

Mitigating DNS tunneling traffic depends on a combination of traffic monitoring and server configuration. Zone transfers occur between the secondary server and the authoritative server.
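
One way to approach the traffic-monitoring half of tunnel mitigation, as an added example that is not part of the original post: a Python heuristic that flags clients sending many distinct long, high-entropy subdomains under one parent domain. The query log, thresholds and function names are constructed for illustration, and the parent domain is assumed to be the last two labels of the name.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of s, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Split a query name into (subdomain, parent domain).

    Assumption: the parent is the last two labels. Real deployments should
    consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def tunnel_suspects(queries, min_unique=5, min_len=24, min_entropy=3.5):
    """Return sorted (client, parent) pairs that sent at least min_unique
    distinct subdomains that are both long and high-entropy."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_name(qname)
        payload = sub.replace(".", "")
        if len(payload) >= min_len and entropy(payload) >= min_entropy:
            seen[(client, parent)].add(sub)
    return sorted(key for key, subs in seen.items() if len(subs) >= min_unique)

# Constructed sample log of (client IP, query name); not real traffic.
B32 = "abcdefghijklmnopqrstuvwxyz234567"  # stand-in for encoded payload data
SAMPLE = (
    # ordinary lookups: short labels
    [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "api.example.com")]
    # one long CDN-style name: long, but not repeated with new values
    + [("10.0.0.6", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4.cdn.example.org")]
    # tunnel-like: eight different encoded-looking labels under one domain
    + [("10.0.0.7", B32[i:] + B32[:i] + ".t.example.net") for i in range(8)]
)

if __name__ == "__main__":
    for client, parent in tunnel_suspects(SAMPLE):
        print(f"suspect: {client} -> *.{parent}")
```

The thresholds are starting points and need tuning against a baseline of normal resolver traffic, since CDNs and some security products also generate long machine-made names.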

Secure DNS Servers

 
DNSCrypt secures DNS servers by encrypting the data, so that every part of the internet connection to the secure DNS servers is protected. It is a side-project at OpenDNS, which is used to protect browsing, filter content, speed up the browsing experience, and correct wrong or mistyped URLs. It is simple software that can be easily downloaded and installed on a Mac, Linux or Windows system to secure DNS servers.

Conclusion


There are several types of DNS attacks. Mitigating DNS risks depends on DNSSEC, traffic monitoring, and configurations that separate the various DNS functions. OpenDNS has provided world-class security for several years. It is the most secure service available on the web. It is an open source tool used to secure DNS servers. The packages are available over the internet and can be downloaded directly from OpenDNS. Officially it can be downloaded and used on Mac OS X and Windows, but special instructions are now available for using it with other systems such as Android devices.
