If you basically live online, and you may have noticed that your computer does a lot of stuff to make your experience as seamless and painless as possible. One of these features that the Internet provides is invisible address translation. When you visited this webpage (or any webpage), it’s safe to assume that you didn’t look up and type in the IP address of the web server. Instead, you probably typed in a domain name (like geekdashboard.com), and your computer figured out how to get from that address to the web server’s IP address.
Accomplishing this requires using the Domain Name System (DNS). DNS is one of the protocols that make the Internet work. This means that it’s important to ensure that DNS continues to work (by deploying DDoS protection) and that there’s a way to prevent its abuse.
In this article, we’ll talk about the relationship between DNS and Denial of Service (DoS) attacks:
A Quick Intro to DNS
DNS is crucial to the operation of the Internet because it acts as the lookup table from domains to IP addresses. Domain names are useful on the Internet because they’re easy for humans to remember. It’s a lot easier for an advertiser to send you to a website that sounds like their company name than to try to get you to remember (and visit) an IP address like 172.217.8.206 (that one belongs to Google). Not to mention, with cloud storage, many different domains are hosted on the same web servers with the same IP addresses.
The Internet doesn’t work on domains though, as addressing is based upon IP addressing. The conversion is where DNS servers come in. A DNS server is a computer that specializes in receiving requests for a certain set of domain names and providing responses on the IP addresses to contact.
DNS servers work based off of a hierarchy. If you want to visit google.com (and your computer doesn’t already know Google’s IP address), you start by contacting a .com DNS server. At this point, you’re asking that server for the IP address of the google.com DNS server. Once you have the response, you can query the google.com DNS server for the IP address for any website within that domain, like mail.google.com and docs.google.com.
The correct operation of these DNS servers is crucial to the Internet. While there may be several DNS servers for certain domains (like .com), companies may only have a single DNS server for their internal websites. If this server is disabled (by a Denial of Service attack or similar), people won’t be able to find and visit those websites.
Breaking DNS with DoS
Since DNS is such a crucial part of how the Internet works, the potential for DoS attacks against DNS servers is a real threat. A DNS server taken down by a DoS or Distributed DoS (DDoS) attack means that any webservers that rely upon that DNS server for routing traffic to them will no longer be accessible to users.
This is how the Dyn DDoS attack of 2016 took down a significant portion of the Internet. By overwhelming 20 Dyn data centers, attackers were able to deny access to websites relying on Dyn for their DNS resolution. Since Dyn clients included Amazon, Etsy, Shopify, and Twitter (among 1,200 others), the impact was widely felt. The attack was enabled by attacker-controlled botnets and crippled the Internet for several hours.
The Dyn DDoS attack is a clear example of the need for DDoS protection for DNS servers. Disabling a relatively small number of servers had a worldwide impact on access to Dyn’s clients (at least 1,200 domains). DDoS protections on the DNS data centers could have allowed Dyn to whether the attack while still providing essential services.
Creating DoS with DNS
Unfortunately, the relationship between DNS and DoS doesn’t end with the potential impacts of a DoS attack against critical DNS servers. DNS attacks can be used to increase the impact of a DoS attack through a technique called DNS amplification.
All DoS amplification attacks take advantage of an asymmetry between the size of the request and response packets of an Internet protocol. DNS requests are relatively small since their main goal is to inform the server that someone wants the IP address of a given domain and who to send the answer to. Responses are significantly larger since they include all of the information contained in the request as well as the data that the requestor was asking for.
This asymmetry allows attackers to use DNS to increase the impact of a DoS attack. By creating a DNS request and spoofing the source address to the target computer, the attacker ensures that a larger packet will be sent to the recipient. This asymmetry between the amount of traffic through the attacker’s and target’s network allows a computer to overwhelm a target with more network bandwidth and processing power.
Protecting Against DoS
DNS serves a crucial role on the Internet since it enables computers to find a different computer that they need to talk to in order to fulfill a user’s request for a given URL. This critical role means that DNS servers need to be protected against DoS attacks and can’t be blocked to remove the potential for them to be used in DNS attacks.
Luckily, solutions already exist and are in the works for dealing with the relationships between DNS and DoS. Owners of DNS servers can and should deploy a DDoS protection solution to protect access to their sites. The DNSSEC protocol (currently in development) will help solve the problem of DNS amplification attacks by making it more difficult for an attacker to spoof the victim’s address in a malicious DNS request.