As the Internet has grown, network security has become the de facto focus of its development: it bears on the further growth and spread of the Internet, and even on its survival. The good news is that the experts have not disappointed the majority of Internet users; network security technologies keep emerging, so that users and businesses can go online with more confidence. The following profiles the major threats to the domain name system and the main technologies for defending it, in the hope of giving Internet users and businesses a reference for network security solutions.
DNS is divided into a client and a server. The client plays the role of questioner: it asks a domain name server about a domain name, and the server must answer with the real IP address of that name. The local DNS server first checks its own database; if the record is not in its own data, it forwards the query to the DNS servers configured as its upstream, and once it has the answer it keeps a copy and returns the answer to the client.
A DNS server is authoritative for zones (Zone); the data records in a zone belong to the domain names under it and include the host names and sub-domains within that domain.
Every name server has a cache (Cache). Its main purpose is this: when the server looks up a name and finds the matching IP address, that record is written into the cache, so that the next time another client asks the server for the same name, the server need not go to another host but can answer directly from the cached record, which speeds up client name queries. Two examples:
When a DNS client asks its configured DNS server for the address of a host name and the server does not hold that name in its own zone data, it first checks whether its cache holds the record. If it finds that record, it returns the corresponding IP address directly to the client. If the name is in neither its zone data nor its cache, the server queries another name server for it.
When a DNS client asks its configured DNS server for a host name and the server can find the requested record neither in its zone data nor in its cache, it asks the next name server for help in finding the IP address of that name; that server performs the same procedure, and the result is eventually returned to the server that originally asked. After the original DNS server receives the other server's answer, it first writes the queried host name and its IP address into its cache, and finally returns the result to the client.
Common DNS attacks
1) Domain name hijacking
The attacker obtains the password that controls the domain name, or the e-mail account used to manage the domain, then points the domain's NS records at a DNS server under the attacker's control and adds the desired records for the domain on that server, so that users who visit the domain name are taken to content the attacker has chosen.
This is clearly the responsibility of the DNS service provider; users are helpless against it.
2) Cache poisoning
The attacker takes control of a DNS cache server so that users who set out to visit one site are unwittingly directed to another site chosen by the attacker. It can be carried out in different ways: for example, by exploiting a vulnerability in, or taking control of, the ISP's DNS cache server that Internet users rely on, thereby altering the responses users receive for a domain name within that ISP; or by exploiting a vulnerability on the user's authoritative name server, for instance when an authoritative name server also serves as a cache server, in which case the attacker can poison the cache by inserting wrong domain name records into it, so that every user of that cache server gets the wrong resolution result.
The major DNS defect discovered recently is of this type. It counts as a significant defect precisely because, reportedly, it stems from design and implementation problems in the protocol itself, so almost all DNS software has the problem.
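To make the cache-first resolution sequence above concrete, and to show one of the checks a cache server uses against poisoning through a response, here is a small simulated resolver. It is an added example, not code from the original article: the zones, servers and addresses (bank.example., attacker.example., 192.0.2.x, 203.0.113.x) are constructed, and the "servers" are plain Python callables standing in for authoritative name servers. The resolver answers from cache when it can, otherwise asks the authoritative server for the closest enclosing zone, and stores the returned records. With the bailiwick check enabled it discards any record whose owner name lies outside the zone the answering server is responsible for, which is what stops a response for www.attacker.example. from planting a bogus address for www.bank.example. in the cache.

```python
"""Simulated caching resolver with TTL expiry and a bailiwick check.

Added example (not from the original article). All zone data, server
callables and IP addresses below are constructed for illustration.
"""
import time


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name beneath it (absolute, lower-cased names)."""
    owner, zone = owner.lower(), zone.lower()
    return zone == "." or owner == zone or owner.endswith("." + zone)


def enclosing_zone(name, zones):
    """Pick the longest known zone that encloses `name`; its server receives the query."""
    candidates = [z for z in zones if in_bailiwick(name, z)]
    if not candidates:
        raise LookupError("no known zone encloses %s" % name)
    return max(candidates, key=len)


class CachingResolver:
    """Cache first, then the authoritative server for the closest enclosing zone."""

    def __init__(self, servers, check_bailiwick=True, clock=time.time):
        self.servers = servers            # zone -> callable(name, rrtype) -> (answer_rrs, additional_rrs)
        self.check_bailiwick = check_bailiwick
        self.clock = clock                # injectable so TTL expiry can be exercised without sleeping
        self.cache = {}                   # (owner, rrtype) -> (expiry_time, rdata)

    def from_cache(self, name, rrtype):
        entry = self.cache.get((name, rrtype))
        if entry is None:
            return None
        expiry, rdata = entry
        if expiry <= self.clock():        # TTL ran out: treat as a miss and drop it
            del self.cache[(name, rrtype)]
            return None
        return rdata

    def store(self, rrs, zone):
        """Cache the records of a response from the server for `zone`; RR = (owner, rrtype, ttl, rdata)."""
        for owner, rrtype, ttl, rdata in rrs:
            if self.check_bailiwick and not in_bailiwick(owner, zone):
                continue                  # the server for `zone` has no authority over this name
            self.cache[(owner, rrtype)] = (self.clock() + ttl, rdata)

    def resolve(self, name, rrtype):
        """Return (rdata, source) where source is 'cache' or 'authoritative'."""
        hit = self.from_cache(name, rrtype)
        if hit is not None:
            return hit, "cache"
        zone = enclosing_zone(name, self.servers)
        answer, additional = self.servers[zone](name, rrtype)
        self.store(answer + additional, zone)
        for owner, rtype, _ttl, rdata in answer:
            if owner == name and rtype == rrtype:
                return rdata, "authoritative"
        return None, "authoritative"


# Constructed authoritative servers.  The bank answers honestly and only for its own names.
def bank_server(name, rrtype):
    records = {("www.bank.example.", "A"): "192.0.2.10"}
    rdata = records.get((name, rrtype))
    return ([(name, rrtype, 300, rdata)] if rdata else [], [])


# The attacker's server answers its own name but smuggles an additional record for a name it does not own.
def attacker_server(name, rrtype):
    poison = ("www.bank.example.", "A", 86400, "203.0.113.66")
    return ([(name, rrtype, 300, "203.0.113.5")], [poison])


SERVERS = {"bank.example.": bank_server, "attacker.example.": attacker_server}


def poisoning_demo(check_bailiwick):
    """Lure the resolver into querying the attacker's zone, then ask it for the bank."""
    r = CachingResolver(SERVERS, check_bailiwick=check_bailiwick)
    r.resolve("www.attacker.example.", "A")
    return r.resolve("www.bank.example.", "A")


if __name__ == "__main__":
    print("without bailiwick check:", poisoning_demo(False))  # poisoned answer served from cache
    print("with bailiwick check:   ", poisoning_demo(True))   # real answer from bank's server
```

The same class also shows the TTL behaviour described above: a second lookup of www.bank.example. within 300 seconds is served from the cache, and once the TTL has elapsed the resolver goes back to the authoritative server.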
3) DDoS attacks
One kind attacks the DNS server software itself, often using vulnerabilities in BIND to crash the DNS server or cause a denial of service. The other kind does not aim to take down the DNS server at all, but uses it as an intermediate amplifier to attack other hosts on the Internet, causing a denial of service on the attacked host.
4) DNS spoofing
DNS spoofing is deception by an attacker who poses as the domain name server.
Principle: if the attacker can impersonate the domain name server and answer address queries with the attacker's own IP address, Internet users see only the attacker's home page rather than the site they wanted. That is the basic principle of DNS spoofing. It does not actually break into the other site; it is an imposter and a trick, nothing more.
Some preventive measures against DNS attacks
DNS amplification attacks have increased sharply on the Internet. In this attack a small number of packets can generate a large volume of bogus traffic aimed at a target. How much bogus traffic? Up to several gigabits per second, enough to knock anyone off the Internet.
The attack closely resembles the old smurf attack: like smurf, DNS amplification uses spoofed packets sent to innocent third parties to amplify traffic, with the aim of exhausting the victim's entire bandwidth. Smurf, however, achieved its amplification by sending packets to a network broadcast address. DNS amplification involves no broadcast address. Instead, the attacker sends small, forged queries to a series of innocent third-party DNS servers on the Internet. Those DNS servers then send a large number of responses back to what appears on the surface to be the querying host, producing amplified traffic that finally swamps the target. Because DNS runs over stateless UDP packets, this kind of spoofing is commonplace.
The attack originally relied on a DNS query of about 60 bytes producing a reply of up to 512 bytes, amplifying the traffic about 8.5 times. That is good for the attacker, but still short of the flood level attackers want. Recently attackers have used a number of techniques to multiply the current DNS amplification attacks several times over.
Many current DNS servers support EDNS. EDNS is an extension mechanism for DNS, introduced in RFC 2671. Some of its options allow a DNS reply to exceed 512 bytes while still using UDP, provided the requester states that it can handle such a large DNS response. Attackers have used this method to generate a great deal of traffic: by sending a 60-byte query that fetches a record of roughly 4000 bytes, the attacker can amplify the traffic 66 times. Some attacks of this kind have produced gigabits per second of traffic, and against certain targets even more than 10 gigabits per second.
To carry out the attack, the attacker first needs to find third-party DNS servers that perform recursive queries on behalf of anyone on the Internet (most DNS servers are set up this way). With recursion available, the attacker can send a query to such a DNS server, which then sends the query on, recursively, to a DNS server of the attacker's choosing. Next, the attacker queries those servers for a DNS record that lives on a DNS server the attacker controls. Because those servers are set to recurse, these third-party servers fetch the record and return it to the attacker. On the attacker's own DNS server a 4000-byte text record is stored for use in this DNS amplification attack.
Now that the attacker has got the large record into the third-party DNS servers' caches, the attacker next sends DNS queries (with the EDNS option that permits large responses enabled) to those servers, forged so that the servers believe the queries came from the IP address the attacker wants to attack. The third-party DNS servers then respond with the 4000-byte text record, flooding the victim with large UDP packets. The attacker sends millions of these small, forged queries to the third-party DNS servers, and the DNS servers respond with a mass of DNS packets that drown the victim.
How do you defend against so massive an attack? First, make sure you have enough bandwidth to withstand small-scale floods. A single T1 line to the Internet is a real concern, because any malicious script kiddie can consume all of your bandwidth. If your connection is not mission critical, a T1 line is enough; otherwise you need more bandwidth to withstand small-scale floods. However, almost nobody can afford the bandwidth to absorb a DNS amplification attack of several gigabits per second.
So make sure you have on hand an emergency telephone number for your ISP that you can reach at any time. Then, if such an attack occurs, you can contact your ISP immediately and have them filter the attack upstream. To recognize the attack, look for large volumes of traffic consisting of DNS replies (source UDP port 53), and in particular for which hosts and ports are receiving large numbers of DNS records. Some ISPs have deployed sensors across their networks to detect early surges of various kinds of traffic, so your ISP may well recognize and block the attack before you notice it. Ask your ISP whether it has this capability.
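The "look for DNS replies with source UDP port 53" check above can be automated over flow records. The following is an added example, not part of the original article: the flow-log format (one line per flow: timestamp, source IP and port, destination IP and port, protocol, bytes, packets) and the sample lines are constructed, with 203.0.113.0/24 standing in for your own network and 198.51.100.x for open resolvers abroad. It aggregates inbound traffic from UDP port 53 per local host and flags a host either when the reply bit rate is high or when the replies vastly outnumber the DNS queries that host itself sent, since a legitimate resolver receives roughly one reply per query, whereas an amplification victim receives thousands of replies it never asked for.

```python
"""Flag inbound DNS-reply floods (UDP source port 53) in flow records.

Added example, not from the original article.  The flow format and the
sample lines are constructed; adapt parse_flow() to your collector's export.
"""
from collections import defaultdict

# Constructed flow format: epoch_seconds src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
1700000000 192.0.2.50 53 203.0.113.20 40001 udp 120 1
1700000000 203.0.113.20 40001 192.0.2.50 53 udp 64 1
1700000001 192.0.2.51 53 203.0.113.21 40002 udp 180 1
1700000001 203.0.113.21 40002 192.0.2.51 53 udp 62 1
1700000002 198.51.100.10 53 203.0.113.99 33421 udp 4100000 1000
1700000002 198.51.100.11 53 203.0.113.99 33421 udp 4100000 1000
1700000003 198.51.100.12 53 203.0.113.99 33421 udp 4100000 1000
1700000003 198.51.100.13 53 203.0.113.99 80 udp 4100000 1000
1700000004 198.51.100.14 53 203.0.113.99 80 udp 4100000 1000
"""


def parse_flow(line):
    ts, src, sport, dst, dport, proto, nbytes, pkts = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes), "packets": int(pkts)}


def detect_reply_floods(flow_text, local_prefix, min_mbps=10.0, max_reply_ratio=5.0):
    """Return {victim_ip: stats} for local hosts whose inbound DNS replies exceed `min_mbps`
    over the observed window, or outnumber the host's own outbound queries by `max_reply_ratio`."""
    inbound = defaultdict(lambda: {"bytes": 0, "packets": 0, "resolvers": set(),
                                   "first": None, "last": None})
    queries_sent = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53 and f["dst"].startswith(local_prefix):
            s = inbound[f["dst"]]                       # a DNS reply arriving at one of our hosts
            s["bytes"] += f["bytes"]
            s["packets"] += f["packets"]
            s["resolvers"].add(f["src"])
            s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
            s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
        elif f["dport"] == 53 and f["src"].startswith(local_prefix):
            queries_sent[f["src"]] += f["packets"]      # a query one of our hosts actually sent
    flagged = {}
    for host, s in inbound.items():
        window = max(1, s["last"] - s["first"] + 1)     # seconds covered by the flows seen
        mbps = s["bytes"] * 8 / window / 1e6
        ratio = s["packets"] / max(1, queries_sent.get(host, 0))
        if mbps >= min_mbps or ratio >= max_reply_ratio:
            flagged[host] = {"mbps": round(mbps, 1),
                             "reply_to_query_ratio": round(ratio, 1),
                             "resolvers": len(s["resolvers"])}
    return flagged


if __name__ == "__main__":
    for host, stats in detect_reply_floods(SAMPLE_FLOWS, "203.0.113.").items():
        print("possible DNS amplification victim %s: %s" % (host, stats))
```

The number of distinct resolvers is worth reporting as well: a flood arriving from many unrelated DNS servers at once is the signature the text describes, and it is also the list you hand to your ISP for upstream filtering.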
Finally, to keep a malicious person from using your DNS server as an amplifier in such an attack, ensure that any DNS server of yours reachable from outside performs recursive queries only for your own network, not for arbitrary addresses on the Internet. Most major DNS servers can limit recursion so that they accept recursive queries only from certain networks, such as your own. By preventing outsiders from using recursion to load harmful large DNS records into your server, you keep your DNS server from becoming part of the problem.
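The amplification arithmetic in the section above (a query of a few dozen bytes, a reply of some 4000 bytes once EDNS advertises a large UDP buffer) and the recursion check in the last paragraph both come down to the DNS wire format, so one added example serves both. This is not code from the original article: it builds a recursive query with an optional EDNS0 OPT record, parses a response header (QR, RD, RA flags, RCODE, section counts), computes the amplification factor from the two lengths, and classifies a server as an open recursor when it returns an answer with RA set, or as restricted when it answers REFUSED. The name amp.example., the 4000-byte TXT payload and the two responses are constructed locally so the block runs offline; probe() is the only part that touches the network and is meant for testing your own servers from outside your network.

```python
"""DNS wire-format helpers for measuring amplification and checking open recursion.

Added example, not from the original article.  Names, payload sizes and the
constructed responses are for illustration; probe() needs network access.
"""
import socket
import struct

QR, RD, RA = 1 << 15, 1 << 8, 1 << 7          # header flag bits
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name):
    """Encode 'a.b.example.' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_TXT, txid=0x1234, edns_udp_size=None):
    """Recursive query; with edns_udp_size, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS carries the requester's UDP payload size,
        # TTL carries extended RCODE / version / flags (all zero here), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def _question_of(query):
    qname_end = query.index(b"\x00", 12) + 1
    return query[12:qname_end + 4]                # QNAME + QTYPE + QCLASS


def build_txt_response(query, text, ttl=3600, ra=True):
    """Constructed reply: echo the question, answer with `text` as one TXT RR split into
    character-strings of at most 255 bytes, as the wire format requires."""
    txid, = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, QR | RD | (RA if ra else 0), 1, 1, 0, 0)
    chunks = (text[i:i + 255] for i in range(0, len(text), 255))
    rdata = b"".join(struct.pack("B", len(c)) + c for c in chunks)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, ttl, len(rdata) ) + rdata  # name = pointer to offset 12
    return header + _question_of(query) + rr


def build_refused(query):
    """Constructed reply of a properly restricted server to an outsider: RCODE REFUSED, no answer."""
    txid, = struct.unpack("!H", query[:2])
    return struct.pack("!HHHHHH", txid, QR | RD | RCODE_REFUSED, 1, 0, 0, 0) + _question_of(query)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


def recursion_state(response):
    """'open' if the server recursed and answered, 'restricted' if it refused, else 'unknown'."""
    h = parse_header(response)
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open"
    if h["rcode"] == RCODE_REFUSED:
        return "restricted"
    return "unknown"


def probe(server, name="www.example.", timeout=2.0):
    """Live check (network required): ask `server` to recurse for a name it is not authoritative for."""
    q = build_query(name, edns_udp_size=4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    return recursion_state(resp), amplification_factor(q, resp)


if __name__ == "__main__":
    q = build_query("amp.example.", edns_udp_size=4096)
    big = build_txt_response(q, b"A" * 4000)
    print("query %d bytes, reply %d bytes, factor %.1fx" % (len(q), len(big), amplification_factor(q, big)))
    print("open recursor:", recursion_state(big), "| restricted:", recursion_state(build_refused(q)))
```

Run probe() against your own external DNS servers from an address outside your network: the result you want after limiting recursion is "restricted", and any server that comes back "open" with a factor in the tens is exactly the amplifier the text warns about.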