Monitoring for DNS Security

Date post: 20-Jan-2017
Upload: thousandeyes
DNS Series Part 2: Monitoring for DNS Security Young Xu, Product Marketing Analyst
Transcript

2

DNS Webinar Series

•  Intro to DNS (November 15th 2016): An overview of the Domain Name System, resources, records, name resolution and name servers.

•  DNS Security (December 13th 2016): Tips and examples covering DNS hijacking and DDoS attacks on DNS infrastructure.

•  Monitoring DNS Records and Servers (January 17th 2017): An in-depth view on how to monitor and alert on DNS availability, response time and record mappings.

3

About ThousandEyes

ThousandEyes delivers visibility into every network your organization relies on.

•  Founded by network experts; strong investor backing

•  Relied on for critical operations by leading enterprises

•  Recognized as an innovative new approach

•  31 of the Fortune 500; 5 of the top 5 SaaS companies; 4 of the top 6 US banks

4

Two DNS Security Threats

•  DDoS: Saturates network links, hardware or servers to deny service

•  DNS Hijacking & Poisoning: Spoofs DNS mappings to reroute traffic to a malicious endpoint

5

Network Topology of a DDoS Attack

Attackers flood your web service from around the world

[Diagram: traffic from Chicago, IL; London; Tokyo; Atlanta; Portland, OR and Sydney crosses the Internet to domain.com in the Enterprise]

6

Cloud-Based DDoS Mitigation

Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network

[Diagram: traffic from Chicago, IL; London; Tokyo; Atlanta; Portland, OR and Sydney crosses the Internet to a Scrubbing Center in front of domain.com in the Enterprise]

7

Monitoring for DDoS Attacks

•  Global Availability

•  Mitigation Deployment

•  Mitigation Performance

•  Vendor Collaboration

8

DNS Hijacking

9

DNS Cache Poisoning

[Diagram: User; Local DNS Cache (unsecured DNS server, no DNSSEC, no port randomization); Authoritative DNS Server (dns.website.com); www.website.com; Attacker; Attacker DNS Server (dns.attack.com); www.attack.com]

1  Attacker inserts a false record into the DNS cache

2  User requests DNS record for www.website.com

3  Looks up record on spoofed name server

4  User accesses spoofed URL

10

Monitoring for DNS Hijacking & Poisoning

•  Global Availability

•  Verify Mappings

•  DNSSEC Validation

•  Alerting

11

Monitoring for DNS Security

1  On-Premises DNS: Local caching resolvers and self-hosted DNS

2  Hosted DNS: Authoritative, TLD and Root Name Servers

[Diagram: Enterprise Agents in the Branch and Data Center; Cloud Agents & DNS+ Vantage Points in Access Networks; Internet; Managed DNS Provider]

12

Alerting for DNS Security

Each entry lists Scenario, then Test Type: Threshold.

DDoS - Performance Impact

•  DNS Server, DNS+ Domain, DNS+ Server: Resolution Time ≥ _____ms

•  DNS Server, DNS Trace: Error is present

•  DNS+ Domain: Availability ≤ _____%; Reference Availability ≤ _____%

DDoS - Mitigation Activation

•  BGP: Origin ASN in _____; Next Hop ASN in _____; Prefix not in _____

DNS Hijacking & Poisoning

•  DNS Server, DNS Trace: Mapping not in _____

•  DNS+ Domain: Mapping not in _____; % of Mappings > _____%
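
An added example, not from the webinar or from ThousandEyes: a minimal Python evaluation of the two DNS Hijacking & Poisoning thresholds above ("Mapping not in" and "% of Mappings >"). It assumes "% of Mappings" means the share of answering vantage points that returned a record outside the allowlist; the vantage names, the addresses (documentation ranges) and the 10% default are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: allowlist of expected mappings for the monitored name, as CIDRs.
EXPECTED = ["192.0.2.0/24"]

# Constructed observations: (vantage point, A records it resolved). Not real data.
OBSERVATIONS = [
    ("Chicago, IL", ["192.0.2.10"]),
    ("London", ["192.0.2.11"]),
    ("Tokyo", ["203.0.113.66"]),
    ("Atlanta", ["192.0.2.10"]),
    ("Portland, OR", ["203.0.113.66"]),
    ("Sydney", []),  # resolution failed at this vantage point
]


def evaluate_mappings(observations, expected, max_bad_pct=10.0):
    """Check 'Mapping not in <allowlist>' per vantage point, then compare the
    share of vantage points with an unexpected mapping to the threshold."""
    allowed = [ipaddress.ip_network(net) for net in expected]
    offenders = {}          # vantage point -> unexpected addresses it returned
    unexpected = Counter()  # unexpected address -> number of vantage points
    answered = 0
    for vantage, records in observations:
        if not records:
            continue  # no answer is an availability problem, not a mapping one
        answered += 1
        bad = [r for r in records
               if not any(ipaddress.ip_address(r) in net for net in allowed)]
        if bad:
            offenders[vantage] = bad
            unexpected.update(set(bad))
    bad_pct = 100.0 * len(offenders) / answered if answered else 0.0
    return {
        "offenders": offenders,
        "unexpected": dict(unexpected),
        "bad_pct": bad_pct,
        "alert": bad_pct > max_bad_pct,
    }


if __name__ == "__main__":
    result = evaluate_mappings(OBSERVATIONS, EXPECTED)
    for vantage, bad in result["offenders"].items():
        print(f"{vantage}: unexpected mapping {', '.join(bad)}")
    print(f"{result['bad_pct']:.0f}% of vantage points affected, "
          f"alert={result['alert']}")
```

The per-address counts in `unexpected` show how widely one spoofed record has spread, which helps separate a single poisoned resolver from a change at the authoritative source.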

13

Tips for Secure DNS Management

•  Stay informed about new vulnerabilities

•  Automated patch management

Operational Protocol

•  Global DNS integrity monitoring with alerts

•  DNSSEC

Architecture

•  Service resiliency

•  Avoid single points of failure

•  Diversify DNS providers

Read more: https://blog.thousandeyes.com/secure-dns-management-best-practices/

Demo

15

DDoS: Dyn Sees Availability and Loss Issues

•  Low of 0% availability

•  Correlates with 100% packet loss

16

DDoS: Dyn Traffic Terminates in Telia

•  Anycast IP accessible from some locations

•  Traffic terminating in Telia network

17

DNS Hijack: Craigslist Records Compromised

•  Spoofed mapping

•  Vantage points with spoofed record

•  Prevalence of spoofed mapping over time

18

Networks with Records to Flush

•  Breakdown available by country and network

•  Number of vantage points with spoofed records

19

See what you’re missing.

Watch the webinar:

https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar

