A DNS Primer

We’ve seen a lot of fear, uncertainty and doubt around the DNSChanger botnet / malware recently, which has caused a lot of speculation about the security of DNS. But what is it, and why – if at all – should we worry?

Essentially, people find it easier to remember words than numbers, which is why we have domain names in the style that we do today, i.e. www.bbc.co.uk. But machines work with numbers, not words, so networks automatically convert these domain names into the IP addresses that we’re all familiar with. More specifically, devices such as PCs transmit web page requests to their ISP, and somewhere along the line, the ISP finds a Domain Name Server. The Domain Name Server translates the domain name (for example, www.yubnub.org) into an IPv4 or IPv6 address (for example, 207.7.108.156 or FE80:0000:0000:0000:0202:B3FF:FE1E:8329) and then into a binary IP address.

Domain Name Servers don’t store an infinite cache of these translations, so they’ll frequently bounce requests further up the chain to other servers until the IP address is found.

The DNSChanger Botnet infected user PCs and redirected DNS requests to rogue DNS servers, which misdirected traffic to pages with fake advertising on it, compromising 4m PCs and apparently generating $14m in revenue for the hackers. This is reasonably simple to do by editing the ipconfig settings on a machine and is probably how the DNSChanger malware worked. People have also long since used the HOSTS file on a PC to block undesirable websites by changing how computers process domain name requests – it doesn’t always have to be done at the server level.

There are further possible misapplications of DNS hacking, and the FUD has been extensive. However, for a long time, we have been talking about the possibilities of DNSSec, digitally signing DNS transactions using PKI, making sure that servers are valid and that data is not changed in transit.

DNSSec doesn’t encrypt data or provide confidentiality, but it does make sure that data has come from – and is going to – the right place. Whilst this will generate more demands on processing for web servers, they can look into DNS offload, putting the DNS processing onto different servers in much the same way as SSL offload is already done by many servers. This chain of trust would have prevented the DNSChanger from operating, and would also stop ‘cache poisoning’.

DNS can seem like a reasonably harmless thing to corrupt, falling more into ‘mischievous’ than ‘malicious’ hacking, but DNSChanger malware – as evidenced by the four million compromised PCs and $14m of revenue – has proved otherwise.

Whilst we should always be careful to avoid jumping at every ‘movie plot threat’ as Bruce Schneier says, DNSSec would certainly solve a multitude of problems reasonably easily. And for this reason, it should be worth a look.