Design, Implementation and Monitoring of The Firewall System For A DNS Server Protection
Abstract—Today DNS servers run on many different applications and operating systems, which means there are many options for protecting a DNS server. Each regular application has implemented security mechanisms that protect the system from standard attacks. The DNS service works on the application layer; however, it is possible to prevent many threats already on lower layers. This paper deals with DNS security mechanisms applicable on the transport and network layers. The proposed protection technique is based on traffic shaping, flow filtering and prioritization. The presented experiments were performed in a subarea of a real campus network that is used by students and university staff. Because of the implemented security mechanisms, the performance of the DNS service for internal users has not been affected.

Keywords—domain; DNS; server; firewall;

I. INTRODUCTION

Firewall systems are generally known as systems for filtering traffic according to an IPv4 or IPv6 address, MAC address or port number. Firewalls are usually used when there is a need to restrict access to a specific part of a network or a host, with rules based just on the parameters mentioned above. However, firewall systems are more sophisticated and more effective if they apply a specific policy at a specific place in the network topology according to the protected protocol or network service. The sophisticated approach means that the firewall uses more features, like traffic shaping, more TCP parameters than only the port number, limits based on the number of connections, logging, etc.

The Domain Name System uses both transport-layer protocols (TCP and UDP). Users send Query messages and get Replies on UDP port 53; however, servers between themselves usually use TCP on the same port number, for example during the zone exchange. Because of this, one can assume communication over UDP for a caching DNS server and mostly TCP for an authoritative DNS server. The difference between authoritative and caching DNS servers is described in RFC documents [1].

We can divide attacks on DNS into two big categories. The first category (Denial of Service attacks) tries to make the service unusable. In the second category the DNS server is not directly the victim but serves as an amplifier of the performed attack, which means that the production DNS server turns into an attacker. Both types of attacks are undesirable, but the first category is more dangerous. A small subcategory of the second category is the use of the DNS server within a man-in-the-middle attack.

II. POPULAR ATTACKS ON A DNS SERVICE

A. Cache poisoning

The attacker tries to add his own DNS record into the cache of the server, so that DNS will point to a fake IP address. This is very often used by attackers instead of old phishing methods, where the user can see the suspicious URL. The attacker creates a fake bank website and imports into the provider's caching DNS a record pointing to the IP address of his fake site. The client of the victim bank has no chance to recognize the difference.

In the past, attacks used just a vulnerability of DNS applications; today the attacker first has to disable the authoritative DNS server of the victim URL, or at least respond before it. When a DNS caching server obtains a query for a domain which it does not have in cache, it asks an authoritative server and waits for its reply. One method of avoiding this problem is using DNSSEC [2]. Cache poisoning belongs to the application layer and the firewall is inefficient here.

B. Amplifying DNS attack

These attacks are a good example of why to use the firewall to protect your DNS servers. Amplifying attacks use one big disadvantage of a DNS server: if the DNS server receives a Query of a couple of bytes, the responses are several times bigger. As you can see on Figure 1, captured by Wireshark, legitimate communication (for a type A record) was amplified 4.4 times.

Figure 1: Sample of a DNS Query and DNS Reply size

The value of Length shows the size of the Ethernet frame in bytes. However, these are standard Queries (types A and AAAA) which carry only the necessary information for a typical user. The problem arises when the user requests the information of the whole domain with the record type ANY. On Figure 2 the user requested all records for the domain google.com and got a response that contains only a few records. The amplification factor in this example is only 7.7, because the google servers are perfectly administered and secured.
Authorized licensed use limited to: Consortium - Saudi Arabia SDL. Downloaded on September 26,2020 at 21:45:58 UTC from IEEE Xplore. Restrictions apply.
A badly configured DNS server can amplify the data flow 40 - 60 times.

D. DNS Hijacking

This is a similar attack to cache poisoning, but the attacker changes records on an authoritative DNS server. Usually the only option for performing such a difficult attack is to break into the operating system which runs the server, and then edit the records directly in the service daemon. Attackers usually exploit operating system holes.

As seen on Figure 6, the border which divides the whole bandwidth into the allowed band and the prohibited area is called the threshold. Traffic passing the threshold is drawn by a dashed line and is dropped.

Figure 7: Traffic shaping - buffering overload
The principle of real traffic shaping is shown on Figure 7, where the original traffic, drawn by a dashed line, is shaped. The shaped traffic is drawn by a thick line. Overload traffic is stored in a buffer memory, where it waits until less traffic flows through the line, and then the stored traffic is sent.

B. Quality of Service

By marking specific traffic with a label it is possible to assign a priority to this traffic. The traffic with higher priority is prioritized.

B. Prohibited networks

The firewall should also have typical elements like deny all private IP addresses described in RFC 1918 [3], deny all packets with the loopback source address, DHCP auto-configuration address or multicast (class D) and experimental addresses (class E), etc.

approach is that the DNS attacks from the Internet can never exhaust the whole bandwidth and the server is always accessible at least from the LAN and subnet, for example also for management purposes.

In this case, the model works only for the traffic related to port 53, which is DNS traffic. It is possible to adapt traffic shaping and QoS for a specific port range or the whole line.

It is possible to reserve some bandwidth for large trusted recursive DNS servers, like Google, and ensure that a large part of the Internet will always have access to the records. This kind of approach cannot ensure 100% protection from DoS and DDoS, but it can ensure that there will not be a 100% blackout.
    ## Rules for DNSv4
    $cmd 400 queue 1 ip from $ktam4 to $ipv4 53
    $cmd 401 queue 2 ip from $uniza4 to $ipv4 53
    $cmd 402 queue 3 log ip from any to $ipv4 53
    ## Rules for DNSv6
    $cmd 403 queue 1 ip6 from $ktam6 to $ipv6 53
    $cmd 404 queue 2 ip6 from $uniza6 to $ipv6 53
    $cmd 405 queue 3 ip6 from any to $ipv6 53

Figure 10: Firewall configuration example

Firstly, three pipes are created, each with a specific throughput in kbps. Next, priority values are assigned to these pipes. Finally, each pipe is assigned to a specific network type, firstly for IPv4 and secondly for IPv6 traffic. Networks are represented by variables.

VI. TRAFFIC MONITORING

It is a good approach to monitor the traffic passing the firewall, or generally the traffic aimed at the DNS. If the system administrator is able to monitor the actual load in each pipe, he will be informed about a traffic jam in some of them and he can investigate the reasons.

The traffic shaping design helps to monitor the services remotely by means of SNMP or another protocol even during a DNS DoS attack, because there is free link capacity for non-DNS traffic. Therefore, the administrator is able to connect to the server during the attack and administer the system remotely.

However, when the administrator reserves some bandwidth for management traffic, he can still get detailed information about which part or service does not work and can still connect to the device with remote access.

If one monitors just the traffic flows to the DNS, it is at least possible to have statistical information about the average traffic. Sometimes it is possible to see traffic bursts as peaks in a graph. This means that high traffic passes in a short time, e.g. new DNS record queries arriving. If it is possible to observe high traffic for a long time, it will be necessary to consider the fact that some attack occurred (Figure 11). With an empirical study of the traffic it is possible to identify normal behavior and unusual behavior. However, it is important to realize that every unusual traffic behavior is a potential attack which is occurring, or a service failure.

Anyway, it is really necessary to monitor the passing traffic load as well as other parameters, like service status, especially when the server runs more than one service, because the traffic can flow no matter whether the one service is running or not. You can also monitor server resources, because some attacks are more sophisticated, which is possible to see right on the resource graphs while the traffic graph shows normal output. For these purposes it is possible to use many open-source services (RRDTOOL) as well as commercial services.
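The Figure 10 rule set and the pipe behaviour of Figures 6 and 7, modelled in Python as an added illustration that is not the paper's code and not an ipfw implementation. The prefixes standing in for $ktam4, $uniza4, $ktam6 and $uniza6 are constructed documentation ranges, and strict priority between the three queues is an assumption made for the model.

```python
import ipaddress
from collections import deque

# Constructed placeholders for the paper's $ktam4/$uniza4/$ktam6/$uniza6 variables (documentation prefixes).
KTAM4 = ipaddress.ip_network("192.0.2.0/24")
UNIZA4 = ipaddress.ip_network("198.51.100.0/24")
KTAM6 = ipaddress.ip_network("2001:db8:1::/48")
UNIZA6 = ipaddress.ip_network("2001:db8:2::/48")

# Mirror of the Figure 10 rules: (rule number, IP version, source network or None for
# "any", queue, log flag). First match wins, as ipfw evaluates rules in ascending order.
RULES = [
    (400, 4, KTAM4, 1, False), (401, 4, UNIZA4, 2, False), (402, 4, None, 3, True),
    (403, 6, KTAM6, 1, False), (404, 6, UNIZA6, 2, False), (405, 6, None, 3, False),
]

def classify(src, dst_port):
    """Return (rule, queue, log) for a packet to the DNS port, or None if no rule matches."""
    if dst_port != 53:
        return None
    addr = ipaddress.ip_address(src)
    for rule, version, net, queue, log in RULES:
        if addr.version == version and (net is None or addr in net):
            return rule, queue, log
    return None

def shape(ticks, pipe_bytes_per_tick, buffer_bytes):
    """Simplified dummynet-style pipe. Each tick, arriving (src, size) packets go to their
    queue's buffer; what does not fit is dropped (traffic above the Figure 6 threshold),
    the rest waits (Figure 7). The link budget is then served in strict queue priority
    (an assumption: queue 1 before 2 before 3). Returns bytes sent and dropped per queue."""
    buffers = {q: deque() for q in (1, 2, 3)}
    backlog, sent, dropped = ({q: 0 for q in (1, 2, 3)} for _ in range(3))
    for arrivals in ticks:
        for src, size in arrivals:
            _, queue, _ = classify(src, 53)
            if backlog[queue] + size > buffer_bytes:
                dropped[queue] += size          # buffer full: packet is discarded
            else:
                buffers[queue].append(size)
                backlog[queue] += size
        budget = pipe_bytes_per_tick
        for queue in (1, 2, 3):                 # higher-priority queue drains first
            while buffers[queue] and buffers[queue][0] <= budget:
                size = buffers[queue].popleft()
                budget -= size
                backlog[queue] -= size
                sent[queue] += size
    return sent, dropped
```

With a pipe of 300 bytes per tick and a 300-byte buffer, a burst of five Internet-sourced queries in one tick loses two of them while the local and campus queues are served untouched, which is exactly the protection the rule order is meant to give.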
A. Attacker's Terminal

The attacker uses a common personal computer with the Kali Linux [6] operating system installed. This Linux distribution is very popular for penetration tests. To perform the TCP SYN Floods, the attacker uses a specially adapted console, called msfconsole, which is the Metasploit console. In the console a script for performing the attack is executed, msf > use auxiliary/dos/tcp/synflood, and next the parameters such as the IP address and TCP port number of the victim were configured. The picture shows the attacker's console performing the TCP SYN Flood attack (Figure 13).

B. Normal operation

During the normal operation of the monitored DNS servers, the maximal outgoing traffic was around 7 kbps and the operational traffic from 5 kbps to 1 kbps depending on the part of the day (Figure 13). Monitoring was measured with SNMP, processed by RRDTOOL into graphical output, and backup measuring was done again with SNMP and MRTG.

The upper graph (Figure 13) shows higher outgoing traffic than incoming during the work hours. This occurs because the DNS reply is much bigger than the query, as was explained earlier. Also during the work hours the master server gets more DNS traffic than the other one (Figure 13). On the second graph there are peaks because the server also runs the monitoring and graphing service for both.
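The monitoring rules of section VI (short peaks versus long elevated runs, and load that is visible only on resource graphs) together with the normal-operation figures of section B, turned into a small detection routine as an added example that is not the paper's tooling; the sample series and the "mean plus three standard deviations" ceiling are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed samples (kbps per interval and CPU percent), not the paper's measurements.
REFERENCE_DAY = [1, 2, 3, 4, 5, 5, 4, 3, 2, 1, 2, 3]      # a quiet reference period
MONITORED = [2, 3, 9, 3, 2, 30, 38, 36, 35, 37, 3, 2]      # later period: one peak, one long plateau
CPU_PERCENT = [5, 6, 8, 55, 58, 60, 70, 72, 69, 71, 5, 4]  # server load sampled at the same times

def baseline_threshold(reference, k=3.0):
    """Empirical 'normal' ceiling learned from a reference period: mean plus k standard deviations."""
    return mean(reference) + k * pstdev(reference)

def runs_above(samples, threshold):
    """Yield (start, end) index pairs of maximal consecutive runs where samples exceed threshold."""
    start = None
    for i, value in enumerate(samples):
        if value > threshold and start is None:
            start = i
        elif value <= threshold and start is not None:
            yield start, i - 1
            start = None
    if start is not None:
        yield start, len(samples) - 1

def classify_traffic(samples, threshold, sustained_len):
    """Label each elevated run: a short peak is a 'burst' (e.g. new record queries arriving);
    a run of at least sustained_len samples is 'sustained' and is a possible attack until
    explained. Each event is (start, end, kind, peak value)."""
    events = []
    for start, end in runs_above(samples, threshold):
        kind = "sustained" if end - start + 1 >= sustained_len else "burst"
        events.append((start, end, kind, max(samples[start:end + 1])))
    return events

def resource_only_anomalies(traffic, cpu, traffic_thr, cpu_thr):
    """Indices where server load is abnormal while the traffic graph still looks normal: the
    case the paper notes is visible only on resource graphs."""
    return [i for i, (t, c) in enumerate(zip(traffic, cpu)) if c > cpu_thr and t <= traffic_thr]

if __name__ == "__main__":
    thr = baseline_threshold(REFERENCE_DAY)
    print(f"normal ceiling: {thr:.1f} kbps")
    for start, end, kind, peak in classify_traffic(MONITORED, thr, 3):
        print(f"samples {start}-{end}: {kind}, peak {peak} kbps")
    print("load anomaly without traffic anomaly at samples:",
          resource_only_anomalies(MONITORED, CPU_PERCENT, thr, 50))
```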
Figure 16: TCP SYN Floods on the Master DNS

the outside of the LAN, but as it is possible to see on the picture (Figure 16), the server is processing at least the queries which were not shaped. Incoming traffic is around 38 kBps, some packets were dropped and around 12 kBps was sent out. From outside of the network the response was the same as on Figure 14. However, from the inside of the network the queries were served.

    > server 158.193.227.150
    Default Server: [158.193.227.150]
    Address: 158.193.227.150
    > kt.uniza.sk
    Server: [158.193.227.150]
    Address: 158.193.227.150
    Name: kt.uniza.sk
    Address: 158.193.214.233

Figure 17: Console output - DNS service allowed

IX. CONCLUSION

There are many servers protected by firewalls; however, the rules in the firewalls are very strict, or better said, static. We have shown how a firewall can dynamically adjust the traffic to ensure that at least some packets arrive when the DNS service is under attack. In the paper, we present instructions for the creation of rules for traffic shaping and prioritizing. The purpose is to ensure connectivity for the objects of high demand. All presented methods were tested in a real environment and their advantage was proved. As mentioned above, traffic shaping and QoS have been explained and described many times earlier; however, this paper shows the advantages of these features on a specific example in a real network environment where the DNS servers are bothered by some attacks every day.

REFERENCES

[1] P. Mockapetris, "Domain Names – Implementation and Specification", IETF: RFC 1035, 1987.
[2] Yu Xi, Ch. Xiaochen, X. Fangqin, "Recovering and Protecting against DNS Cache Poisoning Attacks", IEEE, pp. 120-12, 2011 [2011 International Conference of Information Technology, Computer Engineering and Management Sciences].
[3] "Address Allocation for Private Internets", RFC 1918, https://tools.ietf.org/html/rfc1918
[4] "DNS Best Practices, Network Protections, and Attack Identification", http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html
[5] "IPFW FreeBSD Man Pages", https://www.freebsd.org/cgi/man.cgi?ipfw%288%29
[6] Daian Daniel-Simon, Giura Dan-Horia, "Traffic shaping and traffic policing impacts on aggregate traffic behaviour in high speed networks", IEEE, pp. 465-467, 2011 [6th IEEE International Symposium on Applied Computational Intelligence and Informatics].
[7] Z. Jiang, I. Joe, "Efficient Bandwidth Utilization and Congestion Control Through Network Traffic Analysis", IEEE, pp. 280-283.
[8] "Kali Linux", https://www.kali.org/
[9] Bo Hang, Ruimin Hu, "A Novel SYN Cookie Method for TCP Layer DDoS Attack", IEEE, pp. 445-448, 2009, International Conference on Future BioMedical Engineering.