Building a resilient, secure DNS infrastructure.

DNS is inherently insecure and exposed. F5 customers have been seeing a spate of DNS attacks and DNS denial of service lately, and I thought it would be a good idea to analyze a few of the common attack vectors, and ways F5s GTM, or LTM DNS Services helps mitigate these attacks, and protect your DNS infrastructure.

For many years we’ve commonly deployed GTM in delegated mode, where we create a CNAME for the GTM, and then redirect specific hostnames that require global load balancing to the GTM. But much more common today is the deployment called authoritative screening, where all DNS requests are passed through the GTM. This provides us much more control, scale and security of our DNS traffic.

 

 

 

Three of the most common DNS based attacks :

DNS cache poisoning

DNS cache poisoning occurs when rogue users spoofing or imitate DNS responses to poison DNS caches. This is often used as part of a phishing attacks.

F5 helps mitigate this issue by:

  • DNSSEC – Signing DNS responses, creating a chain of trust with the root DNS.
  • Locking down open recursive DNS servers (to only service your users subnets)
  • Limit who can perform zone transfers on your DNS BIND/Windows hosts (lock down to only GTM's and internal DNS servers)

 

DNS DDoS / request flooding

DNS request flooding is often instigated by sending malformed padded DNS requests, sometimes combined with traditional SYN flooding.

F5 helps mitigate this attack by:

  • DNS protocol enforcement – New in v11, DNS packet checking, dropping malformed or garbage requests.
  • DNS rate limiting.
  • DNS Express – High performance Authoritive slaving to shield DNS hosts and handle large transaction volumes.
  • IP Anycast
  • SYN cookies & connection reaping – TMOS feature, explained in detail here : http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7847.html

 

DNS Amplification/reflection attack

This attack combines a DNS request for something that's going to be a large response, like a TXT or DNSSEC signed response, with IP spoofing. The attacker sends a DNS request to a compromised/open recursive DNS host, spoofing the request to look like it was made by your DNS server. Your DNS then suddenly receives all these large DNS responses it didn't make in an attempt to overwhelm it.

F5 helps mitigate this attack by:

  • DNS rate limiting
  • IP Anycast
  • DNS Express
  • Dropping uninitiated responses

In v11, F5 included a DNS parser in GTM & LTM DNS Service that enables us to inspect and act on any DNS attributes. These might be on certain computationally expensive record types, or on large DNS lengths. Some example rules that may be effective here:

 

when DNS_REQUEST {

                  if { ([DNS::rrtype] eq "TXT") } {

                      rateclass dns_rate_shape

                  }

                }

when DNS_RESPONSE {

                  if { ([DNS::len] value > 512) } {

                      rateclass dns_rate_shape

                  }

                }

When we combine these configurations with IP Geo-location and IP reputation, as well as F5’s ICSA certifications, services firewall and platform hardening, we end up with the capability to build out a resilient, robust and secure DNS infrastructure.

Related topics :

F5 DNSSEC

BIG-IP platform hardening

F5 ICSA platform certifications

Mitigating Denial of Service with BIG-IP

Published Oct 05, 2012
Version 1.0
No CommentsBe the first to comment