DNS is one of the primary technologies enabling the Internet – translating the names people type into a browser into IP addresses so the requested service can be found on the internet. It is one of the key elements in the network that delivers content and applications to the user. If DNS goes down, most web applications will fail to function properly, so it is critical to have a strong, secure and scalable DNS infrastructure.
A bunch of recent DNS outages show that while protecting the application from the typical SQLi, XSS and other OWASP Top 10 related risks is important, if DNS is not answering, those application hacks do not really matter since no one can get to the site anyway.
This month, 3 Dutch web hosting companies had their name servers altered by attackers. According to articles, the attackers changed the companies' name servers to malicious servers that they hosted. They apparently managed to break into the national domain registrar, SIDN, to make the malicious change, and set the Time to Live value to 24 hours. This meant that any ISP that cached the bad information would continue to deliver the wrong address for the next day. Among others, a large Dutch electronic retailer had to take down a bunch of servers that were delivering malware due to the breach, but thousands of domains were affected.
Also in June, DNSimple detected a DNS Amplification Attack on their network. This is where an attacker attempts to use additional servers to 'amplify' the attack - small queries that turn into huge responses. Instead of allowing the bounce, DNSimple tried to absorb the attack by blocking some IP addresses, but ultimately all the name servers stopped responding. It was all hands on deck to respond. In their incident report, they noted that their current DNS server implementation allowed ANY queries on UDP to pass through and attempted to respond to them, albeit with the TC (truncation) bit set. In addition, the overhead created by their ALIAS resolution system was also a factor, especially with ALIAS records pointing to other records within DNSimple. With some adjustments, they hope to keep this from happening again.
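As an added illustration (not DNSimple's code, and not taken from their incident report), the sketch below shows one possible policy for the ANY-over-UDP problem described above: parse the incoming query and, when it is an ANY query arriving over UDP, answer with a header-plus-question REFUSED reply that is never larger than the query, so the server neither amplifies nor spends resolution work on it. The function names, the REFUSED policy and the sample query are assumptions made for this example.

```python
import struct

QTYPE_ANY = 255      # the "ANY" (*) query type
RCODE_REFUSED = 5

def parse_query(msg: bytes):
    """Parse a single-question DNS query: (txid, flags, qname, qtype, end_of_question)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, pos + 4

def answer_any_over_udp(msg: bytes, transport: str):
    """Return a REFUSED reply for ANY over UDP, else None (resolve normally)."""
    txid, flags, _qname, qtype, end = parse_query(msg)
    if transport != "udp" or qtype != QTYPE_ANY:
        return None
    reply_flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED  # QR=1, copy RD bit
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + msg[12:end]  # header + echoed question, no records

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a plain recursive query with no EDNS."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    query = build_query("example.com", QTYPE_ANY)
    reply = answer_any_over_udp(query, "udp")
    print(len(query), len(reply), reply[3] & 0x0F)
```

Because the reply carries no answer records, the response-to-query size ratio stays at or below 1, which removes the incentive to bounce traffic off the server.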
We rely on DNS for almost every interaction we have with web applications. It helps us find our favorite e-tailer, social network, travel, news, gaming or entertainment site, along with potentially finding our work-related resources when we are mobile. For organizations, it helps direct and bring people to your content. Without it, our letter-managed minds would have to start remembering a bunch of numbers. Imagine how much you'd use the internet if you had to remember dozens of number combinations to do anything. I bet the growth, the internet of everything, would come to a screeching halt.