
Published on January 30th, 2019


DNS DDoS Attack Protections to be Forcefully Enabled for Non-Compliant Sites

Multiple DNS software and service providers will update their DNS software to speed up DNS traffic and fight DDoS attacks by removing the DNS resolver workarounds that still accommodate numerous non-compliant DNS authoritative servers.

The change will be added by major resolver vendors (i.e., ISC, CZ NIC, NLNET Labs, PowerDNS) to their open source DNS resolvers, an update that will directly affect all authoritative servers that "do not comply either with the original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891)."

According to the DNS Flag Day GitHub page:

The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019. This change affects only sites which operate software which is not following published standards.

At the moment, CZ.NIC, Cloudflare, NLnet Labs, CleanBrowsing, ISC, PowerDNS, Facebook, Cisco, Google, and Quad9 are the DNS software and service providers backing this initiative.

As suggested at the beginning, besides the obvious gain in speed from lower DNS traffic latency and the easier addition of new DNS protocol features, the most important consequence of these upcoming changes in DNS systems is a new capability for DNS providers to fight back against and weaken DDoS attacks that abuse the DNS protocol.


Moreover, according to the Internet Systems Consortium (ISC) blog:

These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse.


Domain holders are advised to check whether their websites are ready for the February 1st change, since "sites hosted on incompatible authoritative servers may become unreachable through updated resolvers."

The DNS Flag Day website provides a diagnostic tool which domain holders can use to check for DNS issues and receive advice on what steps they have to take to avoid being impacted.
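To make the compliance problem concrete, here is an added example (not the DNS Flag Day tool's own code) that builds an EDNS(0) query in DNS wire format and classifies a reply the way an updated resolver would: an OPT record echoed back (compliant), a FORMERR (legacy server), or no reply at all (the case that is no longer retried without EDNS after the flag day). The sample replies are constructed fixtures, not captured traffic; the 1232-byte UDP size is an assumption.

```python
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR = 1      # "Format error": the classic reply from a pre-EDNS server

def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        off += 1 + length

def build_edns_query(qname: str, qtype: int = 1, txid: int = 0x1234, udp_size: int = 1232) -> bytes:
    """Standard query (RD set) for qname with one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def classify_edns_response(resp) -> str:
    """'timeout' (no reply), 'formerr', 'edns' (OPT echoed back) or 'no-edns' (answered, OPT dropped)."""
    if resp is None:
        return "timeout"    # after flag day a resolver no longer retries such a server without EDNS
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x0F == RCODE_FORMERR:
        return "formerr"
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == OPT_TYPE:
            return "edns"
        off += 10 + rdlen
    return "no-edns"

def constructed_response(query: bytes, rcode: int, echo_opt: bool) -> bytes:
    """Constructed fixture (not a real server's reply): echo the question, set QR + rcode, optionally add an OPT."""
    q_end = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8000 | rcode, 1, 0, 0, int(echo_opt))
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0) if echo_opt else b""
    return header + query[12:q_end] + opt
```

Sending `build_edns_query(...)` over UDP to each authoritative server of a zone and feeding the reply (or `None` on timeout) to `classify_edns_response` gives a rough local version of the check the diagnostic tool performs.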

DNS changes to help reduce DNS-based DDoS attacks

Although neither the ISC nor the DNS Flag Day page directly names which types of DNS-abusing DDoS attacks could be reduced by these changes in DNS resolver software, DNS flood and DNS amplification attacks are most probably the main culprits, although cache poisoning and fast flux DNS attacks, among others, may also very well be affected by future changes in DNS resolver software.

In the first case, according to Cloudflare, a domain's DNS servers are flooded with DNS requests to disrupt its DNS resolution services; attackers with access to large-scale IoT botnets usually aim this at major providers in order to disrupt the highest possible number of targets.

DNS amplification attacks, on the other hand, use another weakness in DNS servers which allows attackers to generate huge amounts of traffic with the help of poorly configured open DNS resolvers which are instructed to send their responses to the target of the attack.

Owners of huge botnets can successfully use this type of attack to both remove the targeted machine from the Internet altogether by causing a denial-of-service state and hide their true identity.

The ISC blog post concludes with this summary of the goal behind the changes soon to be implemented in DNS resolvers:

"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."
