Sonicwall Signatures

Category: DNS

DNS Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to DNS attacks. DNS (Domain Name System) servers operate by serving clients with information about a particular domain or subdomain, and are a critical part of internet and e-mail communication. For example, web browsers like Firefox or Internet Explorer require a URL like "http://www.sonicwall.com". Once it is entered, the client system sends a DNS request to a DNS server. The server maps the domain name to an IP address (a number assigned and used much like a phone number) that the browser can use to request web pages. DNS servers also point to other servers, for example mail servers or lower-level DNS servers. SMTP servers, the servers that deliver e-mail, rely heavily on DNS to deliver e-mail to the proper destination. However, because DNS servers provide a large amount of information about networks, and because they are central to processing inbound and outbound network traffic, they are an attractive point of attack.

DNS attacks come in four main varieties. Data mining attacks simply seek information for future attacks through zone transfers. Zone transfers are usually requested by remote DNS servers attempting to serve their own users' requests for an IP address in the local domain. These transfers hand the remote DNS server a database of IP address mappings, timestamps, and occasionally other information such as the version numbers of software running on local servers. Attackers often pretend to be remote servers requesting a zone transfer in order to gather information about a network and locate vulnerabilities that they can exploit to break into the network later.

DNS spoofing attacks take advantage of DNS servers' routing function to misroute traffic. One way attackers can achieve this is through cache poisoning. Cache poisoning exploits the fact that DNS servers often perform zone transfers to cache the name-to-IP maps locally so that they can route traffic more quickly. An attacker can trick a DNS server into accepting a corrupted zone transfer that maps domain names to different IP addresses, rerouting users to unexpected, often malicious content while denying them access to the sites that they have requested.

Denial of service attacks target DNS servers to all but shut down inbound and outbound traffic for a specific domain. Denial of service attacks can take many forms. Attackers can, for example, try to tie up all available connections on a DNS server by making a large number of TCP requests that require the server to keep connections open; one way is to make a large number of zone transfer requests. Attackers can also deny service to the back end of a server by "locking" the database so that administrators cannot update it. Zone transfers can also be used for this type of attack, since a server performing a zone transfer usually keeps an administrator from changing the content of the database while it is being transferred. While these two types of attacks can be a nuisance, they are not crippling, because they rely mostly on TCP connections and most traffic that DNS servers serve is over UDP.

Finally, buffer overflow attacks exploit vulnerabilities in the software that usually runs on DNS servers. To handle requests, the vast majority of DNS servers run BIND (Berkeley Internet Name Domain) software, which has a large number of known vulnerabilities. Attackers can send unpatched servers carefully malformed requests that cause the server to execute arbitrary code, giving attackers control over the machine, or cause it to crash. In the first case, attackers can use the compromised server for data mining, for rerouting inbound and outbound traffic by changing entries on the server, or for targeting attacks at computers inside the network. In the second case, a crashed DNS server can shut down most inbound and outbound traffic for a domain, since end users will not be served the proper IP addresses for content or mail servers when they request them. Unless users have memorized the correct IP addresses, online communication will be largely impossible.

SonicWALL DNS signatures are classified from low to high priority. Because many of the lower-priority signatures identify traffic that is most often legitimate but occasionally abused by attackers, they are set to detect only, so that administrators can identify suspicious activity if it arises. The medium- and high-priority signatures, when enabled for prevention, can keep malicious DNS traffic from reaching the servers at all. However, it should be noted that patches and updates are available for DNS servers that support the DNS Security Extensions (DNSSEC). Administrators should install these updates and implement DNSSEC in conjunction with SonicWALL signatures to ensure maximum security for their DNS servers.

  Windows DNS Server Remote Code Execution (CVE-2020-1350) 1
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 2
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 3
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 4
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 5
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 6
  ISC BIND GSS-TSIG Out-of-Bounds Write
  DNS Malformed Request 2
  ISC BIND SPNEGO DoS
  DNS Malformed Request 3
  DNS Malformed Request 1
  ISC BIND EDNS Option Processing DoS
  libspf2 Macro Integer Underflow
  ISC BIND RDATA DoS
  Exim DKIM Heap Buffer Overflow
  PowerDNS Recursor DoS 1
  ISC BIND Delegation Chaining DoS
  ISC BIND Information Disclosure 2
  ISC BIND Information Disclosure 3
  TippingPoint Reverse DNS Lookup XSS
  DNS Malformed Response 1
  ISC BIND AUTHORS Request (TCP)
  ISC BIND AUTHORS Request (UDP)
  DNS Tunneling 1
  DNS Tunneling 2
  ISC BIND TSIG DoS 1
  ISC BIND TSIG DoS 2
  ISC BIND RegEx DoS 1
  DNS Malformed Response 2
  PowerDNS Nameserver DoS 1
  PowerDNS Nameserver DoS 2
  DNS Tunneling 3
  ISC BIND TKEY Query DoS 1
  ISC BIND TKEY Query DoS 2
  ISC BIND TKEY Query DoS 3
  ISC BIND TKEY Query DoS 4
  ISC BIND TKEY Query DoS 5
  PowerDNS Authoritative Server DoS 1
  ISC BIND db.c DoS
  ISC BIND db.c DoS 1
  ISC BIND apl_42.c DoS
  ISC BIND buffer.c DoS 1
  NGINX DNS Resolver DoS
  GNU glibc getaddrinfo Function Buffer Overflow 1
  GNU glibc getaddrinfo Function Buffer Overflow 2
  GNU glibc getaddrinfo Function Buffer Overflow 3
  GNU glibc getaddrinfo Function Buffer Overflow 4
  ISC BIND DNAME DoS
  ISC BIND Cookie Option DoS
  ISC BIND rndc DoS
  ISC BIND lwresd DoS
  ISC BIND buffer.c DoS 2
  ISC BIND DNAME Response Processing DoS
  ISC BIND RTYPE ANY DoS
  ISC BIND RRSIG RRsets DoS 2
  ISC BIND DNS64/RPZ DoS
  ISC BIND rndc Control Channel DoS
  ISC BIND Referral DoS
  systemd resolved dns_packet_new Heap Buffer Overflow
  DNS Malformed Response 3
  Cesanta Mongoose DNS Request DoS
  systemd DNS NSEC Resource Record DoS 1
  systemd DNS NSEC Resource Record DoS 2
  Windows DNSAPI Remote Code Execution (JUN 18)
  ISC BIND deny-answer-aliases DoS
  PowerDNS Recursor DoS 2
  HAProxy dns.c Compressed Pointer DoS
  PowerDNS Authoritative Server DoS 2
  Windows DNS Server Remote Code Execution (CVE-2021-24078)
  dnsmasq DNSSEC Heap Buffer Overflow
  dnsmasq DNSSEC Heap Buffer Overflow 2
  dnsmasq DNSSEC Heap Buffer Overflow 3
  dnsmasq DNSSEC Buffer Overflow
  Windows DNS Server Remote Code Execution (CVE-2021-26877)
  Windows DNS Server Remote Code Execution (CVE-2021-26897)
  NGINX DNS Resolver Heap Buffer Overflow 1
  Windows DNS Server DoS (MS12-017)
  NGINX DNS Resolver Heap Buffer Overflow 2
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 1
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 2
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 3
  dnsmasq add_pseudoheader Integer Underflow
  systemd resolved dns_packet_new Heap Buffer Overflow 2
  Windows DNS Server WPAD Registration Spoofing (MS09-008)
  Squid DNS Replies Memory Corruption 1
  Squid DNS Replies Memory Corruption 2
  Tftpd32 DNS Server Buffer Overflow
  ISC BIND RRSIG Query DoS
  ISC BIND RRSIG RRsets DoS
  ISC BIND CNAME RRSIG Query DoS
  ISC BIND EDNS0 DoS
  Unbound NOTIFY Query DoS