What is DNS poisoning (DNS spoofing)?

In a DNS poisoning attack, a hacker replaces the address of a legitimate website with a fake one. Once that is achieved, the hacker can steal sensitive information, such as passwords and account numbers. The hacker can also prevent the spoofed site from loading at all.

What does DNS poisoning mean?

DNS poisoning, also called DNS spoofing, is a technique hackers use to exploit known weak spots in the domain name system (DNS).

Once it is in place, a hacker can redirect traffic from a genuine site to a fake version of it. And because resolvers cache and share the answers they receive, the poisoned data can spread further.

How is DNS spoofing performed?

When you want to visit a site, your resolver receives a response that actually came from the hacker. The forged data is then stored in its cache, and the DNS cache poisoning is complete.

A hacker can achieve this by:

  • Binding the server. Hackers send a large number of queries to a caching server and then follow them with thousands of fake responses. At some point, they take control of the root domain and the whole site.
  • Server simulation. When your DNS server submits a query for a translation, the hacker responds with the wrong answer much more quickly, long before the correct server can do so.
  • Exploiting open ports. Hackers send thousands of queries to the DNS resolver's ports and work out which port is open. Future attacks then focus on that port only.

DNS poisoning attacks happen because the system is not secure enough. Your devices talk to servers using the user datagram protocol (UDP). The connection is fast and efficient, but no security measures are built in: your device cannot verify the server's identity, and it does not validate the information that comes back.

Fabrication is easy in such an environment. Someone can pose as the server you are corresponding with, and because proving identity is not required, you could receive forged data and probably never know about it.

DNS poisoning and DNSSEC

DNS does not use encryption, which makes intercepting and spoofing the traffic an easy job. Furthermore, DNS servers do not verify the IP addresses to which they redirect the traffic.

Here comes DNSSEC, a protocol created to add verification to DNS and make it more secure. It generates a cryptographic signature for your records and stores it alongside your other DNS records, such as A and CNAME records. Your DNS resolver then uses that signature to validate a DNS response, guaranteeing that the record was not falsified.

DNSSEC is a great service that can help you protect yourself from DNS poisoning.
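The two sections above make one point: a plain UDP reply is accepted as long as it matches the outstanding query, while a signature ties the records to the zone that published them. The following Go program is an added illustration of that point and is not part of the original article or of any DNSSEC implementation. It models a resolver cache once without and once with validation, and feeds both the same forged reply. The Response structure, the canonical RRset format and the use of a raw Ed25519 key in place of a real DNSKEY/DS/RRSIG chain are simplifications assumed for the example; the names and the 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Response is a simplified DNS answer: the transaction id it claims to answer,
// the owner name, the A-record values and, for a signed zone, a signature.
type Response struct {
	TxID      uint16
	Name      string
	RData     []string
	Signature []byte // nil when the zone is unsigned
}

// canonicalRRset is the byte string the zone signs. It is a simplification of
// the canonical RRset form DNSSEC uses: lower-cased owner name, record type and
// the rdata in sorted order, so reordering the answers cannot break a signature.
func canonicalRRset(name string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(name) + "|A|" + strings.Join(sorted, ","))
}

// SignRRset is the zone operator's step: sign the RRset once, offline, with the
// zone's private key and publish the signature next to the records.
func SignRRset(priv ed25519.PrivateKey, name string, rdata []string) []byte {
	return ed25519.Sign(priv, canonicalRRset(name, rdata))
}

// Cache is a resolver cache. ZoneKey is the zone's public key the resolver
// already trusts (real DNSSEC obtains it through the DNSKEY/DS chain);
// nil models a resolver that does not validate.
type Cache struct {
	ZoneKey ed25519.PublicKey
	entries map[string][]string
}

func NewCache(zoneKey ed25519.PublicKey) *Cache {
	return &Cache{ZoneKey: zoneKey, entries: map[string][]string{}}
}

// Accept is the decision a resolver makes for every UDP reply that arrives.
// It returns the reason for rejecting the reply, or "" when it was cached.
func (c *Cache) Accept(expectedTxID uint16, expectedName string, r Response) string {
	// Plain DNS: only the transaction id and the question tie a reply to the
	// outstanding query. These are matching rules, not authentication, so any
	// reply that happens to match them is accepted as genuine.
	if r.TxID != expectedTxID {
		return "transaction id mismatch"
	}
	if !strings.EqualFold(r.Name, expectedName) {
		return "question mismatch"
	}
	// DNSSEC-style validation: the records must carry a signature that verifies
	// under the trusted zone key. Without the zone's private key no forged reply
	// can produce one, whatever its source address or timing.
	if c.ZoneKey != nil && !ed25519.Verify(c.ZoneKey, canonicalRRset(r.Name, r.RData), r.Signature) {
		return "signature invalid"
	}
	c.entries[strings.ToLower(r.Name)] = r.RData
	return ""
}

// Demo plays the scenario from the article: a forged reply that matches the
// outstanding query. It returns what a non-validating and a validating
// resolver did with it ("" means the reply was cached).
func Demo() (plainResult, validatingResult string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "www.example.com."
	const txid = uint16(0x1a2b)

	// Constructed sample: the genuine, signed answer.
	genuine := Response{TxID: txid, Name: name, RData: []string{"192.0.2.10"}}
	genuine.Signature = SignRRset(priv, name, genuine.RData)

	// Constructed sample: a forged answer with the right transaction id and name
	// but a different address. Copying the genuine signature does not help,
	// because that signature was computed over the genuine rdata.
	forged := Response{TxID: txid, Name: name, RData: []string{"198.51.100.7"},
		Signature: genuine.Signature}

	plain := NewCache(nil)
	plainResult = plain.Accept(txid, name, forged) // "": the forged data is now cached

	validating := NewCache(pub)
	validatingResult = validating.Accept(txid, name, forged) // "signature invalid"
	if validating.Accept(txid, name, genuine) != "" {
		panic("the genuine signed answer must be accepted")
	}
	return plainResult, validatingResult
}

func main() {
	p, v := Demo()
	fmt.Printf("non-validating resolver: %q (empty = forged reply cached)\n", p)
	fmt.Printf("validating resolver:     %q\n", v)
}
```

Running it shows the non-validating cache storing the forged address while the validating cache rejects the same reply. The transaction-id and question checks are matching rules rather than proof of origin, which is why resolvers also randomise their source port and, where the zone is signed, validate the signature chain before caching anything.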

Conclusion

DNS poisoning is a serious problem, and it can be frightening. Protecting and configuring your DNS server correctly will help you keep it from happening.

DNS CAA record – everything you need to know

The DNS CAA record helps domain name owners take control over SSL certificates. You can decide which CA is allowed to issue them and what type of certificate it may issue.

The DNS CAA record was first described in 2013. Since September 2017, Certificate Authorities have been required to check it before issuing any certificate. So let's explain it in a little more detail.

DNS CAA record explained

CAA stands for Certification Authority Authorization. The DNS CAA record is a Resource Record in DNS with which the owner of a domain name can specify which Certification Authorities (CAs) are allowed to issue a certificate for the domain.

CAs, in turn, are the companies that issue certificates for a domain, such as SSL or TLS certificates, among others.

When domain owners want to improve their site's security, they need to purchase and install a certificate.

This is where the DNS CAA record comes in. It gives better control over the issuing process and reduces the chance of mistakes when certificates are issued for the domain.

To see exactly which part of the domain it applies to, check the name in the DNS CAA record. It can be set for the whole domain name or only for a subdomain.

A recommendation worth considering is to use the DNS CAA record together with DNSSEC. With DNSSEC enabled, you get better security and more trust from the CA's side.

What is the DNS CAA record structure?

When you create a new DNS CAA record, you will have to fill in a few parameters. Make sure to get them right.

Type: the type of DNS record. In this case, it is CAA.

TTL: the TTL value for the CAA record. Since it won't change frequently, you can set a longer value, such as 1800, 3200 or 7200 seconds.

Host: the host name. Here you put the domain name or subdomain name to which the CAA records apply.

Flag: 0 or 128. 0 tells the CA that it is not critical to follow the rule. 128 marks it as critical, so the CA must honour the rule.

Property type (tag): issue/issuewild/iodef

Issue – Allows the CA to issue a certificate.

Issuewild – Allows the CA to issue a wildcard certificate.

Iodef (Incident Object Description Exchange Format) – Tells the CA where it can send a report, for example about a questionable certificate request that doesn't comply with the rules.

Value: the value the chosen CA provides (for issue and issuewild it identifies the CA; for iodef it is the reporting address).

Why is it beneficial to use it?

When you use CAA DNS records, you take control over which Certificate Authorities are allowed to issue certificates for your domain, without needing any cooperation from the certificate authority. Moreover, when CAA is used globally, it lets certificate authorities reach a domain owner about a failed certificate issuance request, so website and domain owners can identify requests for false or fraudulent certificates.

It is also worth mentioning that using DNS CAA records doesn't limit you to a single certificate authority. With several DNS CAA records, you can allow numerous certificate authorities to issue certificates for any domain you like.
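To show how the fields from the record structure section are actually evaluated, and how several records for different CAs on a domain and its subdomains combine, here is an added Go example. It is not from the original article or from any CA's code. It parses CAA records in zone-file presentation form (flag, property tag, value), climbs from the requested name to its parents to find the closest name that has CAA records, as the RFC 8659 lookup does, and decides whether a given CA may issue. Assumptions made for the example: the zone contents and the CA identifiers ca-one.example and ca-two.example are constructed; a wildcard request for "*.example.com" is evaluated against example.com; a name whose relevant set has no applicable issue or issuewild record is treated as unrestricted; and the DNS queries and CNAME handling a real CA performs are left out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CAA is one CAA resource record: flag, property tag and value.
type CAA struct {
	Flags uint8  // 128 = critical, 0 = not critical
	Tag   string // issue, issuewild or iodef (lower-cased)
	Value string // CA identifier for issue/issuewild, report address for iodef
}

// ParseCAA parses the zone-file presentation form of the rdata,
// e.g. `0 issue "ca-one.example"`. The quoted value may contain spaces.
func ParseCAA(rdata string) (CAA, error) {
	fields := strings.Fields(rdata)
	if len(fields) < 3 {
		return CAA{}, fmt.Errorf("expected <flags> <tag> <value>, got %q", rdata)
	}
	flags, err := strconv.ParseUint(fields[0], 10, 8)
	if err != nil {
		return CAA{}, fmt.Errorf("bad flags %q: %w", fields[0], err)
	}
	value := strings.Trim(strings.Join(fields[2:], " "), `"`)
	return CAA{Flags: uint8(flags), Tag: strings.ToLower(fields[1]), Value: value}, nil
}

// relevantRRset returns the CAA records of the closest name, starting at name
// and climbing towards the root, that has any. A subdomain with its own
// records therefore overrides its parent; one without inherits.
func relevantRRset(zone map[string][]CAA, name string) []CAA {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for name != "" {
		if rrs := zone[name]; len(rrs) > 0 {
			return rrs
		}
		_, name, _ = strings.Cut(name, ".") // climb to the parent; "" at the top
	}
	return nil
}

// issuerMatches compares the CA identifier with an issue/issuewild value,
// ignoring any parameters after ';'. The special value ";" matches no CA.
func issuerMatches(value, ca string) bool {
	domain := strings.TrimSpace(strings.SplitN(value, ";", 2)[0])
	return domain != "" && strings.EqualFold(domain, ca)
}

// MayIssue reports whether CA `ca` may issue a certificate for `request`
// (a host name, or "*.name" for a wildcard) and explains the decision.
func MayIssue(zone map[string][]CAA, request, ca string) (bool, string) {
	wildcard := strings.HasPrefix(request, "*.")
	name := strings.TrimPrefix(request, "*.") // assumption: evaluate *.X against X
	rrs := relevantRRset(zone, name)
	if rrs == nil {
		return true, "no CAA records on the name or its parents: unrestricted"
	}
	var issue, issuewild []CAA
	for _, rr := range rrs {
		switch rr.Tag {
		case "issue":
			issue = append(issue, rr)
		case "issuewild":
			issuewild = append(issuewild, rr)
		case "iodef": // reporting address only; it does not affect the decision
		default:
			if rr.Flags&128 != 0 { // unknown tag marked critical: must not issue
				return false, "unknown critical property " + rr.Tag
			}
		}
	}
	// Wildcard requests use issuewild when present and fall back to issue;
	// non-wildcard requests use issue only.
	applicable := issue
	if wildcard && len(issuewild) > 0 {
		applicable = issuewild
	}
	if len(applicable) == 0 {
		return true, "no applicable issue/issuewild records: unrestricted"
	}
	for _, rr := range applicable {
		if issuerMatches(rr.Value, ca) {
			return true, fmt.Sprintf("authorised by %s %q", rr.Tag, rr.Value)
		}
	}
	return false, fmt.Sprintf("%s is not listed for %s", ca, request)
}

func mustParse(rdata string) CAA {
	rr, err := ParseCAA(rdata)
	if err != nil {
		panic(err)
	}
	return rr
}

// SampleZone is constructed data: example.com allows ca-one.example for ordinary
// certificates, forbids every wildcard and names a report address, while
// shop.example.com overrides the parent with its own record.
func SampleZone() map[string][]CAA {
	return map[string][]CAA{
		"example.com": {
			mustParse(`0 issue "ca-one.example"`),
			mustParse(`0 issuewild ";"`),
			mustParse(`0 iodef "mailto:security@example.com"`),
		},
		"shop.example.com": {mustParse(`0 issue "ca-two.example"`)},
	}
}

func main() {
	zone := SampleZone()
	for _, req := range [][2]string{
		{"www.example.com", "ca-one.example"}, {"*.example.com", "ca-one.example"},
		{"shop.example.com", "ca-one.example"}, {"other.example", "ca-one.example"},
	} {
		ok, why := MayIssue(zone, req[0], req[1])
		fmt.Printf("%-17s %-15s allowed=%-5v %s\n", req[0], req[1], ok, why)
	}
}
```

The sample zone shows the two behaviours the text describes: www.example.com inherits the parent's records and so only ca-one.example may issue for it, while shop.example.com carries its own record and ca-one.example is refused there. The issuewild ";" line blocks every wildcard request, and a name with no CAA records anywhere up the tree stays unrestricted, which is why publishing the record at the apex of the domain matters.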