How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results?
Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven’t learned from the 2016 Dyn/Mirai incident/attack and set up a backup DNS server, and the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years.
Carnegie Mellon University PhD student Aqsa Kashaf and her advisors Dr. Vyas Sekar and Dr. Yuvraj Agarwal have analyzed third party service dependencies in modern web services, with a special focus on DNS, CDN (Content Delivery Network), and SSL certificate revocation checking by CA (Certificate Authority).
Their research was meant to determine if incidents like the 2016 Dyn DDoS attack, the 2016 GlobalSign certificate revocation error and the 2019 Amazon Route 53 DDoS attack would lead to similar results (i.e., a great number of inaccessible sites) in 2020.
They compared the situation with the 100,000 most popular websites in 2020 with that from 2016, and found that 89.2% of the analyzed websites use a third-party DNS provider (instead of managing their own DNS server) and that 84.8% of the websites don’t have a provisioned backup DNS server (which would be used in case their primary DNS provider is temporarily incapacitated).
“6% of the top-100K websites that were critically dependent in 2016, have moved to a private DNS in 2020. On the other hand, 10.7% of the websites which used a private DNS in 2016, have moved to a single third party DNS provider. Between these snapshots, redundancy has remained roughly similar. Overall, critical dependency has increased by 4.7% in 2020. More popular websites, however, have decreased their critical dependency,” they noted.
They also found that the DNS ecosystem is heavily concentrated. One DNS provider (CloudFlare) critically serves 23% of the top 100K most popular websites, and three of the top 3 DNS providers (CloudFlare, AWS, GoDaddy) critically serve 38% of the top 100K websites.
One interesting finding is that the overwhelming majority of CloudFlare consumers haven’t provisioned backup DNS servers.
“The near-complete lack of redundancy in CloudFlare’s consumers is because it requires that DNS traffic is routed through the CloudFlare network to protect against DDoS and other attacks. This approach does not allow domains to register a secondary DNS provider,” they explained.
They also found a higher degree of redundancy in the consumers of Dyn, NS1, UltraDNS, and DNSMadeEasy, which may be explained by the fact that these providers encourage the use of secondary DNS provider by giving specific guidelines, and the fact that Dyn and NS1 have previously been victims of large-scale attacks.
Another interesting revelation is the inter-service dependencies (CA to DNS or CDN to DNS).
“72% of the websites are critically dependent on 3 DNS providers when we consider direct CA to DNS dependency as compared to 40% when we just account for website to DNS dependency,” the researchers pointed out. Major CDN providers, on the other hand, use private DNS.
Finally, the researchers have also analyzed third-party DNS dependencies in the top 200 US hospitals and 23 smart home companies, and found that critical dependency is also prevalent in those segments.
PhD Candidate Lan Wei and her advisor Dr. John Heidemann at University of Southern California / Information Sciences Institute have studied more than six years of public data about root DNS servers, and found that DNS spoofing occurs globally.
“DNS spoofing is when a third-party responds to a DNS query, allowing them to see and modify the reply. DNS spoofing can be accomplished by proxying, intercepting and mod- ifying traffic (proxying); DNS injection, where responses are returned more quickly than the official servers; or by modifying configurations in end hosts,” they explained.
Depending on the third party that performs it, it can be performed for benign or malicious reasons and can, therefore, be a threat to user’s privacy and security.
“Incorrect DNS responses from third parties have been used for ISPs to inject advertising; by governments to control Internet traffic and enforce government policies about speech or intellectual property; to launch person-in-the-middle attacks by malware; and by apparent nation-state-level actors to hijack content or for espionage.”
Through their research they discovered that DNS spoofing is still rare (occurring only in about 1.7% of observations) but has been increasing during the observed period, and that proxying is the most common DNS spoofing mechanism.
Another interesting finding: there are “overt spoofers” and “covert delayers” – the latter don’t alter the DNS replies, just delay their delivery. As the delays are considerable, it is likely that they are processing the DNS traffic differently, but the reason for this is unknown.
Finally, the researchers noted that DNSSEC can protect against some aspects of DNS spoofing, but it’s still not widely used “because of challenges integrating DNSSEC with DNS-based CDN redirection.”
In early 2019, the Corporation for Assigned Names and Numbers (ICANN) urged domain owners and DNS services to implement DNSSEC as soon as possible.