
How to prevent DNS Spoofing in AWS.

DNS spoofing, or DNS cache poisoning, is a type of phishing and cyber attack where false Domain Name System (DNS) information is introduced into a DNS resolver's cache. This causes DNS queries to return an incorrect response, which commonly redirects users from a legitimate website to a malicious website designed to steal sensitive information or install malware.

There are a number of reasons why DNS spoofing is possible, but the principal problem is that DNS was built in the 1980s, when the Internet was much smaller and security was not a primary concern. As such, there is no built-in way for DNS resolvers to verify the validity of the data they store, and incorrect DNS information can remain until the time to live (TTL) expires or the entry is manually updated.

What is the Domain Name System (DNS)?

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, and other resources that connect to the Internet. In short, it assigns and maps human-readable domains (such as mac.com) to their underlying IP addresses that machines use to communicate. DNS also defines the DNS protocol, which is a specification of data structures and data exchanges used in the DNS.

In practice, the DNS delegates this responsibility to the authoritative nameservers of each domain, creating a distributed, fault-tolerant system that isn't centrally hosted.

The Internet as you know it depends on the DNS functioning correctly. Every web page, email sent, and picture received relies on DNS to translate its human-friendly domain name to an IP address used by servers, routers, and other networked devices.

DNS records are also used to configure email security settings. See our full guide on email security for more information.

What Do DNS Resolvers Do?

When you type in a domain, such as example.com, your web browser will use your operating system's stub resolver to translate the site's domain name into an IP address. If the stub resolver doesn't know the translation, it relays the request for DNS data to more capable recursive resolvers, which are often operated by Internet service providers (ISPs), governments, and organizations such as Google, OpenDNS, and Quad9.

Once the recursive resolver has your request, it then sends its own DNS requests to multiple authoritative name servers until it can find a definitive answer.

Domain name servers are the Internet's equivalent to a phone book, maintaining a directory of domain names and translating them to IP addresses, just as a regular phone book translates names to phone numbers.

Some organizations even run their own, but most will outsource this function to a third-party like a registrar, Internet service provider or web hosting company.

How Does DNS Caching Work?

To improve performance, the stub resolver and recursive resolvers cache (remember) the domain name to IP address translation so that the next time you ask to go to the website they don't need to query the nameservers again for a certain amount of time, known as the time to live (TTL). When the TTL expires, the process is repeated.

In general, this is a good thing, as it saves time and speeds up the Internet. However, when a successful DNS attack provides a resolver with an incorrect IP address, traffic can go to the wrong place until the TTL expires or the cached information is manually corrected.

When a resolver receives false information, it is known as a DNS cache poisoning attack and the resolver is said to have a poisoned DNS cache.

In this type of attack, the resolver may return an incorrect IP address, diverting traffic from the real website to a fake website.

How Do Attackers Poison DNS Caches?

DNS poisoning or DNS spoofing attacks work by impersonating DNS nameservers, making a request to a DNS resolver, and then forging the reply when the DNS resolver queries a nameserver.

This is possible because DNS traditionally runs over UDP, an unauthenticated and unencrypted protocol, which makes replies easy to forge, and because DNS resolvers do little to verify that the answers they accept really came from the server they asked.
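To make the last point concrete, here is an added example (not code from the original post) of the checks a recursive resolver should run on every reply before caching it: matching transaction ID, destination port, source server and question section, plus a bailiwick check so that records for unrelated zones smuggled into a reply are never cached. The messages are constructed sample data, not real network traffic.

```python
"""Reply validation a resolver performs before caching (RFC 5452-style checks)."""
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int        # 16-bit transaction id chosen at random per query
    src_port: int    # randomized source port the query left from
    server: str      # authoritative server the query was sent to
    qname: str       # question name
    qtype: str       # question type


@dataclass
class Reply:
    txid: int
    dst_port: int
    src: str         # address the reply arrived from
    qname: str
    qtype: str
    records: list = field(default_factory=list)  # (name, type, value) tuples


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_reply(q: Query, r: Reply, zone: str):
    """Return (records_to_cache, rejection_reason); reason is None when accepted.
    A reply whose id, port, source or question differs is discarded unseen, and
    only records inside the queried zone are kept, so a reply cannot plant an
    address for some other domain in the cache."""
    if r.txid != q.txid:
        return [], "transaction id mismatch"
    if r.dst_port != q.src_port:
        return [], "port mismatch"
    if r.src != q.server:
        return [], "reply from unexpected server"
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return [], "question section mismatch"
    return [rec for rec in r.records if in_bailiwick(rec[0], zone)], None


# Constructed sample: a query to example.test's nameserver, a genuine reply that
# also carries an out-of-zone record, and a reply aimed at the wrong port.
QUERY = Query(0x1A2B, 51234, "192.0.2.53", "www.example.test", "A")
GOOD = Reply(0x1A2B, 51234, "192.0.2.53", "www.example.test", "A",
             [("www.example.test", "A", "198.51.100.10"),
              ("bank.other.test", "A", "203.0.113.9")])
WRONG_PORT = Reply(0x1A2B, 40000, "192.0.2.53", "www.example.test", "A",
                   [("www.example.test", "A", "203.0.113.9")])
```

Running `validate_reply(QUERY, GOOD, "example.test")` keeps only the `www.example.test` record; the out-of-zone `bank.other.test` record is dropped, and `WRONG_PORT` is rejected outright.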

How Does DNS Poisoning Work?

  1. Man-in-the-Middle (MITM) attacks

With a man-in-the-middle (MITM) attack, the attacker gets between the web browser you are using and the DNS server. They then use a tool to alter the information in the cache on your device, as well as the information on the DNS server. You then get redirected to a malicious site.

  2. DNS server hijack

When hijacking a DNS server, the attacker makes adjustments to the server, causing it to direct users to a malicious site. The fake DNS information causes every user who enters that website's address to get sent to the fraudulent site.

  3. DNS cache poisoning via spam

When an attacker uses spam for DNS spoofing attacks, they put the code used for the cache poisoning inside an email. The email will often try to scare users into clicking on the link that ends up launching the DNS poisoning attack.

What Are The Risks Of DNS Poisoning?

  1. Data theft

An attacker can have the user redirected to a phishing website that collects the user's private information. When the user enters it, it gets sent to the attacker, who can then use it or sell it to another criminal.

  2. Malware infection

A cyber criminal may have the user sent to a website that infects their computer with malware. This can be done through drive-by downloads, which automatically put the malware on the user's system, or through a malicious link on the site that installs malware, such as a Trojan or botnet client.

  3. Halted security updates

An attacker can spoof an internet security provider's site. This way, when the computer attempts to visit the site to update its security, it will be sent to the wrong one. As a result, it does not get the security update it needs, leaving it exposed to attacks.

  4. Censorship

Censorship can be executed via manipulation of the DNS as well. For instance, in China, the government changes the DNS to make sure only approved websites can be viewed within China.

How To Prevent DNS Poisoning
For Website Owners And DNS Service Providers

Website owners and DNS service providers have the responsibility of defending users from DNS attacks. There are several ways to protect your users.

  1. DNS spoofing detection tools

These tools inspect the DNS data being returned to make sure it is accurate before allowing it to reach the user.

  2. Domain name system security extensions

Domain Name System Security Extensions (DNSSEC) add a cryptographic signature to DNS records so that a resolver can verify the answer is authentic and unmodified.

  3. End-to-End encryption

With end-to-end encryption, the DNS data that gets sent out is encrypted, so cyber criminals cannot read it to copy it or redirect users to the wrong sites.

For Endpoint Users

Users can be an easy target for DNS spoofing. Here are ways to prevent becoming a victim.

  1. Never click a link you do not recognize

It is better to manually enter a Uniform Resource Locator (URL) into your web browser than to click on a link that looks suspicious. Clicking the wrong link can lead to a DNS attack.

  2. Regularly scan your computer for malware

Spoofed websites can be used by attackers to deliver malware to your computer. Regularly scanning your computer for infections can get rid of malware you downloaded accidentally as a result of DNS poisoning.

  3. Flush your DNS cache to solve poisoning

Flushing your DNS cache gets rid of false information. All major operating systems come with cache-flushing functions. Flushing the DNS cache gives your device a fresh start, ensuring that any DNS information that gets processed will correspond to the correct site.

  4. Use a Virtual Private Network (VPN)

With a virtual private network (VPN), all data going to and from your computer is encrypted. You can connect to a private DNS server that only accepts encrypted connections. Cyber criminals do not have the encryption keys, so they cannot read the DNS data that gets sent back and forth.


AWS Firewall Manager

AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups and network ACLs, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.

Firewall Manager provides these benefits:

  1. Helps to protect resources across accounts

  2. Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions

  3. Helps to protect all resources with specific tags

  4. Automatically adds protection to resources that are added to your account

  5. Allows you to subscribe all member accounts in an AWS Organizations organization to AWS Shield Advanced, and automatically subscribes new in-scope accounts that join the organization

  6. Allows you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization, and automatically applies the rules to new in-scope accounts that join the organization

  7. Lets you use your own rules, or purchase managed rules from AWS Marketplace

Firewall Manager is particularly useful when you want to protect your entire organization rather than a small number of specific accounts and resources, or if you frequently add new resources that you want to protect. Firewall Manager also provides centralized monitoring of DDoS attacks across your organization.
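The DNS-specific protection that Firewall Manager distributes is Amazon Route 53 Resolver DNS Firewall, which answers queries for listed domains with NXDOMAIN instead of letting them resolve. The following is an added example (not code from the original post or from AWS) that builds such a block list with boto3 and attaches it to one VPC; the VPC ID and domain names are constructed placeholders, and the dry-run client lets you review the planned API calls without AWS credentials.

```python
"""Route 53 Resolver DNS Firewall: domain list -> rule group -> BLOCK rule -> VPC."""
import uuid

# Constructed placeholders, not real infrastructure.
VPC_ID = "vpc-0123456789abcdef0"
BLOCKED_DOMAINS = ["malicious-example.test", "*.phish-example.test"]  # "*." covers subdomains


def configure_dns_firewall(client, vpc_id, domains, name="block-known-bad"):
    """Create the DNS Firewall objects in order and return their ids for auditing."""
    dl = client.create_firewall_domain_list(
        CreatorRequestId=str(uuid.uuid4()), Name=f"{name}-domains")
    dl_id = dl["FirewallDomainList"]["Id"]
    client.update_firewall_domains(
        FirewallDomainListId=dl_id, Operation="ADD", Domains=list(domains))
    rg = client.create_firewall_rule_group(
        CreatorRequestId=str(uuid.uuid4()), Name=f"{name}-rules")
    rg_id = rg["FirewallRuleGroup"]["Id"]
    # BLOCK with NXDOMAIN: clients get "no such name" rather than any address.
    client.create_firewall_rule(
        CreatorRequestId=str(uuid.uuid4()), FirewallRuleGroupId=rg_id,
        FirewallDomainListId=dl_id, Priority=100, Action="BLOCK",
        BlockResponse="NXDOMAIN", Name=f"{name}-block")
    # Association priority (assumed here: 101) orders rule groups on the VPC.
    assoc = client.associate_firewall_rule_group(
        CreatorRequestId=str(uuid.uuid4()), FirewallRuleGroupId=rg_id,
        VpcId=vpc_id, Priority=101, Name=f"{name}-{vpc_id}")
    return {"domain_list": dl_id, "rule_group": rg_id,
            "association": assoc["FirewallRuleGroupAssociation"]["Id"]}


class DryRunClient:
    """Records the calls instead of contacting AWS, so the plan can be reviewed offline."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            key = {"create_firewall_domain_list": "FirewallDomainList",
                   "create_firewall_rule_group": "FirewallRuleGroup",
                   "associate_firewall_rule_group": "FirewallRuleGroupAssociation"}.get(method)
            return {key: {"Id": f"{method}-id"}} if key else {}
        return call


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed to manage route53resolver
    print(configure_dns_firewall(boto3.client("route53resolver"), VPC_ID, BLOCKED_DOMAINS))
```

Run it unchanged against `DryRunClient()` first and inspect `.calls`; once the plan looks right, the same function works with a real `boto3.client("route53resolver")`.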


Thank you very much.
