"This isn’t your father’s DNS."
This phrase is used by Dave Beck from Men and Mice Training, who is providing us with a free (presentation only) chapter of Men and Mice's DNS and Bind course to share with you. If you are looking for a great local course with hands-on exercises, check out their next one in Toronto on September 9th and you can register for it on their website.
The DNS was created in the early 80’s and became an (original) IETF standard. Back then FORTRAN was still in use and Usenet and BBSs were still the major way most people got online. This massively distributed, hierarchical database on which we all rely is a highly resilient and functional infrastructure that grows and evolves over time to meet the needs of day. One of the newer additions is DNS cookies.
To quote the IETF RFC-7873 documentation, “DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/forgery or cache poisoning attacks by off-path attackers."
To dispel one potential worry right off the bat, DNS cookies are only returned to the IP address they were received from and they are not used for tracking purposes. Cookies are used to provide cybersecurity protection for:
1) Queriers (stub or smart resolvers) are protected from bogus answers via cache poisoning
2) Domain name owners who might be getting spoofed. A bogus answer injures the domain name holder because their servers aren’t being reached.
3) Innocent victims with a spoofed IP addresses (i.e. reflection & amplification attacks) that are used in DDoS attacks and they are unaware of it.
4) DNS servers as the target or from being misused in an amplification attack.
DNS cookies are a mitigation solution and do not solve all problems, but are a lightweight solution that does a heck of a lot without much configuration or additional work.
Check out the free three-part course in our cybersecurity resources section of our website.