IPv6 Security Thinking: Risk Analysis of Recursive DNS in IPv6 Networks

DNS (Domain Name System) is a core infrastructure on which the operation of the Internet depends, and for that reason DNS systems have become a primary target of Internet attacks. DNS security is therefore of great significance: a major DNS attack may disrupt the normal operation of a large part of the Internet and cause huge economic losses to society.

As China rapidly implements its action plan to promote large-scale deployment of IPv6, the fixed-line and 4G LTE networks of China's three major telecom operators have deployed IPv6 on a large scale. With a number of top ICP websites and apps now supporting IPv6, more than 500 million users in China have obtained IPv6 addresses and started using IPv6 network services. China's Internet is evolving towards the IPv6 era, and at this stage we must attach great importance to DNS security issues.

1. How recursive DNS works

The DNS system can be divided into several categories of server: root DNS servers, top-level domain (TLD) DNS servers, authoritative DNS servers, recursive DNS servers, and so on.

When a user accesses the Internet, the first step is to request domain name resolution from the local recursive DNS. The recursive DNS answers from its cache or recursively queries upstream DNS servers, obtains the resolution result and returns it to the user, after which the user's browser can access the target website and web page. From the perspective of the Internet DNS architecture, recursive DNS is a layered system: users query a low-level recursive DNS, the low-level server queries a higher-level recursive DNS, and the higher-level recursive DNS queries the root, TLD and authoritative DNS servers. The IP address of the domain name, resolved by the authoritative DNS, is returned level by level until it reaches the user's host.

The recursive DNS records each user's DNS queries in its log, including the source IP address of the user's host, the target domain name, the query time, the returned DNS query result (the IP address of the target website), and so on.

2. Differences and risks of recursive DNS operation mechanisms in IPv6 and IPv4 environments

In an IPv6 network environment, the DNS operation mechanism is somewhat different from that in an IPv4 network environment.

Because IPv4 address resources are scarce, NAT devices are usually deployed at the egress of IPv4 networks. When an intranet host asks the recursive DNS to resolve a domain name, the recursive DNS sees the IP address of the NAT device as the source and cannot obtain the IP address of the user's host.

The IPv6 protocol provides a massive amount of address space, and every user host or network terminal is configured with a real IPv6 address. The IPv6 host (or network terminal) uses that real IPv6 address to send its domain name resolution request to the recursive DNS. The recursive DNS server returns the resolution result to the user's host and records the user's real IPv6 address in its log.

Scanning and probing Internet IP addresses is a common attack method used by hackers. Because the IPv6 address space is so large, the IPv4-style approach of scanning whole address segments is essentially ineffective on IPv6 networks. Therefore, if hackers want to obtain users' real IPv6 addresses, they need to find a system that holds real IPv6 address records for a large number of users, break into it, and extract the address data. A recursive DNS server meets exactly that need: whether it is an intranet recursive DNS or a public recursive DNS, its log files record the real IPv6 addresses and domain name resolution records of a large number of users.
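The two points above (the log records the client's source address, and on IPv6 that address is the host's real global address rather than a NAT gateway) can be seen directly in a query log. The following added example is not from the article: it parses a few constructed query-log lines in a BIND-9-like layout, classifies each client address (RFC 1918 behind NAT versus public IPv4, link-local, unique-local or global-unicast IPv6), and then shows one mitigation for the log-theft risk the article describes: keep only the /64 (or /24) prefix plus a keyed HMAC tag instead of the full address, so a stolen log no longer yields a list of scannable hosts. The log lines, the key and the format are all constructed for the example.

```python
"""Classify and pseudonymise client addresses in recursive DNS query logs.

Added example (not the article's code). The log lines below are constructed
in a BIND-9-like query-log layout; they are not real traffic.
"""
import hashlib
import hmac
import ipaddress
import re

SAMPLE_LOG = """\
12-Mar-2020 09:01:10.001 client 10.0.5.17#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
12-Mar-2020 09:01:11.532 client 2001:db8:1:20:8d3:c7ff:fe5a:1b2c#44721 (www.example.com): query: www.example.com IN AAAA + (2001:db8::53)
12-Mar-2020 09:01:12.004 client 2001:db8:1:20:1a2b:3c4d:5e6f:7081#40001 (mail.example.net): query: mail.example.net IN AAAA + (2001:db8::53)
12-Mar-2020 09:01:13.880 client 192.0.2.44#53012 (example.org): query: example.org IN A + (10.0.0.53)
"""

# "client <addr>#<port> (<qname>): query: <qname> IN <qtype>" is the part we need.
LINE_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F:.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")


def classify(addr_text):
    """Say what kind of client address the resolver saw.

    An RFC 1918 IPv4 address is what a resolver inside a NAT'd network sees;
    a global-unicast IPv6 address is the host's real, routable address.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "ipv4-rfc1918" if any(addr in n for n in RFC1918) else "ipv4-public"
    if addr.is_link_local:
        return "ipv6-link-local"
    if addr in ULA:
        return "ipv6-unique-local"
    if addr in GLOBAL_UNICAST_V6:
        return "ipv6-global-unicast"
    return "ipv6-other"


def pseudonymise(addr_text, key):
    """Replace a client address with its routing prefix plus a keyed tag.

    The /64 (IPv6) or /24 (IPv4) prefix keeps the log useful for per-network
    troubleshooting; the HMAC tag keeps queries from one host linkable without
    storing the host's interface identifier. Without the key, the tag cannot
    be reversed into an address.
    """
    addr = ipaddress.ip_address(addr_text)
    prefixlen = 64 if addr.version == 6 else 24
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:12]
    return f"{net.network_address}/{prefixlen}#{tag}"


def process_log(text, key):
    """Parse the log and return pseudonymised records, one per query."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate unrelated log lines
        addr = m.group("addr")
        records.append({
            "client_class": classify(addr),
            "client": pseudonymise(addr, key),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
        })
    return records


def summarise(records):
    """Count queries per client address class."""
    counts = {}
    for r in records:
        counts[r["client_class"]] = counts.get(r["client_class"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = process_log(SAMPLE_LOG, b"constructed-example-key")
    print(summarise(recs))
    for r in recs:
        print(r["client_class"], r["client"], r["qname"], r["qtype"])
```

The classification alone makes the article's contrast visible: the IPv4 clients appear as a NAT-side address, while the IPv6 clients appear with their full global-unicast address and interface identifier. The pseudonymised form is what a defender would want written to disk if the log must be kept at all; the HMAC key should be stored apart from the logs.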

3. In IPv6 networks, theft will become an important attack method against recursive DNS

Attacks on recursive DNS systems fall mainly into three kinds: destruction, poisoning, and theft.

  • In the IPv4 era, attacks on DNS are mainly destructive, including DDoS attacks, with the goal of stopping the DNS service. Such attacks are discovered quickly and repaired within 12-24 hours.
  • DNS cache poisoning targets the moment the recursive DNS sends a query to its upstream DNS. The attacker impersonates the upstream DNS server and sends a forged response packet that arrives before the genuine one, polluting the recursive DNS cache with false data, so that the recursive DNS returns an incorrect IP resolution result to the user's host and redirects the user to a dangerous website.
  • In the IPv6 era, it has become difficult to obtain users' real IPv6 addresses, so theft will become an important form of attack on recursive DNS. After breaking into the DNS server, hackers do not interfere with its normal operation; instead they stay dormant for a long time and continuously steal the server's log data. From that log data they can immediately obtain the real IPv6 addresses of a massive number of users and use them as targets for network probing.
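The cache-poisoning bullet describes a forged response racing the genuine one. The added example below is not from the article; it shows, from the resolver's side, the checks that decide whether an incoming response is accepted for an outstanding query: the response must come from the server address that was queried, arrive on the randomised source port the query left from, carry the same 16-bit transaction ID, and echo the question section exactly. Transaction ID and port randomisation are the standard countermeasures (RFC 5452); the byte-exact question comparison is what lets 0x20-style case randomisation add further entropy. The message builder and the minimal wire parser (no compression pointers) are written here only to construct the test messages; the server and name values are constructed.

```python
"""Resolver-side validation of a DNS response against an outstanding query.

Added example (not the article's code). Builds minimal DNS wire messages to
show which fields a resolver must check before caching a response. The
parser deliberately handles only the question section and no name
compression, which is enough for the messages constructed here.
"""
import secrets
import struct


def encode_name(name):
    """Encode 'www.example.com.' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode labels at msg[off:]; returns (name, offset after the name)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln >= 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(txid, qname, qtype=28):
    """Standard query with RD set (28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, qtype, rdata, ttl=300):
    """Response (QR, RD, RA set) with one answer record of the queried type."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def new_query(server, qname, qtype=28):
    """Record what the resolver sent: random TXID and random source port."""
    return {
        "txid": secrets.randbelow(65536),
        "sport": 1024 + secrets.randbelow(64512),  # unprivileged ephemeral port
        "server": server,
        "qname": qname,
        "qtype": qtype,
    }


def validate_response(pending, src_ip, src_port, dst_port, packet):
    """Return (accepted, reason) for a packet received for a pending query.

    Every check here is a bar a forged packet must clear: the spoofer must
    guess the source port and the TXID (about 32 bits together) and must
    echo the question exactly, or the packet is dropped before caching.
    """
    if src_ip != pending["server"]:
        return False, "source address is not the server that was queried"
    if src_port != 53 or dst_port != pending["sport"]:
        return False, "port mismatch"
    if len(packet) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != pending["txid"]:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    try:
        qname, off = decode_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return False, "malformed question section"
    # Byte-exact comparison: with 0x20 case randomisation the echoed case
    # must match what was sent, so no lower-casing here.
    if qname != pending["qname"] or qtype != pending["qtype"] or qclass != 1:
        return False, "question section does not match the query"
    return True, "accepted"


if __name__ == "__main__":
    pending = new_query("2001:db8::53", "www.example.com.", 28)
    wire = build_query(pending["txid"], pending["qname"], 28)
    genuine = build_response(pending["txid"], pending["qname"], 28, bytes(16))
    print(len(wire), "byte query;", validate_response(pending, "2001:db8::53", 53, pending["sport"], genuine))
```

Usage: `new_query` is called when the resolver sends a query and the returned record is kept until a packet passes `validate_response`; the order of checks matters little for correctness but cheap address and port comparisons are done first so spoofed floods are dropped before any parsing.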

If hackers break into the recursive DNS servers of campus, government and corporate networks, or the recursive DNS systems of public DNS service providers, they can obtain the DNS logs and harvest a large number of fresh, valid user IPv6 addresses for precise IPv6 address scanning and probing. Latent theft is silent and long-term, and the risk it brings is far greater than that of DDoS attacks and DNS cache poisoning.

Currently, the security protection of DNS servers in many campus and enterprise networks is weak. As user networks and DNS systems are upgraded to IPv6, these servers may become the main targets of hackers.

4. Risks of arbitrary configuration of IPv6 networks and use of public DNS

There are many articles online recommending foreign public DNS services, including:

  • Google Public DNS (IPv4: 8.8.8.8; IPv6: 2001:4860:4860::8888);
  • IBM Quad9 DNS (IPv4: 9.9.9.9; IPv6: 2620:fe::fe);
  • Cloudflare DNS (IPv4: 1.1.1.1; IPv6: 2606:4700:4700::1111);
  • Cisco OpenDNS (IPv4: 208.67.222.222; IPv6: 2620:0:ccc::2);
  • Hurricane Electric Public DNS (IPv4: 74.82.42.42; IPv6: 2001:470:20::2).

Because the domestic network is affected by interconnection problems and congestion at international gateways, some websites are slow to reach. Influenced by network technology articles that introduce global public DNS, many users set domestic or foreign public DNS as the preferred DNS on their computers in order to speed up their connections. Some companies have no intranet DNS server at all: network administrators simply set the DNS on the router to the IP address of a public DNS, and intranet users use the public DNS's resolution service directly. In an IPv4 network this is not a big problem, because the hosts sit behind a NAT device with intranet addresses and have no public IP address. In an IPv6 network, however, every host is configured with a real public IPv6 address, and once that address is exposed the host can be scanned precisely.

Global public DNS systems such as those of Google, IBM and Cloudflare provide free DNS resolution to Internet users around the world. On the positive side this is a form of public service, but from the perspective of IPv6 network security it is in effect a global collector of host IP addresses. If the DNS settings of user hosts, or of the egress routers of small businesses, point directly at the IP addresses of these public DNS services, then every DNS resolution request from a user host hands that host's (or the enterprise intranet host's) real IPv6 address straight to the public DNS. Were the log database of a public DNS system connected to and shared with the IP address scanning and probing system of a cyber army, the consequences would be unimaginable.
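A practical defender's check for the misconfiguration this section describes is to audit which resolvers hosts and egress routers are actually configured to use. The following added example is not from the article: it parses resolver configuration in resolv.conf syntax (constructed sample content), normalises each address, and flags any resolver that is one of the public services listed above or that lies outside the organisation's own resolver ranges. The organisation prefixes and the host configurations are constructed for the example; the public resolver addresses are the ones the article lists.

```python
"""Audit configured DNS resolvers for direct use of public DNS.

Added example (not the article's code). The organisation's resolver ranges
and the per-host resolv.conf contents below are constructed; the public
resolver addresses are the ones listed in the article.
"""
import ipaddress

# Public resolvers named in the article, keyed by normalised address text.
PUBLIC_RESOLVERS = {
    str(ipaddress.ip_address(a)): name
    for a, name in [
        ("8.8.8.8", "Google Public DNS"), ("2001:4860:4860::8888", "Google Public DNS"),
        ("9.9.9.9", "IBM Quad9"), ("2620:fe::fe", "IBM Quad9"),
        ("1.1.1.1", "Cloudflare DNS"), ("2606:4700:4700::1111", "Cloudflare DNS"),
        ("208.67.222.222", "Cisco OpenDNS"), ("2620:0:ccc::2", "Cisco OpenDNS"),
        ("74.82.42.42", "Hurricane Electric"), ("2001:470:20::2", "Hurricane Electric"),
    ]
}

# Constructed: the ranges in which this organisation runs its own recursive DNS.
ORG_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8:1::/48")]

# Constructed sample configurations for three hosts.
HOST_CONFIGS = {
    "laptop-01": "nameserver 2001:db8:1::53\nnameserver 10.0.0.53\n",
    "laptop-02": "# set by user for 'acceleration'\nnameserver 2001:4860:4860::8888\nnameserver 8.8.8.8\n",
    "branch-router": "search corp.example\nnameserver 2620:fe:0::fe\nnameserver 203.0.113.7\n",
}


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolver(server_text):
    """Classify one configured resolver address.

    Returns (severity, message) where severity is 'ok', 'warn' or 'high'.
    Addresses are normalised so '2620:fe:0::fe' and '2620:fe::fe' compare equal.
    """
    try:
        addr = ipaddress.ip_address(server_text)
    except ValueError:
        return "warn", f"{server_text}: not a valid IP address"
    key = str(addr)
    if key in PUBLIC_RESOLVERS:
        return "high", f"{key}: public resolver ({PUBLIC_RESOLVERS[key]}); hosts send their real IPv6 address directly to it"
    if any(addr in net for net in ORG_RESOLVER_NETS):
        return "ok", f"{key}: organisation resolver"
    return "warn", f"{key}: resolver outside organisation ranges"


def audit_hosts(configs):
    """Audit every host; returns {host: worst_severity} plus per-host findings."""
    order = {"ok": 0, "warn": 1, "high": 2}
    summary, findings = {}, {}
    for host, text in configs.items():
        results = [audit_resolver(s) for s in parse_resolv_conf(text)]
        findings[host] = results
        worst = max((sev for sev, _ in results), key=order.get, default="warn")
        summary[host] = worst
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_hosts(HOST_CONFIGS)
    for host, sev in summary.items():
        print(host, sev)
        for _, msg in findings[host]:
            print("   ", msg)
```

On a real fleet the configuration text would come from the hosts' actual resolver settings (or from the DHCP and router advertisement options that hand them out), and a "high" result is the signal that the host's global IPv6 address is being sent directly to a third-party resolver instead of to the organisation's own recursive DNS.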

5. Pay attention to IPv6 network security in the early stage of large-scale deployment of IPv6 in China

The two offices' document "Action Plan for Promoting Large-Scale Deployment of IPv6" clearly sets out the principle of "two simultaneous efforts and three synchronizations": development and security go hand in hand, and the planning, construction and operation of network security systems are promoted in step with the network itself.

China's large-scale deployment of IPv6 has only just entered its development stage. More than 500 million mobile phones already connect to the Internet over IPv6, and many universities, government bodies and enterprises are upgrading their networks to support IPv6. This is the best time to address IPv6 network security; we cannot wait until an incident occurs before trying to fix the problem. It is foreseeable that in the near future IPv6 DNS security will become one of the most important issues in IPv6 network security. We must attach great importance to it and put network security protection in place in advance.
