DNS and Email Security
DNS is often described as the phonebook of the Internet: at its simplest it is queried for the IP address associated with a human-readable, memorable name. But it does a lot more than that, as this article explains. If you have not yet read our previous article, do so here: DNS and its Security Implications. In this post we look at DNS from an email security perspective.
Examining email domain
An email address is something we are all familiar with; its most notable part is the @ character. The part after the @ is the domain name, and we IT/security professionals can easily examine that domain:
$ dig -t mx gmail.com
;; QUESTION SECTION:
;gmail.com. IN MX
;; ANSWER SECTION:
gmail.com. 3454 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 30 alt3.gmail-smtp-in.l.google.com.
;; Query time: 35 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Sep 14 17:33:47 IST 2020
;; MSG SIZE rcvd: 161
Here the answer section lists the host names of the mail servers, or MTA hosts, that mail for a Gmail address is delivered to.
The numbers 20, 5, 40 and so on in front of the host names are called weights or, more precisely, preferences. The lower the number, the higher the priority: a sending server tries the host with the lowest value first and only falls back to the others if it cannot be reached. Most domains publish far fewer MX records than you see above.
These are called MX records, short for mail exchanger. The good news is that most email today travels over encrypted channels (TLS between mail servers), although the messages themselves are not encrypted or otherwise protected.
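To make the preference ordering concrete, here is a small parser for dig's MX answer lines, added for this post (it is not code from the original article or from any DNS tool). It assumes dig's default answer format, and it also handles the "null MX" case, a single `MX 0 .` record (RFC 7505) that a domain publishes to declare it accepts no mail, which is worth checking before treating a domain as a valid mail destination.

```python
import random
import re
from collections import defaultdict

# Constructed sample input: the answer section of `dig -t mx gmail.com` quoted above.
DIG_ANSWER = """\
gmail.com. 3454 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3454 IN MX 30 alt3.gmail-smtp-in.l.google.com.
"""

# owner  TTL  IN  MX  preference  exchange
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$")


def parse_mx(text):
    """Return (preference, exchange) tuples from dig-style MX answer lines.

    Comment lines (';;'), blank lines and other record types are skipped.
    The trailing dot of a fully qualified name is removed, except for the
    lone '.' used by a null MX record (RFC 7505)."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if not m:
            continue
        exchange = m.group(4)
        if exchange != ".":
            exchange = exchange.rstrip(".")
        records.append((int(m.group(3)), exchange))
    return records


def accepts_mail(records):
    """A domain that publishes only 'MX 0 .' declares it accepts no mail at all."""
    return not (len(records) == 1 and records[0] == (0, "."))


def delivery_order(records, rng=None):
    """Order exchanges the way a sending MTA tries them (RFC 5321, section 5.1):
    lowest preference value first; hosts sharing a preference are tried in a
    random order, which spreads load across them."""
    rng = rng or random.Random()
    by_pref = defaultdict(list)
    for pref, exchange in records:
        by_pref[pref].append(exchange)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


if __name__ == "__main__":
    recs = parse_mx(DIG_ANSWER)
    print("accepts mail:", accepts_mail(recs))
    for i, host in enumerate(delivery_order(recs), 1):
        print(f"{i}. {host}")
```

Running it on the Gmail answer above prints the five hosts starting with gmail-smtp-in.l.google.com (preference 5); feeding it a live `dig -t mx` answer for another domain works the same way.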
What this means is that the email body is readable by every mail server it passes through. Only those who use GnuPG or S/MIME have messages that are undecipherable end to end. And simply making emails travel through an encrypted tunnel does not put an end to email-related attacks.
But we started off talking about DNS, didn't we? This article focuses purely on the email-related aspects of DNS-based security systems. What are they?
DNS and email security
First of all, email, as you can see above, uses DNS at two levels: one for the domain in the email address itself, and the next for the MX record. There are further places where DNS comes into play. The IP address ranges of a domain's mail servers are often published in what are known as SPF (Sender Policy Framework) records, which are stored as DNS TXT records.
This is one way to ensure that mail is not fraudulently sent from servers the domain has not authorized. But that is not quite enough. Over time many more problems were found, and SPF alone was unable to fix them all.
DKIM and DMARC come to mind. DKIM is DomainKeys Identified Mail; DMARC is Domain-based Message Authentication, Reporting and Conformance. Both have "domain" in their names, and both publish their keys and policies in DNS, so they are DNS measures too. Although the Internet works at a human level with domain names, internally those names mean nothing: only IP addresses are used to route packets, and all traffic, whether voice, email or video, travels as IP packets between IP addresses.
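The following example, added for this post and not code from the original article or from any mail software, shows how a receiving server uses the SPF record from the previous paragraph and the DMARC policy from this one: it evaluates SPF for a sending IP against the `ip4`, `mx`, `include` and `all` mechanisms, then applies the From: domain's DMARC policy with strict or relaxed alignment. It assumes a constructed in-memory zone (hypothetical domains on documentation address ranges) in place of live DNS lookups, and it represents DKIM only by the domain of an already-verified signature, since signature checking needs RSA or Ed25519 and is out of scope here.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups. All names are
# hypothetical; the addresses come from the RFC 5737 documentation ranges.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("bounce.example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns the record data strings for name/rtype."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """RFC 7208 allows exactly one SPF record: none means 'none', several is an error."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        return "permerror"
    return recs[0] if recs else None


def check_spf(ip, domain, depth=0):
    """Evaluate SPF for sending address `ip` and MAIL FROM domain `domain`.

    Handles ip4, ip6, a, mx, include and all with the +, -, ~ and ? qualifiers.
    Modifiers (redirect=, exp=) and CIDR suffixes on a/mx are ignored here."""
    if depth > 10:                      # guard against runaway include chains
        return "permerror"
    rec = spf_record(domain)
    if rec in (None, "permerror"):
        return "none" if rec is None else rec
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):   # membership is False across IP versions
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIER[qual]
    return "neutral"                    # reached the end without an 'all' term


def dmarc_policy(domain):
    """Return the tag=value pairs of _dmarc.<domain>, or None if no policy is published."""
    for rec in lookup("_dmarc." + domain, "TXT"):
        if rec.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return None


def organizational_domain(name):
    # Simplification: the last two labels. Real receivers consult the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])


def aligned(identifier, header_from, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return organizational_domain(identifier) == organizational_domain(header_from)


def dmarc_disposition(header_from, mail_from, sending_ip, dkim_pass_domain=None):
    """Action a receiver takes under the From: domain's DMARC policy.

    `dkim_pass_domain` is the d= domain of an already verified DKIM signature, if any."""
    policy = dmarc_policy(header_from)
    if policy is None:
        return "none"                   # nothing published, nothing to enforce
    spf_ok = (check_spf(sending_ip, mail_from) == "pass"
              and aligned(mail_from, header_from, policy.get("aspf", "r")))
    dkim_ok = (dkim_pass_domain is not None
               and aligned(dkim_pass_domain, header_from, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")      # none, quarantine or reject
```

Note the two ways a message from a legitimate server can still fail DMARC: `aspf=s` makes mail with a `bounce.example.com` envelope sender but an `example.com` From: header unaligned even though SPF passes, and an `include:` whose own record ends in `~all` never yields a pass for addresses outside it, so the outer `-all` takes over. A relaxed-aligned DKIM signature rescues the first case; nothing rescues the second, which is why SPF and DKIM are deployed together.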
So how does DNS help?
It works this way: every email travels between two MTA machines, or mail servers, and each mail server has its own domain name. The domain name of the email address is different again, as we saw at the beginning.
Using cryptographic primitives such as secret keys and public/private key pairs, we sign emails and DNS records so that others can verify us as the originator of the signature. This also protects the data against tampering and protects against emails with forged origins.
There is also DNSSEC and DANE, DNS-based Authentication of Named Entities. The popular email systems in the world support most of the measures mentioned above. Spam filtering and phishing protection are additional measures employed by email security folks.
The DNS system as a whole works through authoritative name servers (primary and secondary) and the recursive resolvers that query them, with some 13 or so root name servers at the top, which are huge, complex and busy systems. Registrars allot domain names, and many records are associated with each domain name, along with aliases and subdomains.
In a trusted environment both email and DNS would be secure. But on today's Internet, where billions and trillions of dollars change hands, the security of email and DNS is both relevant and crucial, and as we saw in this article, the two depend on each other to a great extent.
In a future post, we shall explore the specifics of the measures above to understand more about how Internet security works with the commonplace software we often take for granted. We shall cover more as time goes on.