DNS attacks: a danger that should not be overlooked

Michael Kaczmarek of Neustar Security Solutions explains why DNS attacks should not be ignored and how to protect yourself against them

The Domain Name System (DNS) began alongside the Internet, connecting users to online assets with easy-to-remember domain names, rather than IP addresses. DNS as we know it was invented in 1983, making wide use of the system outside of the academic community. As the internet grew, DNS also grew, becoming essential in a world where online assets could be diversified across various platforms or locations to better serve their audience.

DNS allows users to go beyond the simple result of a query, to get the best result, the fastest response, and more. When properly implemented, DNS can become a robust tool for businesses, especially as the world is online.

However, DNS is designed in such a way that it is easy to take for granted the “it works” functionality of the system – and organizations increasingly do so at their own risk. Attacks against the DNS are carried out every day. While these attacks may not take much of the internet offline, they remain extremely costly, especially with the push for digital transformation due to the COVID-19 pandemic. According to the International Data Corporation (IDC), the average cost to an organization following a DNS attack in 2020 was £ 665,000, mostly due to application downtime.

Tunneling and diversion

Imagine receiving a panicked call from one of your system administrators, telling you that suddenly your site has no visitors. You dig deeper and discover that the name server information for your domain name has changed. Your domain has been hacked. One of the deepest and most damaging attacks is DNS or domain hijacking, as it is possible that by the time it is discovered, your customers have already interacted with the infected site. The time window can be exploited by attackers to hijack login credentials, site data, resources, etc.

DNS tunneling may not be as captivating as other types of cyberattacks, but it is still a real threat, with a series of potentially serious consequences. DNS attacks are on the rise, in part because DNS tunneling is among the most “accessible” threat vectors. Easy-to-use tunneling toolkits are widely available on the internet, along with how-to videos on YouTube. This means that even unsuspecting hackers can get what they need to break into an otherwise secure domain.

But it’s not just amateur hackers who use the technique. The larger and more sophisticated OilRig threat group associated with Iran, for example, has extensively used DNS tunneling for command and control communications with infected hosts, compromising 97 organizations in 27 countries and exfiltrating thousands of names. user and passwords.

It is not a threat to be overlooked. Unfortunately, the techniques for discovering and identifying DNS tunneling attempts require analysis of both DNS traffic and the active domains associated with malicious actors, making them difficult and time consuming to perform.

However, it doesn’t stop with tunneling. In a DNS hijacking attack, the wrong actor pushes his way to the position of interim domain owner in order to make changes, just like the real owner would. The phrase “as the owner would do” is the key to this feat, as these attacks are almost always either inside jobs, theft of login credentials, or the result of social engineering or successful phishing.

DNS hijacking attacks give the outside impression that the system is acting normally. The attacker pretending to be the owner of the zone logs in to the registrar and sends some changes, the registrar exchanges data with the registry, and the registry then sends the changes to the appropriate name servers.

One of the most notorious DNS hijacking attacks on record occurred in 2017, when hackers took control of a Brazilian bank’s entire online footprint for five hours. In this feat, the attackers did not rob the bank; they became the bank. The hijacking not only took control of the bank’s public website, but also redirected control to their mail servers, so there was almost no way for the bank to notify customers of the compromise. .

Why DNS Audits are a Necessity

If your DNS policy is like most organizations’, you’ve set up your DNS once and forgot about it, hoping it never changes. But that is precisely why having a professional DNS audit is so important. Your DNS environment is gradually changing and it is important to regularly check your DNS. It’s about maintaining regular maintenance so that you can find and fix issues like server overloads from negative caching or low TTLs, before they become a bigger problem.

There are a few best practices for getting the most out of your DNS audit, including: preventing email spoofing, checking your negative caching, zone delegation issues, optimizing TLL, removing internal IP addresses from external zones, clean up your inactive domains, test the PTR record, and implement a secondary DNS service. To highlight a few:

  • Prevention of fraudulent emails: Beyond employee training, organizations can enforce inbound email authentication and rejection policies, including SPF, DKIM, and DMARC. Most modern mail servers support these layers of authentication, which can help identify and remove spam forged by the incoming mail server. Spoofed phishing emails will likely fail authentication and never get delivered to end users in the first place.
  • Negative caching: This allows a DNS server to keep the record of a negative response from a search. This means that when someone requests a name that does not exist and the server has already looked for it, they remember the last result of the request. It can then respond automatically for a period of time without having to search for the information again. If you set your negative cache too low, it can use too much bandwidth by repeatedly retrieving the same information, overloading the server and potentially causing downtime as a result.
  • Checking the zone delegation: One of the most common issues encountered when performing a DNS audit is poorly delegated zones. To function properly, zones must be configured so that DNS queries are directed correctly. To ensure that they are correct, audits should examine the name servers and verify that the names point to the correct locations.

Taking these steps will dramatically reduce your risk of downtime due to DNS related issues and, as pointed out here, these issues cannot be ignored. DNS protection and auditing are essential defense mechanisms against increasingly insidious attacks.

Michael Kaczmarek is vice president of Neustar Secondurity Solutions

Main image courtesy of iStockPhoto.com

Previous IP under siege | Investigator's opinion
Next 17 End User Domain Names Purchased This Week - Domain Name Wire