The Domain Name System (DNS) is known as the Internet phone book, quickly connecting users of their devices to desired content. But what appears to most users to be transparent and instantaneous actually offers multiple opportunities for bad actors to slip through the cracks. In April 2021, a disturbing report reported that approximately 100 million devices worldwide were susceptible to one of nine vulnerabilities affecting DNS implementation. These nine vulnerabilities have been grouped under the appropriate nickname NAME: WRECK.
NAME: WRECK has been found to affect some common TCP / IP stacks used in everything from computing devices to the Internet of Things (IoT) and operational technology (OT). Think about: sensitive and vital equipment such as medical devices or critical industrial control systems (ICS) such as power and electrical equipment. Organizations across sectors, from healthcare and government to financial services, technology, manufacturing and more, could be affected. NAME: WRECK has the potential to subvert DNS, resulting in denial of service or remote code execution; maybe even by expanding the attack surface in the process.
As in most aspects of cybersecurity, there is no silver bullet to protect against all types of DNS attacks, whether stimulated by NAME: WRECK or other vectors. The best defense requires the implementation of a multitude of measures, such as carrying out consistent security reviews, monitoring the management of vulnerability patches, maintaining good account hygiene and ensuring controls. appropriate access points. A less well-known tool that is effective against certain attacks is DNSSEC, or DNS security extensions. DNSSEC can be extremely effective in preventing DNS attacks that provide wrong or bogus responses to a device’s query, including cache poisoning and domain hijacking. DNSSEC can validate a DNS address and provide end-to-end integrity checks to ensure a high degree of confidence in a connection.
The dangers of cache poisoning, domain hacking
Normally, when a user enters a website address on their device, the device performs a DNS query through its stub resolver. This resolver is configured to request a DNS response, which is typically addressed to a large recursive caching resolver. If the address is already in the cache, the stub resolver is notified and the user moves to the known site. Otherwise, the recursive resolver takes action to find a response, requesting a response from various authoritative servers. Authoritative servers can only provide a response for their own domains and what a domain name owner has chosen to post (web pages, email, content servers, and other locations) to that zone.
With cache poisoning, bad actors do just that: they poison the cache of a recursive resolver with bad or bogus data. They spoof responses and flood recursive resolvers with them, with the aim of caching some bogus responses as legitimate. False answers typically include Long Lifespan (TTL), and this longevity provides an extended opportunity for exploitation. As a result, many users may be redirected to a bogus site created to capture sensitive or personally identifiable (PII) information before the security breach is detected.
In domain hacking, bad actors take over a domain and make changes, masquerading as the rightful owner. Such attacks are often made possible when cybercriminals gain access to login credentials, for example through successful phishing or social engineering attempts or outright theft. In some cases, such attacks can be perpetrated by someone within a company. With DNS access, criminals can fill systems with fake data which is then stored and sent to users, directing them to malicious sites.
DNSSEC provides a critical security layer
DNSSEC offers companies an additional weapon in their security arsenal. Each DNS owner has both a private key, kept secret, and a public key, published through DNS to be visible and usable. Essentially, a key is a company’s digital signature, and DNSSEC uses asymmetric or public key encryption. The DNS owner signs their data with their private key, and anyone with the public key can confirm that the signature is that of the owner. A positive association ensures that the data is safe and unmodified, while any change to the DNS data results in a validation failure and prevents the connection.
DNSSEC can ensure that users access your online presence with confidence and is one of the many tactics that should be implemented to secure Internet communications. Any failure in the DNSSEC chain of trust will cause the DNS resolution process to fail, thwarting attacks such as cache poisoning or domain hijacking.
While the initial adoption was once technically expensive and resource-intensive for enterprises, deployment of DNSSEC has become mainstream in recent years as a growing number of third-party cloud DNS vendors have stepped in to simplify the implementation process. work and perform ongoing maintenance as required to ensure continued safety.
As a security professional, make sure you have DNSSEC as one of the many arrows in your quiver.