Pat Barnes highlights strategies that can move organizations in the right direction when it comes to reinforcing their security practices.
In the words of a meme haiku floating around in IT circles, “It’s not DNS. There’s no way it’s DNS. It was DNS.” DNS is designed and built as a simple to manage directory service that translates from human-readable host and domain names into IP addresses. My company, Neustar Security Services, operates one of the largest DNS infrastructures on the planet and I’m always studying new attacks against DNS or using DNS as infrastructure and designing ways to counter these attacks.
In the 35 years since the Requests for Comment (RFCs) that defined DNS, the protocols, records and management of DNS have grown more complicated, and that means a larger attack surface. But one thing has not changed: every online exchange—web browsing, email, messaging—begins with a DNS query. Because of this, DNS serves as a target for attacks, as a technology that assists attacks against other services, and as a control layer for detecting and responding to attacks.
Maintaining DNS security should be standard practice for any enterprise. Hardening and best-practice guides have been available for a long time, but some of the complications and advanced features of today’s DNS, combined with DNS-associated threats that are already decades old, make it easy to misconfigure services. Fortunately, a long history of vulnerabilities and attacks against DNS also means there has been time for DNS security tooling to mature. Security teams can give DNS the attention it deserves without straining resources by leveraging today’s automated solutions, such as the DNS Health Check that we delivered earlier this year, and by implementing off-the-shelf authoritative and recursive DNS services for redundancy, so that DNS errors are detected and fixed and a security incident or outage won’t completely derail a business.
A burgeoning threat landscape
Although DNS security may be a bit of a dark art to Blue Teams and IT operations staff, cybercriminals use and abuse DNS in multiple ways constantly. DNS can provide bad actors with capabilities ranging from botnets with resilient “command and control” (C&C) traffic via domain generation algorithms to DNS tunneling meant to exfiltrate sensitive data. DNS is also itself a target: attackers go after its availability, use it to conduct reconnaissance against a domain, and poison cached responses to redirect traffic to attacker-controlled systems.
Cybercriminals use malware to infect an enterprise’s internal computing assets and add them to their botnets, which they then use for a variety of malicious purposes. For example, they might rent the botnet to other bad actors to contribute to distributed denial of service (DDoS) attacks, or the infected assets may be tasked with exfiltrating sensitive data from the infected enterprise. Botnet nodes query a set of C&C servers to get instructions and upgrades. One of the ways that bot herders keep their C&C servers reachable for their bot nodes is to build a Domain Generation Algorithm (DGA) into the malware so that it cycles through a large set of candidate domains.
DNS tunneling—developed as a technique around 20 years ago—is so well known that it has spawned toolkits and instructional videos online, giving even relatively unskilled attackers the means to send and receive data and bypass network controls such as firewalls. It’s one of the most consistent DNS-based threats to enterprises, as attackers encode and transmit data inside DNS queries, which are generally allowed through firewalls. Using this technique, attackers can download tools, steal data, or plant and activate malware.
The seismic shift to remote work in the past two years has only expanded the landscape of opportunity for attackers. Home networks often lack the level of security of an employer’s network, leaving end users and their IT assets more vulnerable. With one type of DNS hijacking, for instance, bad actors gain access to a network through a compromised router and change a device’s DNS settings to redirect users to a malicious site, where they may unwittingly enter their personally identifiable information (PII) or credentials.
DNS servers—authoritative and recursive—are also attacked. Since every online service depends on DNS, it is often the target of DDoS attacks. As an operator of one of the world’s largest DDoS mitigation platforms, we consistently see attacks against a website’s DNS if the attackers cannot cause an outage on the target’s web servers.
One interesting area of research we’ve been focused on lately is DNS reconnaissance tools, like dnsenum, that check a huge list of potential hostnames against a domain to detect which hostnames are in use. Not only do these tools discover targets to attack, but they generate large numbers of DNS queries. We’ve seen that these tools produce a large volume of NXDOMAIN (hostname not found) responses, often a significant portion of a domain’s queries.
DNS spoofing or cache poisoning can similarly compromise the information of unsuspecting users. In this attack, cyber attackers flood a DNS resolver with forged query responses so that the bad responses are cached on the server and traffic is sent to an attacker-controlled server. That server may appear to be a legitimate site, but it collects PII, login information, or other sensitive information.
DNS threat vectors may be common and nothing new under the sun, but they have proven themselves a formidable challenge. According to IDC’s 2021 Global DNS Threat Report, the global average cost per attack is $950,000, and 87% of organizations have been victimized. For 76% of businesses impacted, application downtime was a result. Further, one in four organizations had their data stolen.
DNS auditing and monitoring are critical
One reason DNS attacks are so successful is that they can be difficult to detect, particularly inside the volume of legitimate DNS requests. It’s like looking for a needle in a huge pile of other needles. Security teams can rectify that situation by adopting automated tools that enable regular auditing and monitoring of traffic, primarily to prevent attacks, but also to limit their scope and impact should they occur.
The following strategies can move organizations in the right direction when it comes to reinforcing their security practices:
- Use DNS vulnerability scanning tools on authoritative servers. We support this in two ways. For many years, we’ve had a professional services engagement for our customers. The services folks look at configurations and traffic patterns to find security vulnerabilities and other misconfigurations. Earlier this year, we automated many of these checks and rolled them out in our DNS Health Check feature so customers on our platform can test themselves on a recurring basis.
- Examine long-tail DNS queries on recursive servers. DNS traffic may not be monitored as closely as other types of traffic since sensitive data typically isn’t part of the equation, but this relaxed approach may be exploited by bad actors. A good threat intelligence feed can check queries against a variety of authoritative sources to identify and block those that may lead to malicious sites. Some red flags include low-volume, strangely formatted queries, queries to domains known to host botnet C&C servers, abnormal subdomain name lengths, uncommon data flows, and processes or clients that typically don’t communicate on the network.
- Follow up on malware infections. Should a device be infected with malware, take the time to assess the impact network-wide and take appropriate action. It can be dangerous to assume that only one device was compromised once attackers have gotten a foot in the door. Once you have malware samples, analyze them to see what domains and hostnames they query, and block those on your recursive servers.
- Use a second authoritative DNS service. More organizations are finding that a second DNS service can provide extra resiliency and diversity when it comes to maintaining DNS security and business continuity. In a recent Neustar International Security Council (NISC) survey, two-thirds of surveyed organizations reported having secondary DNS solutions in place. DNS is mission-critical, and 71% of businesses cited the need to ensure business continuity and reduce the risk of failure in the event of an attack or outage related to their primary DNS. Additionally, 55% noted the redundancy benefit.
- Use a recursive DNS firewall service for remote users. Most organizations today are using these solutions as a cost-effective measure to protect users on compromised home routers or on the road in coffee shops and hotels. This helps to restore some of the anti-malware controls in your offices that were lost when users went fully remote.
DNS threats may be old hat, but they have proven to be effective for bad actors seeking to disrupt businesses and access sensitive information. Following best practices and incorporating largely automated solutions can help enterprises minimize risk while freeing up staff time to deal with other looming threats.
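The first strategy above, scanning authoritative servers for misconfigurations, can be partly automated as a static lint over the zone data itself. The script below is an added example written for this article; it is not Neustar’s DNS Health Check or any other product’s code. It assumes a simplified zone syntax (one record per line, `$ORIGIN` and `$TTL` directives, an explicit owner on every line, the SOA on a single line) and checks a handful of classic problems: inconsistent SOA timers, a single name server at the apex, missing glue for in-zone name servers, NS or MX records that point at a CNAME, a CNAME sharing a name with other records, and CNAMEs whose in-zone target does not exist. The sample zone is constructed and seeded with several of these problems.

```python
"""Static lint for an authoritative zone file (added example, not vendor code).

Assumptions: one record per line, $ORIGIN/$TTL directives, an explicit owner
on every record line, and the SOA written on a single line.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample zone with deliberate problems (not from the article).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@      IN SOA   ns1 hostmaster 2024010101 7200 10800 1209600 300
@      IN NS    ns1
ns1    IN A     192.0.2.53
www    IN A     192.0.2.10
mail   IN CNAME www
@      IN MX    10 mail
old    IN CNAME gone
api    IN CNAME www
api    IN A     192.0.2.11
"""


@dataclass
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: list = field(default_factory=list)


def fqdn(name, origin):
    """Turn '@' or a relative name into an absolute name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse the simplified zone syntax into Record objects."""
    origin, default_ttl, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner, rest = fqdn(tokens[0], origin), tokens[1:]
        ttl = int(rest.pop(0)) if rest[0].isdigit() else default_ttl
        if rest[0].upper() == "IN":
            rest.pop(0)
        records.append(Record(owner, ttl, rest[0].upper(), rest[1:]))
    return origin, records


def lint_zone(text):
    """Return a list of human-readable findings for the zone text."""
    origin, records = parse_zone(text)
    findings = []
    by_owner = defaultdict(list)
    for r in records:
        by_owner[r.owner].append(r)

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    # 1. SOA timers: retry must be shorter than refresh, expire longer than both.
    soa = [r for r in by_owner[origin] if r.rtype == "SOA"]
    if len(soa) != 1:
        findings.append("zone apex must carry exactly one SOA record")
    else:
        refresh, retry, expire = (int(v) for v in soa[0].rdata[3:6])
        if retry >= refresh:
            findings.append(f"SOA retry ({retry}) should be shorter than refresh ({refresh})")
        if expire <= refresh + retry:
            findings.append(f"SOA expire ({expire}) is too short relative to refresh/retry")

    # 2. Redundancy: RFC 2182 asks for at least two name servers.
    apex_ns = [r for r in by_owner[origin] if r.rtype == "NS"]
    if len(apex_ns) < 2:
        findings.append(f"only {len(apex_ns)} NS record(s) at apex; at least two are expected")

    # 3. In-zone NS targets need glue; NS/MX must not point at a CNAME (RFC 2181 s10.3).
    for r in records:
        if r.rtype not in ("NS", "MX"):
            continue
        target = fqdn(r.rdata[-1], origin)
        target_rrs = by_owner.get(target, [])  # .get() avoids creating empty owners
        if any(t.rtype == "CNAME" for t in target_rrs):
            findings.append(f"{r.rtype} at {r.owner} points to alias {target}")
        if r.rtype == "NS" and in_zone(target) and not any(t.rtype in ("A", "AAAA") for t in target_rrs):
            findings.append(f"NS {target} is in-zone but has no A/AAAA glue")

    # 4. CNAME rules: no other data at an alias name (RFC 1034); no dangling in-zone targets.
    for owner, rrs in by_owner.items():
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if cnames and len(rrs) > 1:
            findings.append(f"{owner} has a CNAME alongside other records")
        for c in cnames:
            target = fqdn(c.rdata[0], origin)
            if in_zone(target) and target not in by_owner:
                findings.append(f"dangling CNAME {owner} -> {target}")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print("FINDING:", finding)
```

Run against the sample zone it reports five findings (retry longer than refresh, a single apex NS, an MX pointing at an alias, `api` carrying both a CNAME and an A record, and the dangling `old` alias). A real health check would add live checks that cannot be done from the file alone, such as whether the server answers zone transfers to arbitrary clients or whether delegations at the parent match the apex NS set.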
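The threat-landscape section above describes three DNS patterns (DGA-driven C&C lookups, tunneling hidden in oversized subdomains, and NXDOMAIN-heavy hostname enumeration), and the long-tail bullet lists the matching red flags (strangely formatted queries, abnormal subdomain lengths, one client behaving unlike the rest). The script below turns those descriptions into a first-pass triage over recursive-resolver query logs. It is an added example written for this article, not Neustar code; the log format, the thresholds, the two-label approximation of a registrable domain, and the log lines themselves are all constructed assumptions.

```python
"""Heuristic triage of recursive DNS query logs (added example, not vendor code).

Assumed log format, one query per line: "<epoch> <client-ip> <qname> <qtype> <rcode>".
Flags three patterns: tunneling (long, high-entropy subdomains under one domain),
DGA-style names (long, vowel-poor, high-entropy registrable labels), and hostname
enumeration (one client racking up NXDOMAIN answers under a single domain).
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.test. A NOERROR
1700000002 10.0.0.5 mail.example.test. MX NOERROR
1700000003 10.0.0.7 3f9a1c7e5b2d8046a9e3c1f75d2b8e04c6a1f39d7e5b2c80.tun.evil-example.test. TXT NOERROR
1700000004 10.0.0.7 9b4e2d7a0c5f8136e7a2d9c4b1f60385a4c7e2b9d1f8036e.tun.evil-example.test. TXT NOERROR
1700000005 10.0.0.7 c2e8f1a5b7d3904671b5e9c2f4a8d03e5b9c1f7a2d6e8403.tun.evil-example.test. TXT NOERROR
1700000006 10.0.0.9 www.example.test. A NOERROR
1700000007 10.0.0.9 dev.example.test. A NXDOMAIN
1700000008 10.0.0.9 staging.example.test. A NXDOMAIN
1700000009 10.0.0.9 vpn.example.test. A NXDOMAIN
1700000010 10.0.0.9 test1.example.test. A NXDOMAIN
1700000011 10.0.0.9 intranet.example.test. A NXDOMAIN
1700000012 10.0.0.9 backup.example.test. A NXDOMAIN
1700000013 10.0.0.11 xkqzpwvlmtrb.com. A NXDOMAIN
1700000014 10.0.0.11 qhfjduwnaplc.net. A NXDOMAIN
1700000015 10.0.0.11 wpzrkvtqlbnx.org. A NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n, counts = len(s), Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registrable domain, concatenated subdomain labels).

    Assumption: the registrable domain is the last two labels; a production tool
    would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        rows.append({"ts": int(ts), "client": client, "qname": qname, "qtype": qtype, "rcode": rcode})
    return rows


def looks_like_dga(registered):
    """Long, high-entropy, vowel-poor registrable label: typical of generated names."""
    label = registered.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25


def analyze(text, tunnel_min_queries=3, tunnel_min_len=30, tunnel_min_entropy=3.0, enum_min_nx=5):
    rows = parse_log(text)
    subs_by_domain = defaultdict(list)   # registrable domain -> subdomain strings seen
    nx_by_client = defaultdict(list)     # client -> registrable domains that returned NXDOMAIN
    dga = set()
    for r in rows:
        registered, sub = split_name(r["qname"])
        subs_by_domain[registered].append(sub)
        if r["rcode"] == "NXDOMAIN":
            nx_by_client[r["client"]].append(registered)
        if looks_like_dga(registered):
            dga.add(registered)

    # Tunneling: a domain whose subdomain labels are consistently long and random-looking.
    tunneling = []
    for domain, subs in subs_by_domain.items():
        if len(subs) < tunnel_min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= tunnel_min_len and mean_entropy >= tunnel_min_entropy:
            tunneling.append(domain)

    # Enumeration: one client, many NXDOMAINs, most of them under a single domain.
    enumeration = []
    for client, domains in nx_by_client.items():
        if len(domains) < enum_min_nx:
            continue
        top_domain, top_count = Counter(domains).most_common(1)[0]
        if top_count / len(domains) >= 0.8:
            enumeration.append((client, top_domain))

    return {"tunneling": sorted(tunneling), "dga": sorted(dga), "enumeration": enumeration}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the constructed log this flags `evil-example.test` as a tunneling candidate, the three consonant-heavy names as DGA-like, and client `10.0.0.9` as enumerating `example.test`; the DGA client is not reported as an enumerator because its failures are spread across different domains, which is the distinction the article draws between botnet lookups and reconnaissance. Thresholds are starting points to tune against a baseline of your own traffic, and the output is a triage list to correlate with threat intelligence rather than an automatic block list.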