Is your DNS well protected?


DNS is one of the weakest links in your organization's security

Security of a business is as strong as its weakest link.[1]


If you work in the cyber security industry, you have certainly heard this phrase or one of its variations, whatever your position in the business. Since absolute security is a myth,[2] a business should always strive for the highest achievable level of security. When security mechanisms are discussed, DNS security is often overlooked. Whether you are a decision maker, a member of the management board or an entry-level employee, you must accept the fact that DNS is one of the weakest links in your organization’s security.

When we talk about DNS security, the 2016 Mirai malware attack on Dyn, a US-based internet performance and web application security management company, cannot be ignored.[3] At the time it was the biggest DDoS attack ever seen, at a whopping 1.2 TB per second. Because Dyn provided managed DNS services to clients including CNN, Spotify and the BBC, all of these websites went down within a very short time.

In this article we briefly discuss how DNS works, then elaborate on the techniques attackers use and the preventive measures you must follow.


Working of DNS

Essentially, DNS is what makes the Internet usable across the globe. For example, if you want to open https://www.eb-qual.ch/, your browser needs an IP address to display the website, because it communicates with IP addresses, not with the name of your website. To obtain the IP address, your browser takes the following steps –

  1. Check whether an IP address for the entered domain is stored in the system’s hosts file.
  2. Send the request to a resolver, which translates the domain name into an IP address. Commonly known public resolvers include Google, OpenDNS, etc.
  3. If the resolver cannot answer from its own data, the request is referred to the root servers.


The graphic below explains this process –

How DNS works

Figure 1: Working of DNS (Source: Heimdal Security)


This entire process of translating a domain name into an IP address and pointing the web traffic towards the required resources is carried out by DNS. You can check the DNS settings on your computer by going to Control Panel > Network and Internet > Network and Sharing Center > Internet Connection > Properties > Internet Protocol Version 4 (TCP/IPv4).

DNS Settings in Windows

Figure 2: DNS Settings in Windows


Who can set up DNS?

DNS settings can be configured in three ways – automatically by your ISP, manually, or with a vendor-specific DNS address.

Who can set up DNS?

Figure 3: Who can set up DNS?


How do the attackers compromise DNS Security?

DNS was not designed with security as one of the vital components of its operation. It can be compromised in the following ways –

1. DNS Cache Poisoning (DNS Spoofing)

Cache poisoning is the insertion of false or incorrect records into a DNS server’s cache. The attackers send bogus replies from spoofed IP addresses; if such a reply arrives before the genuine response, it may get cached. Once the bogus reply is cached, all subsequent requests for that name will be answered with it until the stored false information expires.

DNS Spoofing

Figure 4: Visual Representation of DNS Cache Poisoning/DNS Spoofing (Source: keycdn.com)

Cache poisoning generally takes place at the resolver’s level. However, the domain name owner decides the TTL (time to live), i.e. the period for which the information stored in a cache remains valid. Once the TTL has elapsed, the information has to be retrieved again.
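The checks a resolver makes before it caches a reply, covering the resolution steps described earlier and the forged-reply scenario just described, as an added Python example written for this article (not code from the page or from eb-Qual). The wire-format helpers and the MAX_TTL cap are assumptions; a real resolver applies a fuller bailiwick rule than the simplified one shown.

```python
import struct

MAX_TTL = 86400  # cap on cached lifetime (an assumption): a forged record cannot outlive this

def encode_name(name):
    """Dotted name -> DNS label sequence (RFC 1035 wire format)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name at offset; return (name, offset just after it)."""
    labels = []
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    if msg[off] == 0:
        return ".".join(labels), off + 1
    ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF  # compression pointer to an earlier name
    return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2

def build_response(txid, qname, rrs, qtype=1):
    """Response (QR=1, RD, RA) echoing the question, then A records given as (owner, ttl, ipv4)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ttl, ip in rrs:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def accept_response(pending, resp, src):
    """Checks a poisoning-aware resolver applies before caching. pending = {"txid", "qname", "qtype",
    "server": (ip, port)} for the outstanding query; src is the (ip, port) the reply arrived from."""
    if src != pending["server"]:  # a randomised source port makes this hard to satisfy blindly
        return None, "reply from unexpected address/port"
    txid, flags, qdcount, ancount = struct.unpack_from("!HHHH", resp, 0)
    if txid != pending["txid"]:  # 16-bit id, randomised per query, must match
        return None, "transaction id mismatch"
    if not flags & 0x8000 or qdcount != 1:
        return None, "not a response to a single question"
    qname, off = decode_name(resp, 12)
    qtype = struct.unpack_from("!H", resp, off)[0]
    if (qname.lower(), qtype) != (pending["qname"].lower(), pending["qtype"]):
        return None, "question section does not match the query"
    records, off = [], off + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        owner, off = decode_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        rdata = resp[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if owner.lower() != qname.lower():  # simplified bailiwick rule: only records for the name asked
            return None, f"out-of-bailiwick record for {owner}"
        records.append((owner, rtype, min(ttl, MAX_TTL), ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return records, "ok"
```

A reply that passes every check is still cached only for min(TTL, MAX_TTL), which bounds how long a record that slipped through can stay in the cache.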

2. DNS Hijacking

DNS hijacking is a more straightforward attack which involves changing your DNS settings altogether. The attackers change your DNS settings and redirect your queries to a DNS server of their choice. The results received by the user are either corrupt or infected with malware, with the basic motive of phishing or pharming.

DNS Hijacking

Figure 5: DNS Hijacking (Source: Kaspersky Lab)

These attacks are generally carried out using Trojans purposely designed to change your settings from Automatic to Manual. Apart from Trojans, DNS hijacking can also be carried out via –

  • Social engineering
  • Exploiting a vulnerability in the server’s OS
  • Delivery of malicious files via phishing emails

If an attacker has a broader aim, DNS hijacking is a preliminary step towards creating a botnet of infected machines. Other motives include extracting personal and financial information, stealing data, and gathering any other information which can increase the reach of an attacker.
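One way to spot the Automatic-to-Manual change and unapproved resolvers described above across a fleet of workstations, as an added Python example that is not from the original article. The inventory snapshot, its field names and the approved resolver ranges are constructed assumptions, not the output format of any particular tool.

```python
import ipaddress
import json

# Resolver ranges the organisation approves (constructed; RFC 5737 documentation addresses).
APPROVED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.53/32")]

# Constructed inventory export, one entry per network interface; the field names are an assumption.
SNAPSHOT = json.dumps([
    {"host": "ws-017", "interface": "Ethernet", "dhcp": True,  "dns": ["192.0.2.10", "192.0.2.11"]},
    {"host": "ws-042", "interface": "Ethernet", "dhcp": False, "dns": ["203.0.113.66", "192.0.2.10"]},
    {"host": "ws-099", "interface": "Wi-Fi",    "dhcp": False, "dns": ["198.51.100.53"]},
])

def audit_dns_clients(snapshot_json, approved=APPROVED_RESOLVERS, manual_allowed=()):
    """Flag interfaces whose resolver configuration looks hijacked: any resolver outside the approved
    ranges, or a manual (non-automatic) DNS setting on a host that is not permitted to have one.
    Returns a list of (host, interface, finding) tuples."""
    findings = []
    for iface in json.loads(snapshot_json):
        for server in iface["dns"]:
            if not any(ipaddress.ip_address(server) in net for net in approved):
                findings.append((iface["host"], iface["interface"], f"unapproved resolver {server}"))
        if not iface["dhcp"] and iface["host"] not in manual_allowed:
            findings.append((iface["host"], iface["interface"], "DNS switched from automatic to manual"))
    return findings

if __name__ == "__main__":
    for host, iface, finding in audit_dns_clients(SNAPSHOT):
        print(f"{host} [{iface}]: {finding}")
```

Hosts that legitimately use static resolver settings go in manual_allowed, so only unexpected overrides are reported.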

3. Denying DNS Services

Carrying out a DDoS attack is the easiest way for attackers to compromise the DNS servers of a business. With botnets available for rent at an hourly price,[4] denial of service is an imminent threat. The silver lining is that by taking appropriate steps to mitigate a DDoS attack, the threat can be effectively negated.


Preventive Measures – Protecting your DNS

Here are a few suggestions from our experts at eb-Qual to level up your DNS security –

  1. Secure Server Management: This factor has a significant impact on businesses with a presence in multiple countries across the globe. For small and medium-sized businesses, ensure that your service provider has implemented the expected level of security measures.
  2. DDoS Risk Mitigation: If your organization is not capable of defending itself against a possible DDoS attack, get in touch with your security service provider immediately.
  3. A patch management system should be implemented to keep the servers up to date so that they cannot be exploited using publicly known vulnerabilities.
  4. Consider using a hidden primary name server if the primary name server of your business is used only for serving data to the secondary (slave) name servers. Doing so makes it easier for the security team to update and carry out maintenance activities without causing any downtime for your domain.
  5. Monitor your name servers regularly to quickly identify unexpected or malicious activity.
  6. Make it compulsory for employees to authenticate using digital signatures when they log in to the DNS server to make any changes.
  7. At your domain registrar, enable the following features if they are offered –
    1. 2FA
    2. IP address dependent login
    3. DNS change locking


Feel free to get in touch with our experts specializing in DNS security for assistance and guidance in securing your DNS servers.

written by Raj Pagariya

[1] https://www.esecurityplanet.com/views/article.php/3922501/Security-is-Only-as-Strong-as-the-Weakest-Link.htm

[2] https://www.tripwire.com/state-of-security/security-data-protection/prism-and-the-myth-of-absolute-security/

[3] https://www.forbes.com/sites/davelewis/2017/10/23/the-ddos-attack-against-dyn-one-year-later/

[4] https://www.ukfast.co.uk/it-security-news/botnets-for-hire-for-pound6-per-hour.html