Domain Name System (DNS): Researchers from Cisco Talos announced a significant new cyber-espionage campaign in November 2018 in which hackers harvested logins from Middle East governments and private-sector enterprises. The so-called ‘DNSpionage’ attacks were subsequently claimed by FireEye to be part of a highly successful Iranian state-sponsored campaign to steal credentials from victims – operating at “an almost unprecedented scale.”
The attacks, together with another major campaign revealed earlier this year, shone a spotlight on an often overlooked part of IT infrastructure: the Domain Name System (DNS). This foundational layer of the internet represents a potential open door in an organization’s IT infrastructure for hackers to sneak through. Closing and guarding it will require an industry-wide response.
What Is Domain Name System (DNS)?
Often described as the ‘phone book of the internet,’ the Domain Name System (DNS) protocol acts as a kind of digital signposting system, converting the domain names humans type into their computers into the IP addresses machines need to communicate online. Without it, simple tasks such as web browsing would become extremely labor-intensive, making it difficult for users to find the websites, apps and connected machines they’re looking for online.
This phone book is spread across a dispersed global network of DNS servers designed to ensure users are pointed to the right web properties. When a browser query hits a recursive resolver, usually run by an ISP or other third party, the recursive resolver talks first to an authoritative root server, which holds information on the top-level domains (TLDs), and then to an authoritative TLD name server, which holds address information for the name servers of second-level domains within that TLD. The request finally goes to the domain’s own authoritative name server, which returns an IP address so the user can visit the relevant site.
Domain Name System (DNS): Single-Vector And Multi-Vector Attacks
This complex web of interlinked servers run by ISPs, telecoms companies and some large corporates means a potentially huge attack surface for hackers to target. The Domain Name System (DNS) was also designed and built decades ago, long before commercial cybercrime, with usability rather than security in mind. This leaves it open to abuse.
According to Paul Vixie, Domain Name System (DNS) pioneer and CEO of Farsight Security, there are three main types of DNS-based attack: amplification, poisoning (aka spoofing) and bypass. The first of these is one of several ways to DDoS a victim organization via DNS.
“DDoS amplification occurs because DNS uses a stateless protocol and because requesting source IP addresses are trivially forged,” he explains further. “This means I can cause your DNS server to receive tens or even hundreds of gigabits of unsolicited traffic by forcing your IP address on requests to high performance DNS servers all around the world. That attack will make your server, and perhaps your network connection, unusable.”
Domain Name System (DNS) poisoning occurs “when an attacker can launch well-timed answers during the brief interval when a client is waiting for a real answer to an outstanding question,” he continues. Sometimes this is achieved by attacking the DNS servers themselves to change the answers to queries stored there, unwittingly diverting users to phishing or malicious sites. Also known more generically as DNS hijacking, this is the technique used by the Iranian attackers described above.
Domain Name System (DNS) bypass threats arise when organizations or netizens use third-party services like DNS-over-HTTPS or Google’s 8.8.8.8 public resolver. “These services are well-intentioned but are policy-ignorant, and many risks to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service,” explains Vixie.
One emerging bypass threat that has hit the headlines recently is called a Domain Name System (DNS) rebinding attack. Although it has been known about for some time, concerns are growing. Recently described by Tripwire as “a technique that turns a victim’s browser into a proxy for attacking private networks,” it could spell serious trouble in the future as billions of IoT devices are vulnerable to the threat. It could become an increasingly popular way to sabotage or conscript these connected endpoints into botnets.
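Rebinding works because a name an attacker controls is suddenly answered with an address inside the victim’s network. As an added example, not code from the article or from any vendor quoted in it, the following Python shows the two defensive checks that break this: a resolver-side filter in the spirit of dnsmasq’s --stop-dns-rebind option, which drops private-address answers for external names, and a device-side Host header check for an IoT web interface. The sample answers and the `.corp.internal` zone are constructed.

```python
import ipaddress

# Constructed sample DNS answers as (queried name, address returned); not real hosts.
SAMPLE_ANSWERS = [
    ("www.example.com", "5.6.7.8"),               # ordinary public answer (made-up address)
    ("cdn.attacker.example", "192.168.1.20"),     # public name pointing into the LAN
    ("printer.corp.internal", "10.0.0.7"),        # internal zone, private answer expected
    ("attacker.example", "127.0.0.1"),            # public name pointing at loopback
    ("ipv6.attacker.example", "fd12:3456::1"),    # public name pointing at a ULA address
]

# Zones that legitimately resolve to private space (hypothetical internal zone).
INTERNAL_SUFFIXES = (".corp.internal",)

def is_private_target(addr):
    """True for RFC 1918, loopback, link-local and IPv6 ULA addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def filter_rebinding(answers, internal_suffixes=INTERNAL_SUFFIXES):
    """Resolver-side check in the spirit of dnsmasq's --stop-dns-rebind: drop any
    answer that maps an external name onto a private address."""
    accepted, dropped = [], []
    for name, addr in answers:
        external = not name.lower().endswith(internal_suffixes)
        (dropped if external and is_private_target(addr) else accepted).append((name, addr))
    return accepted, dropped

def host_header_allowed(host_header, allowed_hosts):
    """Device-side check: a rebinding request carries the attacker's hostname in
    Host:, so a web interface should only serve its own names and addresses."""
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [fd12::1]:8080
        host = host.split("]")[0] + "]"
    elif host.count(":") == 1:            # hostname:port or IPv4:port
        host = host.split(":")[0]
    return host in {h.lower() for h in allowed_hosts}
```

Both checks are needed: the resolver filter protects every client on the network, while the Host check protects a device even when its clients use a third-party resolver that bypasses local policy.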
Domain Name System (DNS) also provides a handy channel for stolen data to leave the organization. As DNS traffic is essential to the smooth running of the business, most firewalls are set to whitelist it. By using so-called ‘tunneling’ techniques, attackers can hide data in DNS packets and smuggle it out of the victim organization.
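Because a tunnel has to encode its payload into query names, it leaves traces in resolver logs that the firewall whitelist does not hide. The Python below is an added example (not from the article) of the monitoring approach the experts later recommend: it groups queries by parent domain and flags the traits tunnelling tools leave behind. The log format and every line in it are constructed, and the thresholds are starting points, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log, one "<timestamp> <client> <qtype> <qname>" per line.
# The four TXT queries stand in for a tunnel carrying encoded data in the first label.
SAMPLE_LOG = """\
2019-05-02T10:00:01Z 10.0.0.5 A www.example.com
2019-05-02T10:00:02Z 10.0.0.5 AAAA mail.example.com
2019-05-02T10:00:03Z 10.0.0.9 TXT q7d3k9x2m4p8w1r5t6y0u3i9o2a5s8d1f4g7h0j3.t.exfil-example.net
2019-05-02T10:00:03Z 10.0.0.9 TXT z1x4c7v0b3n6m9a2s5d8f1g4h7j0k3l6p9o2i5u8.t.exfil-example.net
2019-05-02T10:00:04Z 10.0.0.9 TXT w2e5r8t1y4u7i0o3p6a9s2d5f8g1h4j7k0l3z6x9.t.exfil-example.net
2019-05-02T10:00:04Z 10.0.0.9 TXT c3v6b9n2m5q8w1e4r7t0y3u6i9o2p5a8s1d4f7g0.t.exfil-example.net
2019-05-02T10:00:05Z 10.0.0.5 A cdn.example.com
"""

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score high."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parent_domain(qname, levels=2):
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def analyse(log_text, max_label=30, min_entropy=3.0, max_unique=3):
    """Flag parent domains showing at least two tunnelling traits: many unique
    subdomains, long first labels, high-entropy labels, or bulk-data record types."""
    stats = defaultdict(lambda: {"unique": set(), "long": 0, "entropy": 0, "bulk": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _, _client, qtype, qname = parts
        s = stats[parent_domain(qname)]
        first = qname.split(".")[0]
        s["unique"].add(qname)
        s["long"] += len(first) > max_label
        s["entropy"] += entropy(first) >= min_entropy
        s["bulk"] += qtype in ("TXT", "NULL")
    findings = {}
    for parent, s in stats.items():
        reasons = [text for flag, text in (
            (len(s["unique"]) > max_unique, "many unique subdomains"),
            (s["long"], "first label over %d chars" % max_label),
            (s["entropy"], "high-entropy labels"),
            (s["bulk"], "TXT/NULL queries")) if flag]
        if len(reasons) >= 2:
            findings[parent] = reasons
    return findings
```

Requiring two traits keeps legitimate CDN and anti-spam domains, which often show one of them, out of the alert queue.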
Domain Name System (DNS): A Wait-And-See Policy
Threats to the Domain Name System (DNS) are soaring. Just months after US-CERT issued an emergency directive following the DNSpionage attacks, researchers discovered another sophisticated campaign that had been ongoing since 2017. The so-called Sea Turtle attackers hijacked DNS servers around the world to harvest sensitive log-ins from military and government organizations in the Middle East. However, it’s not just large-scale nation state-like attacks that are on the increase.
Over three-quarters (77%) of global organizations were hit by a DNS attack in 2018, with the average firm suffering seven attacks, according to EfficientIP research from last year. Some 40% of respondents suffered cloud outages, one-third (33%) were victims of data theft and 22% lost business as a result. Globally, the average cost per DNS attack rose 57% year-on-year, but in the UK the figure soared 105%, with firms paying nearly $4m annually as a result.
The bad news is that Domain Name System (DNS) attacks are likely to become more popular as security measures like IDS/IPS, next-gen firewalls and endpoint tools deter hackers from using other threat vectors, according to Gary Cox, Infoblox technical director for Western Europe.
“This is the game of cat and mouse that is continually being played as vulnerabilities are plugged,” Gary Cox explains.
The DNS threat will also get harder to spot, adds Nominet head of IT security, Cath Goulding.
“There are various different devices that now connect to external networks,” she explains. “It’s no longer just desktop terminals, but printers, lights, access controls, factory machines and more. With so much traffic going through the DNS, it’s very easy to hide malicious packets in among genuine data.”
Domain Name System (DNS): Taking On The DNS Threat
Combatting the growing Domain Name System (DNS) threat starts with improving awareness. “Despite the danger, so many businesses seem to turn a blind eye to protecting their DNS. In fact, 75% of the C-suite say they have gaps in their knowledge relating to how the DNS can be used in cyber-attacks against their organization,” argues Goulding.
However, the very ubiquity that makes DNS an attractive threat vector for attackers can make it a useful place from which to mitigate threats.
“What people don’t realize is that so many threats can be stopped at a Domain Name System (DNS) level, as almost all traffic has to pass through there,” Goulding explains. “Monitoring it in real time means that threats can be caught and dealt with before they go further. Many techniques used by hackers can be caught and stopped by DNS monitoring, snuffed out before they get through to attack critical systems.”
Experts also point to the need for improved employee security awareness, teaching staff not to click on malicious phishing links that may be used as part of rebinding attacks.
“Domain Name System (DNS) firewalling/response policy zones can also be a great asset in the fight against DNS rebinding, but its effectiveness is directly aligned with the quality of intelligence data that it is acting on. High quality, highly curated threat intelligence with low false positives should be your starting point,” adds Infoblox’s Cox.
“In addition to thinking about ways to protect against Domain Name System (DNS) rebinding, companies should be checking with their IoT suppliers to ensure APIs and web interfaces are secure in the first place – so using an HTTPS connection by default instead of HTTP would be a good starting point.”
ISACA board director, Asaf Weisburg, argues that basic housekeeping can go a long way to improving the resilience of Domain Name System (DNS) servers.
“This includes keeping the DNS server up-to-date and upgrading to the latest version available, as well as conducting a periodic review of logs, DNS zone configuration and permissions,” he says. “Hardening a DNS server may further improve its resilience, including by restricting zone transfers to specific hosts, by allowing transfer to trusted servers only, disabling DNS recursion to prevent cache poisoning attacks, and by applying security through obscurity by forbidding the BIND version from being exposed.”
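Weisburg’s checklist maps directly onto a handful of BIND `options {}` statements. The Python below is an added example, not code from the article or from ISACA, that audits a named.conf fragment for those items (recursion, zone-transfer restriction, version disclosure) and goes one step further by also checking for response rate limiting, which addresses the amplification risk Vixie describes earlier. Both configuration fragments are constructed for illustration.

```python
import re

# Constructed named.conf fragments for illustration; not taken from any real server.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""

HARDENED_CONF = """\
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { 192.0.2.53; 198.51.100.53; };
    version "not disclosed";
    rate-limit { responses-per-second 10; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""

def option(conf, name):
    """Value of a 'name value;' statement inside the top-level options {} block, or None."""
    block = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    if not block:
        return None
    m = re.search(r"^\s*%s\s+(.+?);\s*$" % re.escape(name), block.group(1), re.M)
    return m.group(1).strip() if m else None

def audit(conf):
    """Return the hardening gaps found in an authoritative BIND configuration."""
    findings = []
    if (option(conf, "recursion") or "yes").lower() == "yes":   # BIND defaults to yes
        findings.append("recursion enabled: cache poisoning and amplification exposure")
    xfer = option(conf, "allow-transfer")
    if xfer is None or re.search(r"\bany\b", xfer):
        findings.append("zone transfers not restricted to trusted hosts")
    if option(conf, "version") is None:
        findings.append("BIND version disclosed to version.bind CHAOS queries")
    if option(conf, "rate-limit") is None:
        findings.append("no response rate limiting against amplification")
    return findings
```

The parser only handles the flat `options {}` layout shown; views or included files would need a real named.conf parser such as `named-checkconf -p` output.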
DNSSEC (Domain Name System Security Extensions) has been touted as a great way to prevent Domain Name System (DNS) hijacking and poisoning. Yet despite being developed in the late 1990s, take-up has been disappointingly low, leaving plenty of exposed servers for attackers to target.
In fact, less than 20% of the world have adopted the specifications, according to APNIC. It remains to be seen whether a recent plea from ICANN for greater adoption of the standard finally spurs the concerted, industry-wide response required to make a serious difference.
Whatever happens, it looks like the DNS is going to play an increasingly important role in cybersecurity over the coming years, for both defenders and attackers.