Hyas Blog | Demystifying the Confusion Around DNS Security
As is often the case in cybersecurity, the term “DNS security" can mean a variety of things in different contexts. This confabulation is problematic because it can be tough to talk about DNS security when we all aren’t speaking about the same things. DNS security issues can be broadly separated into threats that target the infrastructure of the protocol itself and threats that utilize the system during the course of their attacks. Here we will lay out the fundamentals of some common types of attacks in both categories to give you a better sense of the threats presented by both, as well as suggest solutions to mitigate both risks in both categories.
DNS Infrastructure Attacks
First implemented in 1983, DNS is a fundamental internet protocol that was built for efficiency and scalability — but not necessarily security. The system is designed to fulfill lookups as quickly as possible, with recursive resolvers passing the request along to DNS servers higher up the chain of authority if the information is not stored in their cache. Recursive resolvers will contact root servers, which will then pass the request to the TLD nameserver responsible for the queried domain’s extension (.com, .net, .uk, etc.). Finally, the request will be routed to the authoritative nameserver for the requested domain, consulting the domain’s A Record to return an IP address.
This is an elegant system with built-in redundancies to ensure that all requests are fulfilled quickly without overloading any one particular server. Because it works so seamlessly, for most users, it might as well function like the electricity coming out of their wall plug, it just works — which means it is often overlooked.
When it comes to understanding the content and intention of the lookups it performs, the system is fairly passive — after all, its primary job is to be accurate and speedy. This has led to the development of several types of attacks that take advantage of features of the protocol to initiate attacks.
DDoS Attacks
One common method bad actors use to attack DNS infrastructure is to carry out denial of service (DoS) attacks, which overwhelm a server with domain requests, stopping legitimate requests from being fulfilled. DoS attacks most often take the form of distributed denial of service attack (DDoS), which uses devices from many separate networks to attack a target in coordination. Often, the devices used in these attacks are machines infected with malware that effectively turn them into tools of the bad actors. The threat posed by DDoS attacks has lessened in recent years as most authoritative DNS providers have hardened themselves against these types of attacks.
DNS Hijacking and Poisoning
A more subtle manipulation of the protocol is called DNS poisoning, a type of infrastructure attack that redirects traffic to malicious domains by causing a server somewhere in the lookup process to return incorrect information dictated by the bad actors. Another threat, DNS hijacking, is somewhat similar to poisoning in that it also redirects traffic by manipulating DNS lookup results. This technique, however, involves either changing a victim’s A record information on a compromised domain registrar or changing the DNS information stored on the target network’s router.
DNS Tunneling
Because DNS is so vital to the day-to-day functions of the internet, DNS traffic is usually allowed to traverse a network quite freely. This can be taken advantage of to transmit data by hiding it within DNS normal requests. In this way, bad actors are able to use malware to exfiltrate data or establish command and control (C2) via DNS without triggering any alarms.
Security Solutions
Much of the responsibility for preventing attacks that exploit DNS infrastructure falls on the nameserver operators. However, there are steps that individual organizations can take to help protect themselves from some of these threats.
DDoS attacks continue to be a threat to business operations, with the amount of traffic bad actors can wield during an attack continually expanding. In an effort to combat this once-ubiquitous problem, a multitude of solutions have been introduced to the market that detect and filter traffic connected with DDoS attacks.
To mitigate the risk of hijacking, administrators should set up two-factor identification and alerts with their registrar to prevent unauthorized access and changes. It may also be a good idea to enable DNSSEC, an extension that provides encrypted signatures to ensure a valid lookup by comparing the signed results to the results obtained from the queried nameserver, helping protect against DNS poisoning. Finally, it’s worth noting that while DNS tunneling falls under the category of protocol manipulation, the solution discussed in the section below offers the best way to thwart these attacks.
Network DNS Monitoring & Mitigation
Instead of attacking the DNS infrastructure itself, bad actors can simply utilize the protocol at some point (or points) during their overall attack kill chain (including ransomware, phishing, and data theft attacks). In fact, around 94 percent of malware fall into this category, making it a vitally effective tool for fighting network threats. For instance, a phishing attack could involve tricking a user into communicating with a malicious domain, exposing themselves to malware or revealing personal information. In this hypothetical, the attack involves DNS, but only in its traditional role of IP lookup. However, because the process depends on the protocol, a solution that blocks communication with known or likely to be malicious domains disrupts these attacks.
Given the scale of our current cybersecurity problem, it's only a matter of time until some form of malware slips by your perimeter defenses and infects a device. When malware is installed on a device, it has no idea where it is or what it should do. It needs to communicate back to its command and control infrastructure to receive instructions before it carries out the final stage of its attack. Blocking this communication means effectively defusing the threat posed by the malware.
Monitoring Network DNS Traffic
Monitoring network DNS traffic can also reveal artifacts from previous attacks that were not completely removed by looking for this same beaconing behavior within your network. It can also be a useful tool for enforcing policies and standards by restricting users from accessing unauthorized domains, such as those hosting adult materials or located in restricted geographic areas.
HYAS Protective DNS
As you can see, there is no shortage of security risks involving DNS. However, while all of these can be called DNS security issues, they are very different in nature. Implementing the right solution means understanding the multitude of ways DNS can be involved in an attack.
Threats that manipulate the infrastructure of the protocol to carry out their goals often require specific actions depending on the threat. However, when it comes to malicious DNS requests generated from inside your network as part of an attack (including tunneling), you only need one solution, HYAS Protect. Not only will it proactively block access to bad domains based on advanced threat intelligence, it can be used to monitor your network for suspicious DNS communications that may be indicative of malware.
Ultimately, both sides of this equation need to be considered. Securing yourself from one category of DNS attacks does not mean you are protected from the other. Therefore, we do ourselves a disservice when we speak in such broad terms as “DNS security.” By understanding that this is a multi-faceted problem, the better equipped we are to deal with it.