With an increasing proportion of daily business reliant on the public internet, having effective Domain Name System (DNS) security in place has never been more important. Interacting with malicious web sites or downloading infected files can cause significant disruption and financial loss.
Unfortunately, DNS security is often ignored by organisations. Within many IT departments, it is uncontrolled, unmonitored and not well understood. This makes it an increasingly attractive attack vector for cyber criminals, who use DNS-based techniques to infiltrate corporate networks.
According to the Arbor Networks 2018 Worldwide Infrastructure Security Report, which is based on a survey of 390 network operators and large enterprises, 16 per cent of respondents admit they have no group responsible for DNS security. Of those surveyed, 25 per cent have witnessed DNS-based Denial of Service (DoS) attacks and 13 per cent say they had no visibility.
As well as mounting DoS attacks, criminals can use DNS to hide command and control traffic, hijack domains or resolvers, and exfiltrate data using techniques such as DNS tunnelling.
Some of the risks stemming from poor DNS security include:
- Having zero visibility: It is not possible to secure what can’t be seen, so if threats are not appearing on the security radar it will be impossible to prevent them. This can be mitigated by gaining awareness and visibility within the network infrastructure: logging queries and responses at the resolver, visualising that data and deploying DNS analysis tools.
- DNS cache poisoning: This is perhaps the best-known DNS vulnerability and stems from a fundamental weakness in the DNS protocol that was widely publicised in 2008. An attacker inserts a forged record for a legitimate domain name into a resolver’s cache, so that users are diverted to an attacker-controlled site where their details can be harvested, which makes it an effective aid to phishing. This can be mitigated by using trusted recursive DNS servers that randomise source ports and transaction IDs and that validate DNSSEC signatures where they exist.
- DNSSEC: This protocol was designed to authenticate DNS responses, but deploying it carelessly can make matters worse. Signed responses are larger, which makes DNSSEC-enabled servers attractive for reflection and amplification attacks, and a mistake in signing or key rollover can take a domain offline. Adoption remains limited, and a validating resolver only protects lookups for zones that are actually signed, so its benefit grows only as more of the internet deploys it. Mitigation is difficult while it is not widely used.
- Footprinting: Using this technique, a cybercriminal maps a corporate network, for example by requesting a full zone transfer (AXFR) from a misconfigured authoritative server, and then uses the hostnames and addresses gleaned to mount further attacks such as IP spoofing. Again, mitigation comes down to visibility as well as restricting zone transfers to authorised secondary servers.
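The zone-transfer mitigation above, shown as a BIND 9 named.conf fragment. This is an added example, not configuration from the original article or from any particular product: the zone name, file path, key name and secondary addresses are placeholders, and the TSIG secret must be generated locally (for example with the tsig-keygen tool shipped with BIND 9).

```conf
// WEAK: any host on the internet may pull the whole zone with AXFR,
// handing an attacker a ready-made map of the network.
zone "example.com" {
    type primary;                 // "type master" on BIND releases before 9.16
    file "zones/db.example.com";
    allow-transfer { any; };
};

// HARDENED: deny transfers by default, then permit only authenticated
// secondaries (TSIG key) or, failing that, an explicit address list.
options {
    allow-transfer { none; };     // global default: nobody
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // placeholder addresses

zone "example.com" {
    type primary;
    file "zones/db.example.com";
    allow-transfer { key xfer-key; };   // or: allow-transfer { secondaries; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

The same key must be configured on each secondary so that it signs its AXFR/IXFR requests. Apply the global `allow-transfer { none; }` first: it closes the hole for every zone, including any added later without a per-zone setting.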
Moving beyond DNS security
DNS security is inherently limited because there is only so much insight that can be gleaned from a name and a number. Queries undertaken by DNS security solutions are effectively limited to:
- Age and history: Was the domain recently registered or transferred?
- Obscurity: Have there been queries made to the domain before?
- Record analysis: How many records are returned from each query?
- Reputation: Are the resolved domains or IP addresses known to be safe?
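The signals listed above, together with the resolver logging and tunnelling detection mentioned earlier in the piece, can be computed from nothing more than a query log. The following is an added example, not code from the original article or any vendor product: it parses a small set of constructed resolver log lines (timestamp, client, query name, query type) and scores each registered domain for obscurity (never seen in a baseline), record analysis (share of TXT queries) and a tunnelling pattern (many unique, high-entropy subdomain labels). The log format, the baseline set and the thresholds are assumptions; a real deployment would use a public-suffix list rather than the last-two-labels approximation used here.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "timestamp client qname qtype". Not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 www.example.com A
2024-05-01T09:00:02Z 10.0.0.5 cdn.example.net A
2024-05-01T09:00:03Z 10.0.0.9 www.example.com A
2024-05-01T09:00:04Z 10.0.0.5 mail.example.com MX
2024-05-01T09:00:05Z 10.0.0.7 3q7z9k2m1x8v4c6b.update-srv.xyz TXT
2024-05-01T09:00:06Z 10.0.0.7 p0o9i8u7y6t5r4e3.update-srv.xyz TXT
2024-05-01T09:00:07Z 10.0.0.7 z1x2c3v4b5n6m7a8.update-srv.xyz TXT
2024-05-01T09:00:08Z 10.0.0.9 login.newvendor-portal.com A
"""

# Assumed baseline of registered domains the organisation has resolved before.
BASELINE = {"example.com", "example.net"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list, so names under e.g. .co.uk would be mis-split)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_domains(records, baseline, min_queries=3):
    """Per registered domain: query volume, subdomain churn, TXT share,
    mean entropy of the leftmost label, and the flags those signals trigger."""
    per = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "txt": 0, "entropies": []})
    for r in records:
        d = registered_domain(r["qname"])
        s = per[d]
        s["queries"] += 1
        sub = r["qname"][:-len(d)].rstrip(".") if r["qname"] != d else ""
        if sub:
            s["subdomains"].add(sub)
            s["entropies"].append(shannon_entropy(sub.split(".")[0]))
        if r["qtype"] in ("TXT", "NULL"):   # types commonly abused for tunnelling
            s["txt"] += 1

    results = {}
    for d, s in per.items():
        flags = []
        if d not in baseline:                      # obscurity signal
            flags.append("never-seen-before")
        uniq_ratio = len(s["subdomains"]) / s["queries"]
        mean_ent = (sum(s["entropies"]) / len(s["entropies"])) if s["entropies"] else 0.0
        txt_ratio = s["txt"] / s["queries"]
        # Thresholds are assumptions chosen for the sample; tune against real traffic.
        if s["queries"] >= min_queries and uniq_ratio >= 0.8 and mean_ent >= 3.0:
            flags.append("tunnelling-pattern")
        if s["queries"] >= min_queries and txt_ratio >= 0.5:   # record-analysis signal
            flags.append("txt-heavy")
        results[d] = {"queries": s["queries"],
                      "unique_subdomains": len(s["subdomains"]),
                      "mean_label_entropy": round(mean_ent, 2),
                      "txt_ratio": round(txt_ratio, 2),
                      "flags": flags}
    return results


def flagged_domains(results):
    """Sorted list of domains that triggered at least one flag."""
    return sorted(d for d, v in results.items() if v["flags"])


if __name__ == "__main__":
    for d, v in score_domains(parse_log(SAMPLE_LOG), BASELINE).items():
        print(f"{d:24} {v}")
```

In the sample, example.com and example.net are in the baseline and show ordinary subdomain churn, so they raise nothing; newvendor-portal.com is flagged only as never seen before, which by itself warrants a reputation or registration-age lookup rather than a block; update-srv.xyz is new, TXT-only and uses a different random-looking 16-character label on every query, the classic tunnelling shape.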
While these factors are clearly significant, it is important that an organisation goes beyond this to ensure effective network security and, for this to be achieved, other security tools are required.
For example, an organisation’s IT team needs the ability to inspect encrypted traffic so that it can see the content coming back from a site visited by a staff member. Tools are needed that support techniques such as destination-based blocking, browser control, in-line content control and risk-based scoring.
This extra security is made even more important by the increasing amount of data served from content delivery networks (CDNs). When a user visits a known legitimate site, much of the content could well come from a third-party CDN, and because the same CDN hostnames serve legitimate content for many customers, conventional DNS security has no way of telling good content from bad. For this reason, the IT department needs content inspection capabilities to ensure this does not result in malware entering the organisation.
Growth in the use of filesharing services such as Box, Dropbox and Google Drive also opens up the potential for infected files to enter an organisation. Again, conventional DNS security provides very limited (if any) protection against these types of threats.
It is important for IT departments to review their DNS security, identify any blind spots that exist, and deploy tools and processes to overcome them. By taking these steps now, an organisation puts itself in a far better position to defend against DNS-based threats regardless of the form in which they arrive.