Michael Kaczmarek at Neustar explains why Domain Name System Security Extensions are a critical part of any cyber security strategy
The Domain Name System (DNS) is a foundational part of the internet. Its hierarchical structure is well known and well understood. However, DNS is much more than a single set of products. There are many interconnected operations within the address resolution process – and therefore various stages in which bad actors can inject themselves.
Due to the DNS’s complex nature, it is still seen as an appealing target for malicious actors. In April, more than 100 million connected IoT devices, thousands of which were physically located in the UK, were thought to be at risk from nine newly disclosed DNS vulnerabilities. Collectively, these vulnerabilities were dubbed NAME:WRECK.
With attacks presenting themselves in a number of different ways, it is an ongoing challenge to protect against them. One primary category of DNS attacks includes those that deliver bad or false answers to a DNS query, such as cache poisoning, domain hijacking or man-in-the-middle.
The goal of these attacks is to redirect users by sending them to a malicious site, rather than to the actual site they are seeking. When successful, this exploit allows the attacker to effectively take down an online presence or impersonate the legitimate site.
Unified goal, separate targets
While each of these DNS attacks has the same goal, different ones target different elements within a DNS query and the overall infrastructure. This means they can be difficult to identify and mitigate.
Cache poisoning attacks, for example, rely on brute force: the attacker floods a recursive resolver with hundreds of forged address ‘resolutions’ in the hope that one of them is accepted and cached. The forged responses usually carry a very long Time to Live (TTL) to give them staying power within the ‘poisoned’ recursive resolver.
In a domain hijacking attack, the bad actor works their way into the position of acting as the domain owner, and can then make changes just as the owner would. These attacks are nearly always either inside jobs, theft of login credentials, or the result of successful social engineering or phishing.
One of the best-known DNS hijacking attacks on record happened back in 2017, when hackers took over an entire Brazilian bank’s online footprint for five hours. The attackers changed the registration for the bank’s online properties, redirecting them to servers that had been provisioned in the cloud. Anyone visiting the bank’s URLs during that period was sent to look-alike sites that had been built to simulate the bank’s own sites.
Where DNSSEC comes in
During the Brazilian bank heist, the attackers did not rob the bank; they became the bank. The hijack not only took over the organisation’s public website, but also redirected control over its email servers, so there was almost no way for it to warn customers of the compromise. Not only that, but the hijacked sites also installed malware designed to look like an update to the bank’s trusted communication software. Similar incidents have occurred since this takeover.
Luckily, there is a means to defend against these attacks and others like them: the Domain Name System Security Extensions (DNSSEC).
DNSSEC is a method of validating the legitimacy of a DNS address resolution and provides end-to-end data integrity checks. The protocol uses asymmetric cryptography, also known as public key cryptography. Rather than encrypting the traffic, it attaches digital signatures to DNS records, so query results validated with DNSSEC are confirmed to be the correct and unmodified responses. If the signatures do not validate, the resolution fails, and users are not sent to a bad site.
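The chain of trust behind those signatures starts with the DS record a parent zone publishes for the child's signing key. The following is an added example, not code from the article or from Neustar: it computes the DNSSEC key tag and DS digest from a DNSKEY using only the Python standard library and the wire formats in RFC 4034, and shows that a substituted key does not match the published DS. The zone name example.com and the key bytes are constructed placeholders, not a real zone's key.

```python
"""DNSSEC chain-of-trust check: does the DS at the parent match the child's DNSKEY?
Wire formats follow RFC 4034 (key tag: Appendix B; DS digest: section 5.1.4)."""
import hashlib
import struct

# Digest types from the IANA DS registry: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA = key tag | algorithm | digest type | hash(owner name wire | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    algorithm = rdata[3]  # byte 3 of the DNSKEY RDATA is the algorithm number
    return struct.pack("!HBB", key_tag(rdata), algorithm, digest_type) + digest


def ds_matches(owner: str, dnskey: bytes, published_ds: bytes) -> bool:
    """True if the DS published at the parent was derived from this DNSKEY.
    A mismatch (for example a stale DS after a key rollover) makes validating
    resolvers reject every answer from the zone, not only tampered ones."""
    digest_type = published_ds[3]
    if digest_type not in DIGEST_ALGS:
        return False
    return ds_rdata(owner, dnskey, digest_type) == published_ds


if __name__ == "__main__":
    # Constructed sample key: NOT a real zone key, just 32 placeholder bytes.
    ksk = dnskey_rdata(257, 13, bytes(range(32)))          # algorithm 13 = ECDSAP256SHA256
    ds = ds_rdata("example.com.", ksk)
    substituted = dnskey_rdata(257, 13, bytes(range(1, 33)))  # different key material
    print("key tag", key_tag(ksk), "DS", ds.hex())
    print("published DS matches real key:", ds_matches("example.com.", ksk, ds))
    print("published DS matches substituted key:", ds_matches("example.com.", substituted, ds))
```

To check a live zone, feed the DNSKEY RDATA from the child and the DS RDATA from the parent into `ds_matches`; the two are normally obtained with a DNS client such as `dig`.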
Unfortunately, DNSSEC is still widely underutilised and doesn’t get the same attention that many other security solutions do. It’s only when things go wrong that organisations realise DNSSEC could have helped them.
Protecting your DNS
DNS is central to business operations; after all, virtually every communication on the internet begins there. You can ultimately save both time and money by considering how essential DNS is to your business and taking steps to protect it proactively, rather than having to scramble to recover in reaction to an exploit.
As part of this, you should make sure to use good account hygiene and access controls based on job roles for all DNS-related accounts. There also needs to be adequate capacity and protection in case of a DDoS attack against your DNS infrastructure. As in many other cases, your site doesn’t have to be taken offline to be negatively affected – just slowing things down could lose you customers and engagement.
Finally, implement DNSSEC. It’s the only way to ensure that the site information returned from a query is legitimate. While DNS security does take some initial effort, if well-implemented the benefits are huge.
Michael Kaczmarek, VP of Security Solutions, Neustar