DNS Security – Do not let hackers in through the backdoor

Author
Michelle Gehri
Published
10. January 2018

The DNS (Domain Name System) is everywhere, and in most cases not secure enough. Its role is to be the intermediary between IP address and domain name, like a “telephone directory of the Internet”; therefore, it goes through almost every firewall. But some care is needed: the DNS is also one of the pillars of your IT security, which makes it one of the preferred attack targets for cyber criminals. Do you want to know from which attacks do you have to protect yourself? And what precautions do you need to take to be on the secure side? Here you are on the right side – and secure as well.

DNS traffic is everywhere, and it is massive. No wonder then, that most enterprises give scarce attention to it, and never record it. DNS systems are in fact relatively robust, but not (yet) configured for full cyber security. Therefore, it comes hardly as a surprise that they are the targets of a large number of complex attacks, which exploit the communication between server and client. The intents of hackers range from sending spam, to industrial espionage, all the way to political reasons or even cyberwar. 

DNS-based cyber attacks – you must protect yourself

Cyber Security is hugely dynamic, and hackers adapt themselves fast. For an enterprise like yours, effective protection against attacks turns into an ever-growing challenge. Add to this, as mentioned above, that DNS security is unfortunately – and incomprehensibly – still widely overlooked. This is exactly what hackers exploit, shamelessly. So far, there are countless attack forms; and new ones come by the day, ever more sophisticated. This sounds like: can’t be done, doesn’t exist. But let us show you the seven most frequent, and (alas) most efficient forms of attack:

1. Cache Poisoning

Cache poisoning, also known as DNS poisoning of spoofing, is one of the best-known ways of attack. In this method, the DNS resolver’s cache is rigged in such a way, that all requests go to a fake IP address, and therefore lead to a forged domain. For instance, traffic from an entire company network can be routed away from “ebanking.com” to a forged Web site.

2. Zero-Day-Exploits

A zero-day exploit is a kind of attack by which a hacker exploits vulnerabilities that are yet unknown to the public (and to the specialists, more precisely), so that no patch is yet available to fix them. Read this blog post on the subject of how to achieve protection against such attacks.

3. DoS-/DDoS-Attacks

A Denial of Service (DoS) attack consists of sending constant traffic to a specific IP address, for instance millions of queries, an overflow of data packets, or bombarding the mail server. The server cannot manage this flow of queries, which brings it down to its knees. A DDoS attack (Distributed Denial of Service) differs only in the fact that the attack does not come from one single source but from many. The purpose of this attack is to limit the target service, block it, and make it unusable.

4. DNS Amplification

DNS Amplification is a DDoS attack to which an Open DNS Resolver is added. A DNS server should only answer to requests from its own domain; however, if it allows recursive requests – i.e. requests that bring to external domains – it is possible to exploit this instance, in combination with IP spoofing (faking the sender’s IP address) to perform DDoS attacks.

5. Fast-Flux DNS

In this case, the attacker (in most cases a virus) rapidly replaces DNS entries, to hijack DNS queries and thus not be discovered, or to make the discovery and elimination of the attacker’s infrastructure much harder.

6. Domain Phishing

In this attack, an entire domain is “stolen” and redirected. The difference from the original domain address is not apparent. The actual attack can be triggered with stolen sensitive information, for instance passwords or PINs.

7. Data Exfiltration via DNS

In most enterprises, Internet traffic usually goes through a proxy server or a firewall; therefore, it is often difficult for an attacker to draw out vast masses of data from the enterprise’s network, without being found. Data exfiltration happens when the attacker “hides” the data, which he wants to carry out, inside DNS queries, which are not filtered by a proxy. In this way the attacker creates an unfiltered, i.e. unsupervised, way out of the company network.

This is how to protect your DNS

This list of attack methods is obviously not conclusive: there are many more available, many of which are yet unknown. This means that DNS security must be an important component of your cyber security strategy. You need multi-level, carefully selected security solutions. Care for an overview?

  • DNS Firewalls are ever more unavoidable, because they do a real-time discovery of anomalies that can be quickly fended off by cyber defence measures. The firewall also helps protect the DNS from malicious domains.
  • Domain Name Security Extensions (DNSSEC) help assure the authenticity and integrity of data; they can also digitally sign the DNS entries, to make sure that suspicious sources cannot infect such entries.
  • DoS-/DDoS protection systems support attack awareness, and keeping damage to a minimum. 
  • Monitoring and Logging DNS queries help uncover any possible hidden channel that an attacker may have built into the DNS, to tap data out of the enterprise. In this way, «strange» DNS queries can be inspected more in detail.

How really dangerous are DNS attacks?

Cyber criminals have known the potential of unprotected DNS systems for a long time, and have their ways of working around protection mechanisms by adopting several attack methods. In this year alone, DNS-based attacks have much grown; and the trend keeps growing. What is the state of security in your enterprise? The integration of DNS security in your cyber security strategy, and implementation of appropriate security solutions, is considered essential by our experts.

Top DNS protection thanks to Infoblox

Would you like to know what we suggest to you, like we do to our customers? Very simple: the newest solutions by Infoblox , a leading manufacturer of DNS, DHCP, IP address and TFTP management, guarantee top protection to your DNS. These solutions offer services that help you connect users, end devices and networks to one another, that are reliable, scalable, easy to manage and secure. The combination of local, application-based services, and an expanded, decentralised database, guarantees continuity of management, optimal availability, control, and transparency.

Share article