The impact of cyber attacks on the Domain Name System (DNS) has been highlighted recently with news stories about a series of DNS hijacking attacks targeting governments and other organizations in Europe and the Middle East.
This is just the latest DNSpionage campaign among a range of domain-focused threats that aim to compromise vital elements of DNS infrastructure. Attackers are becoming ever more creative and brazen as they find new means to sabotage the DNS system; the primary result is that users and applications are misdirected from an authentic website to a malicious destination.
In its round-up of the six most noteworthy cybersecurity threats of 2019, Cisco highlighted DNS Hijacking, describing the ‘Sea Turtle’ attack as an example of this. The Sea Turtle hijackers pursued organizations that control top-level domains, and exploited multiple vulnerabilities to gain access to the name servers for entire domains. They changed the DNS records for webmail servers, allowing them to intercept connections from users logging into webmail systems.
The net result was that they could not only steal users’ credentials, but also read all the data passed to and from the webmail system and the users.
Sea Turtle, whilst renowned, is just one DNSpionage case. Other forms of domain compromise include DNS flooding, a DDoS attack in which DNS servers are overloaded until they can no longer respond; DNS cache poisoning, or spoofing, where malicious data is injected into resolvers’ caches; and DNS tunnelling, where encoded data from other applications is smuggled inside DNS queries and responses. There are others, and the incidence and variety of these attacks are a strong indicator of just how often malicious actors are able to breach defenses, if defenses exist at all.
Such is the seriousness of these attacks on mission-critical DNS that ICANN, the Internet Corporation for Assigned Names and Numbers, issued a warning of an ‘ongoing and significant risk’ to key parts of the domain name system infrastructure. This was underlined by the UK’s National Cyber Security Centre, which has provided advice to companies on how they can protect themselves.
Building fortifications against attacks
Against this backdrop, there is a pressing requirement for DNS redundancy and organizations should be looking for solutions that give them availability assurance. Anycast DNS, for example, is a resilient routing method that can divert DNS requests to an available server if resources are impacted by a cyberattack or due to internet connectivity problems.
Two-factor authentication and single sign-on are also recommended to strengthen access controls. Organizations using scripts or APIs to update DNS should deploy strong authentication keys and restrict key usage to valid sources, for example by IP whitelisting access to DNS registrars, DNS control panels and APIs. They can also monitor for any alterations to DNS records and tie the audit logging of their DNS vendor into their SIEM or other monitoring systems.
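As an added illustration of the monitoring step above (this is example code, not part of the original article or any vendor's tooling), the following script runs a simple policy check over constructed DNS-provider audit events: changes made by an unapproved principal, from outside the allow-listed network, or to delegation, mail or monitored webmail records are flagged for the SIEM. The JSON field names, principal name and network ranges are assumptions.

```python
import ipaddress
import json

# Constructed sample audit events in JSON-lines form, as a DNS provider's API
# log might emit them. The field names are an assumption, not any vendor's schema.
SAMPLE_AUDIT_LOG = """
{"ts":"2019-04-01T09:12:03Z","actor":"dns-deploy","src_ip":"203.0.113.10","zone":"example.com","name":"www.example.com","type":"A","old":"198.51.100.20","new":"198.51.100.21"}
{"ts":"2019-04-01T23:41:55Z","actor":"dns-deploy","src_ip":"198.18.5.7","zone":"example.com","name":"mail.example.com","type":"A","old":"198.51.100.25","new":"192.0.2.99"}
{"ts":"2019-04-02T02:15:10Z","actor":"jsmith","src_ip":"203.0.113.10","zone":"example.com","name":"example.com","type":"NS","old":"ns1.example.net","new":"ns1.rogue-host.example"}
{"ts":"2019-04-02T10:00:00Z","actor":"dns-deploy","src_ip":"203.0.113.12","zone":"example.com","name":"cdn.example.com","type":"CNAME","old":"a.cdn.example","new":"b.cdn.example"}
"""

# Policy (assumed values): only this automation principal may change records,
# only from the allow-listed network, and changes to delegation, mail and
# monitored webmail names are always escalated because that is what hijackers retarget.
APPROVED_ACTORS = {"dns-deploy"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_TYPES = {"NS", "MX", "DS", "SOA"}
SENSITIVE_NAMES = {"mail.example.com", "webmail.example.com"}


def classify(event):
    """Return the policy violations (empty list = benign) for one audit event."""
    reasons = []
    if event["actor"] not in APPROVED_ACTORS:
        reasons.append("actor not approved")
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in APPROVED_NETS):
        reasons.append("source IP outside allow-list")
    if event["type"] in SENSITIVE_TYPES:
        reasons.append("change to delegation/mail record type " + event["type"])
    if event["name"] in SENSITIVE_NAMES:
        reasons.append("change to monitored name " + event["name"])
    return reasons


def find_suspicious(log_text):
    """Parse JSON-lines audit events and return (event, reasons) for every policy violation."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event, reasons))
    return hits


if __name__ == "__main__":
    for event, reasons in find_suspicious(SAMPLE_AUDIT_LOG):
        print(event["ts"], event["name"], event["type"], "->", event["new"], "|", "; ".join(reasons))
```

Of the four constructed events only the change to the webmail host from an unexpected network and the NS change by an interactive user are flagged; routine automation changes pass silently.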
TSIG (Transaction Signature), a DNS protocol extension, can provide enhanced security for zone transfers between DNS servers. By cryptographically signing each zone-transfer message with a key shared between the servers, the source of the zone transfer is validated as trusted, preventing attackers from intercepting this communication and injecting fake DNS records as part of a DNS spoofing attack.
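To make the TSIG mechanism concrete, here is an added example (not code from the article) that computes and verifies the HMAC-SHA256 TSIG MAC for a minimal AXFR request, following the digest layout of RFC 8945: request MAC, then the DNS message, then the TSIG variables. The key name, shared secret and timestamp are constructed for the demo; the example covers the MAC computation only and does not build the TSIG resource record that carries it.

```python
import hashlib
import hmac
import struct

TSIG_ALG = "hmac-sha256."                                   # algorithm name in the TSIG RR
KEY_NAME = "axfr-key.example.com."                          # constructed key name
SHARED_KEY = b"constructed-shared-secret-not-a-real-key"   # constructed, for the demo only


def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of a dotted name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"


def tsig_variables(time_signed, fudge=300, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3): key name,
    class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other."""
    return (name_to_wire(KEY_NAME) + struct.pack("!HI", 255, 0) + name_to_wire(TSIG_ALG)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(key, message, time_signed, request_mac=b""):
    """MAC over: request MAC (present only when signing a response) | DNS message
    (without the TSIG RR) | TSIG variables."""
    return hmac.new(key, request_mac + message + tsig_variables(time_signed), hashlib.sha256).digest()


def tsig_verify(key, message, time_signed, mac, now, fudge=300):
    """Receiver side: reject stale timestamps, then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(mac, tsig_mac(key, message, time_signed))


def build_axfr_request(zone, msg_id=0x1234):
    """Minimal DNS message: 12-byte header plus one question (type AXFR=252, class IN=1)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + name_to_wire(zone) + struct.pack("!HH", 252, 1)


if __name__ == "__main__":
    msg = build_axfr_request("example.com.")
    t = 1554105600                      # constructed "time signed" (seconds since epoch)
    mac = tsig_mac(SHARED_KEY, msg, t)
    print("genuine request verifies:", tsig_verify(SHARED_KEY, msg, t, mac, now=t + 10))
    forged = build_axfr_request("example.org.")   # message altered in transit
    print("altered request verifies:", tsig_verify(SHARED_KEY, forged, t, mac, now=t + 10))
    print("replayed an hour later:", tsig_verify(SHARED_KEY, msg, t, mac, now=t + 3600))
```

Because the MAC covers both the message and the signing time, a transfer message that was altered in transit, signed with a different key, or replayed outside the fudge window is rejected by the receiving server.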
Most importantly, companies must enable DNS security extensions (DNSSEC), which validate DNS responses using digital signatures based on public key cryptography. This means it’s not the DNS queries or responses that are cryptographically signed, but the DNS data, which is signed by its owner. This prevents resolvers from accepting fake DNS information and serving it to end users.
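The following added example (not from the article) shows the chain-of-trust step that makes owner-signed DNS data verifiable: the parent zone publishes a DS record containing the key tag and SHA-256 digest of the child's key-signing DNSKEY, and a validating resolver only trusts the child's signatures if the DNSKEY it receives matches that DS. Key tag and DS computation follow RFC 4034; the owner name and key bytes are constructed and are not real key material.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of a dotted owner name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata):
    """DS the parent publishes for this DNSKEY: (key tag, algorithm, digest type 2 = SHA-256,
    SHA-256(owner name in wire form | DNSKEY RDATA))."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_matches(ds, owner, rdata):
    """The chain-of-trust check a validating resolver performs: does the DS record in the
    parent zone identify this DNSKEY served from the child zone's apex?"""
    return ds[2] == 2 and ds == ds_from_dnskey(owner, rdata)


# Constructed key material: patterned bytes standing in for a public key, not a real key.
OWNER = "example.com."
KSK_FLAGS = 257        # zone key (256) + secure entry point (1)
ECDSAP256SHA256 = 13
REAL_KEY = dnskey_rdata(KSK_FLAGS, ECDSAP256SHA256, bytes(range(64)))
ROGUE_KEY = dnskey_rdata(KSK_FLAGS, ECDSAP256SHA256, bytes(range(1, 65)))

if __name__ == "__main__":
    ds = ds_from_dnskey(OWNER, REAL_KEY)
    print("parent DS:", ds)
    print("legitimate DNSKEY matches parent DS:", ds_matches(ds, OWNER, REAL_KEY))
    print("substituted DNSKEY matches parent DS:", ds_matches(ds, OWNER, ROGUE_KEY))
```

A forged response carrying a substituted DNSKEY (or records signed with one) fails this check, which is why DNSSEC stops resolvers from accepting spoofed data; it does not, however, defend against an attacker who can legitimately change the zone or its DS at the registrar, so the access-control measures described earlier remain essential.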
Addressing the barriers to DNSSEC adoption
There’s no doubt that for the internet to be secure, DNSSEC should be widely deployed, but many companies believe that the risk of attacks prevented by DNSSEC doesn’t warrant the effort and assumed trade-offs of enabling it.
Some DNSSEC implementations struggle to work with advanced traffic routing, or with two or more providers that offer proprietary DNS features, so the key is to find a solution that implements DNSSEC using ‘online signing’, which breaks down these technical barriers. This approach signs DNS responses on the fly, retaining support for all real-time DNS traffic management features.
It allows organizations to continue using DNS to optimize end-user experiences and manage multiple CDN providers, for example, while still ensuring that their zones, and of course their end users, are fully protected against malicious attacks. Following work in an IETF working group, new implementations of DNSSEC can also be configured to work with multiple providers while keeping traffic management features intact.
Recognizing the urgency
Unfortunately, the importance of DNS is all too often overlooked when companies are planning their security strategy. Cyber-criminals are wise to this and are taking advantage of the many websites and online services that lack appropriate or up-to-date protection. They have realized that because DNS is one of the most important means of enabling application delivery and routing internet traffic, it is also a super-critical attack vector.
To protect this essential technology—and in turn, our online services and customers—moving forward, it’s time to push DNS up the security priority list and recognize just how valuable it is.