In our last article, we shared thoughts on how DNS can be used as an effective security control for your organization by functioning as a Firewall. In this article, we step back and focus security landscape as it pertains to DNS. This article is designed to educate and illustrates the complexities of managing your DNS architecture.
Some of the statistical insights will leverage data collected by the International Data Corporation (IDC) and released in their 2021 Global DNS Threat Report. The report interviewed 1,114 across various industries and found that 87% of them had suffered some form of DNS attack in 2021.
Top DNS-Based Attacks
DNS should be considered an essential piece of your security strategy and architecture. It can be used to detect threats, mitigate attacks, and can provide organizations with a way to control devices on a network (i.e., it can be used to find if a device is hacked). It can also be used by bad actors to cause havoc on your network, from siphoning data to performing reconnaissance on your internal network.
Here are a few DNS-based attacks every organization should be aware of if you’re building, and managing, your DNS infrastructure:
|Synonymous with DNS spoofing (a.k.a, DNS cache poisoning, DNS spoofing attack, DNS Phishing). An attack where altered DNS records are using to redirect traffic to malicious sites.
|Attacks that use DNS to distribute malware, often abuse domain names that look alike (e.g., gooqle.com) but direct users to websites hosting malware.
|These attacks turn a few DNS queries into many, amplifying the volume, and using that amplification to attack other targets. It can also be used to disrupt your DNS via similar techniques.
|Also known as DNS redirection, is an attack in which DNS queries are incorrectly resolved and redirect users to malicious sites.
|This type of attack is another form of redirection but is typically focused on the bad actor routing traffic to their Command and Control (C&C). It is also used for data exfiltration.
According to the IDC, the most damaging outcome of DNS attacks was service downtime. In 2021, of the various organizations interviewed, they found that cost of one DNS attack averaged $950k in 2021. It was also reported that it took an average of 5 hours 37 minutes to respond to DNS attacks.
In recent years, there have been a few real-world examples that are worth reviewing and being aware of.
Most recently, was the research conducted by SEC Consult Vienna, in which they identified that 146 web applications were susceptible to vulnerabilities in their DNS resolution. This finding was built on vulnerabilities first identified in 2008, but highlighted the dangerous of cache poisoning attacks. In the scenario they provided, they were able to hijack “forgot password” links to redirect users to the servers they controlled.
Vulnerabilities are also something to be extra aware of. For as old as DNS is, vulnerabilities exist, and one of the most recent came to light in 2021 with the disclosure of tsuName. Put simply, this vulnerability abuses misconfigurations in DNS resolvers to perform Denial of Service attacks against Authoritative DNS servers.
Protecting Your DNS
DNS should be treated as critical infrastructure and be part of your overarching security strategy. Two very important aspects of having an effective DNS security strategy for a self-managed DNS resolver are redundancy and logging.
Here are a few things to consider when working to secure your DNS stack:
|A DNS forwarder is a DNS server that performs DNS queries
on behalf of another DNS server. These forwarders can help offload DNS duties while still working off your main construct.
|Caching-only DNS servers
|A caching-only DNS server is not authoritative for DNS domains. It’s configured to perform recursion or use a forwarder. Internal DNS servers can be configured to use the caching-only DNS server as their forwarders and the caching-only DNS server performs recursion on behalf of your internal DNS servers.
|A DNS advertiser is a DNS server that resolves queries for
domains for which the DNS advertiser is authoritative. What sets the DNS advertiser apart from any other DNS server hosting DNS zone files is that the DNS advertiser answers queries only for domains for which it is authoritative.
|Protecting Against Cache Poisoning
|By default, most DNS servers offer caching. This is usually a design designed to provide optimal performance, but if not managed or protected it can be the root cause of cache poisoning attacks. If you’re unable to manage the cache appropriately we recommend disabling it in the DNS servers.
|Control Access to DNS
|For DNS servers that are used only for internal client queries, configure firewalls to block connections from external hosts to those DNS servers. Consider split-brain operations when managing internal and external requests via your DNS.
Building and managing your own DNS infrastructure should be done in a thoughtful and considerate manner to the various security threats you are exposing your organization too. Be considerate of the above, and the various other vectors not mentioned above.
Alternatively, you can choose to offload your DNS responsibilities to organizations like CleanBrowsing and we take this headache off your hands.
Content Filtering w/CleanBrowsing
CleanBrowsing provides a cost-effective DNS-based Content Filtering service that blocks access to unwanted content like malicious sites and online pornography. Pricing