When planning your security strategy, don’t forget your DNS

Vishnu Borra , Travis Haglund

ground-up view of city buildings

 

Whether they realize it or not, every organization relies on the domain name system (DNS). DNS is what allows people to find your website, shop on your ecommerce app and send you email. It’s a critical service for not only your business, but the internet as a whole.

As such, it makes sense that DNS servers have become a common target for cyber criminals:

  • 82% of companies have experienced a DNS attack in the last year.
  • 63% of companies have experienced application downtime as a result of a DNS attack.
  • Widespread DNS hijacking was reported in 2017 and 2018, targeting multiple sectors across 12 different countries.
  • 80% of malware uses DNS to establish a connection to a Command-and-Control (C2) server in order to steal data and spread malware.

 

If your business relies on blacklisting Fully Qualified Domain Names (FQDNs) alone to combat DNS-based attacks, read on. Malicious actors and attack vectors are becoming more sophisticated — so your security should, as well.

 

Common DNS attack methods

Your DNS servers, themselves, are not always the target of DNS-based attacks. Instead, the functionality of the DNS protocol is commonly exploited, in order to allow an attacker to exfiltrate sensitive data from your environment.

Often, when a user within your network unintentionally visits a malicious site, a piece of malware is installed on the connecting machine. Once the machine is infected, it will leverage DNS to connect to the C2 server in order to receive instructions and act on them. Once an attacker has a foothold in your environment, the potential of malware spreading is greatly increased.

Other leading DNS attack methods include:

  • Domain hijacking: This can involve unauthorized changes to DNS records and/or your domain registrar, which directs traffic away from the original server to a new (often malicious) destination.
  • DNS flood attack: This is a Distributed Denial of Service (DDoS) which affects the availability of DNS servers.
  • DNS spoofing (cache poisoning): Attackers exploit system vulnerabilities and try to inject malicious data into a DNS resolvers’ cache.
  • DNS tunneling: Once a machine is infected, the malware will abuse DNS in order to steal sensitive data and receive instructions from an attacker’s C2 server.

 

A recent DNS breach reported by SecureList illustrates the scope of the challenge:

“In mid-May [2020], Israeli researchers reported a new DNS server vulnerability that lurks in the DNS delegation process. The vulnerability exploitation scheme was dubbed ‘NXNSAttack.’ The hacker sends to a legitimate recursive DNS server a request to several subdomains within the authoritative zone of its own malicious DNS server. In response, the malicious server delegates the request to a large number of fake NS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server queries all of the suggested subdomains, which leads to traffic growing 1620 times.”

 

What makes DNS so vulnerable

The essential nature of DNS functionality within organizations presents many risks for gaps in security:

  • Because internet access is required 24x7, an effort is generally made to ensure that DNS operations are never disrupted, even for security inspections.
  • Most DNS requests are not restricted and are therefore allowed to pass through security devices, creating a potential opening and pathway for attackers to exploit.
  • Some organizations attempt to block DNS attacks by creating a blacklist of “bad domain names.” However, attackers bypass restrictions by using Domain Generation Algorithms (DGA), which allow them to create and rotate thousands of domains to keep the C2 between client and server intact, even if some of the domains are blocked.
  • Manually blacklisting a constantly growing list of malicious domains adds substantial administrative overhead.  

 

How to secure your system against DNS attacks

To address this growing threat, Palo Alto Networks launched a new feature called DNS Security, which is used in combination with the anti-spyware functionality provided through the Threat Prevention license. This feature uses a cloud service that is updated in real-time from various feeds in order to detect traffic to known-malicious domains, as well as domains which were created from a Domain Generation Algorithm (DGA).

The DNS Security feature takes valuable information about known-malicious domains from multiple trusted threat-intelligence feeds and combines it with machine learning and predictive analysis in order to dynamically identify and block access to domains created by DGAs.

When a client sends a request to a malicious domain, the Palo Alto Next-Generation Firewall (with DNS Security configured) intercepts the traffic and compares the DNS request with information within the cloud database. If the request shows up in the cloud database as malicious, or if DNS tunneling is suspected, the DNS request can be automatically dropped. This not only allows the connection to be stopped, but also lets an analyst know that there is a device on the network that may require further investigation.

 

Lean on our experts

We can help you take control of your DNS, through our free DNS management service — included with every cloud account. Learn more about DNS services at Rackspace Technology and our complete range of security solutions.

 

Protect your business, with help from our experts.