Have you ever been stuck in a situation where you had to call one of your loved ones – a family member or significant other – but you did not have your mobile phone with you and so had to use someone else’s phone? If your answer is “Yes!” and you did not remember their phone number, you should not feel bad about yourself as most of us do not know any of the numbers we have conveniently saved on our devices by heart.
Applying a similar scenario to the cyber world, imagine if you had to remember and type in a specific sequence of numbers every time you wanted to visit a website. How inconvenient and impractical would that be? That is where the DNS protocol comes into play to make life easier for us.
What is DNS?
Short for Domain Name System, DNS is the standard communication protocol on the internet. It converts human-readable domain names to numerical Internet Protocol (IP) addresses that enable network infrastructure components to identify and interact with one another. In that sense, DNS can be said to function like a phonebook that facilitates users’ ability to access the internet by providing easy-to-remember names for internet-based services. The DNS system consists of multiple interconnected and hierarchical DNS servers that work together to ensure reliable and efficient name resolution. Records of the DNS queries and responses exchanged between devices across a network are known as DNS logs; they contain valuable information such as the requested domain name, the source IP address, the type of query, and the timestamp recorded by the DNS server. Apart from that, DNS performs several other crucial functions such as load balancing, which helps distribute traffic load across multiple servers to allow the smooth and reliable performance of websites and services.
What is DNS security?
DNS security relates to all the protection measures that involve the DNS protocol. DNS was born in the early days of the internet when security threats were scant and DNS traffic was allowed to pass freely through network firewalls. However, as the number of internet users and networks grew, so did the popularity of DNS in the eyes of malicious actors as an attack vector that could be exploited to compromise network security and deceive users into divulging personal information. In what follows, various DNS-based vulnerabilities will be discussed in more detail.
Why is DNS security important?
Given the history of how DNS was invented and its crucial role in the proper functioning of network components, it is little wonder that DNS security threats are among the most common types of cyber threats that occur today. However, when combined with appropriate security measures, DNS can be turned into a powerful layer of defence against cyber threats by allowing users to filter and monitor traffic for any anomalies indicating suspicious activities such as phishing and malware attacks. The last point has significant implications for network security in that it views DNS as an invaluable asset, rather than a liability, that can be utilised to stay one step ahead of malicious actors. Active DNS security, therefore, empowers users to identify and fend off DNS-based threats and should be an integral part of any organisation’s security plan.
What makes DNS a tempting attack target?
The wealth of data embedded in DNS logs is the primary reason that lures cybercriminals to DNS, who use it to exfiltrate sensitive data. Another factor is the wide attack surface that DNS provides. DNS is a distributed system containing numerous components, each presenting malicious actors with potential and unique attack vectors to exploit. In recent years, with the onset of a major global pandemic and the ensuing hybrid work models, these exploitations have only been exacerbated by the expansion of the attack surface as a result of increased cloud usage and misconfigurations.
The format in which DNS messages are typically transmitted, i.e., plain unencrypted text, also makes them susceptible to interception and manipulation by threat actors. DNS spoofing attacks (see below) are carried out by exploiting this very weakness.
Over the years, new encryption techniques were developed to improve DNS security. This soon proved to be a double-edged sword as cybercriminals began capitalising on this extra security layer to obfuscate malicious DNS-based traffic, making DNS attacks even harder to detect than before.
Common attacks on the DNS protocol
Since its inception, DNS has been exploited by cybercriminals in a variety of ways. According to the IDC’s 2022 Global DNS Threat Report, 88% of organisations experienced a DNS attack in the previous year, with 7 attacks and a $942k damage cost on average per organisation. The same report reveals an increase in the number and size of all types of DNS-based attacks compared to 2021 and calls for a more robust DNS security approach by organisations. Common attacks targeting the DNS protocol include:
- DNS Spoofing: Also known as DNS Cache Poisoning, this is a type of cyberattack where a piece of DNS server data is altered to redirect users to fake websites. This is done by attackers sending forged DNS responses to a DNS resolver or server. These fraudulent responses contain information that maps the requested domain to a false IP address, thus directing users to malicious websites or servers.
- DNS Amplification Attack: This is a type of Distributed Denial-of-Service (DDoS) attack in which the attacker first spoofs the source IP address of the DNS query and then sends a large number of queries to open DNS resolvers, overwhelming the target with an abundance of traffic and causing network disruption.
- DNS Hijacking: Also known as DNS Redirection, it refers to a form of attack where the DNS settings of a domain name are manipulated in such a way that redirects legitimate DNS queries to a destination of the attacker’s choice.
- DNS Tunnelling: In this type of attack, malicious code or other data is encapsulated into DNS queries and responses to bypass firewalls and other security measures.
These major DNS attacks come in various sub-types. DNS amplification attacks, for instance, may target specific components such as physical servers, load balancers, or other network equipment, i.e., protocol attacks, or they may be directed at distinct vulnerabilities within web servers, i.e., application layer attacks.
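The amplification attack described above relies on resolvers that answer recursive queries for anyone. As an added example that is not part of the original article, the following two BIND 9 named.conf fragments contrast that weak configuration with one that limits recursion to internal clients and enables Response Rate Limiting; the address ranges are assumed placeholders for an organisation’s own networks.

```conf
// WEAK: an open resolver that will answer recursive queries from any source
options {
    recursion yes;
    allow-recursion { any; };
};

// HARDENED: recursion and cache access only for internal clients (assumed ranges),
// plus Response Rate Limiting so a spoofed source cannot be flooded with replies
options {
    recursion yes;
    allow-recursion   { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    allow-query-cache { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    rate-limit {
        responses-per-second 10;  // identical answers per client /24 per second
        window 5;                 // seconds over which the limit is averaged
    };
};
```

An authoritative-only server should instead set `recursion no;`, since it never needs to resolve names on behalf of clients.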
Mitigating DNS-based threats
Regardless of their type and severity, DNS attacks can be restrained with the right security measures in place. Some common approaches to mitigating DNS-backed threats include:
- DNSSEC (DNS Security Extensions): DNSSEC is a set of security extensions that use cryptographic digital signatures to validate DNS data before it is returned to the client device, ensuring its authenticity and integrity.
- DNS Filtering: This refers to the practice of blocking access to selected websites and services deemed malicious or unwanted at the DNS level. It is typically done by comparing a DNS query with a built-in or customised set of blacklisted domains or IP addresses. If there is a match, the domain is not resolved and access is prevented.
- Multi-Factor Authentication (MFA): It is a security measure that allows users to verify their identity using more than the traditional username-password combination. MFA is especially critical to implement in the settings of an organisation’s security solutions as it prevents networks and equipment from being compromised even if malicious actors manage to hack the associated usernames and passwords.
- Threat Intelligence Feed (TIF): A TIF is a continuous stream of up-to-date data on emerging threats that can adversely affect network security. By deploying a TIF in their armoury, organisations can promptly detect vulnerabilities and enhance their cybersecurity defences.
It is worth noting that the above measures are most effective when applied in combination, meaning a single-faceted security approach to DNS will probably fall short of safeguarding an organisation’s infrastructure against DNS-based risks. Yet, this is easier said than done. Conventional cybersecurity solutions such as Data Loss Prevention (DLP) tools, Next-Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPSs) are inadequate at identifying and deterring most DNS-based attacks. This is because well-organised cyber-attacks are normally obfuscated and cannot be mapped to a specific IP address generating the malicious traffic. For instance, 85% of malware domains are not linked to a direct IP address. Similarly, malware created using Domain Generation Algorithms (DGAs) cannot be traced back to the corresponding IP address of their command and control (C&C) servers. In situations involving IP-less malicious traffic, the only hope of detecting and blocking the ensuing attack is through DNS log analysis.
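To make the DNS filtering and DNS log analysis described above concrete, here is an added example (not code from the original article or from DNSSense) that parses constructed DNS log lines, blocks names whose domain or parent domain is on a blocklist, and flags the long, high-entropy TXT queries that characterise the tunnelling attacks listed earlier. The log format, the blocklist and the thresholds are all assumptions for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines: timestamp, client IP, query name, query type.
# This simple space-separated format is assumed, not any resolver's native log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 www.example.com A
2024-05-01T09:00:02Z 10.0.0.12 bad-domain.example A
2024-05-01T09:00:03Z 10.0.0.31 mail.example.com MX
2024-05-01T09:00:04Z 10.0.0.44 a9f3e1c77b2d0e4f5a6b7c8d9e0f1a2b.t.exfil.example TXT
2024-05-01T09:00:05Z 10.0.0.44 3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.t.exfil.example TXT
2024-05-01T09:00:06Z 10.0.0.44 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.t.exfil.example TXT
"""

# Constructed blocklist standing in for a threat intelligence feed.
BLOCKLIST = {"bad-domain.example", "exfil.example"}

def parse_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2].lower().rstrip("."), parts[3]

def is_blocked(qname):
    """DNS filtering: block a name if it, or any parent domain, is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_tunnelling(qname, qtype):
    """Heuristic: TXT queries whose leftmost label is long and high-entropy
    resemble data encoded into DNS rather than a name a human would type."""
    first = qname.split(".")[0]
    return qtype == "TXT" and len(first) >= 24 and shannon_entropy(first) > 3.5

def analyse(text):
    """Return the blocked query names and, per client, the count of tunnelling-like queries."""
    blocked, suspects = [], defaultdict(int)
    for _, client, qname, qtype in parse_log(text):
        if is_blocked(qname):
            blocked.append(qname)
        if looks_like_tunnelling(qname, qtype):
            suspects[client] += 1
    return blocked, dict(suspects)
```

Real deployments would feed the blocklist from a threat intelligence feed and tune the length and entropy thresholds against a baseline of the organisation’s own traffic, since legitimate services (CDNs, anti-spam lookups) also generate long labels.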
Common DNS Security Mistakes to Avoid
DNS plays a pivotal role in the infrastructure of every digital business, underscoring the need for organisations to adhere to best practices in DNS management. Ensuring the integrity of digital operations requires a proactive approach to avoid common DNS security pitfalls:
1. Neglecting High Availability Architecture
Relying solely on a single DNS provider can render your domain susceptible to outages, attacks, or configuration errors. To bolster redundancy and resilience, it is advisable to utilise two or more DNS providers.
2. Failing to Keep DNS-related Software Up to Date
This principle extends beyond DNS to all systems. Outdated software versions tend to harbour configuration issues and vulnerabilities, making them prime targets for cybercriminals.
3. Not Using DNSSEC
DNSSEC is an essential extension of the Domain Name System. It guards against unauthorised alterations to DNS records, ensuring the authenticity of domain identities. DNSSEC also verifies the source of queries before responding, providing robust protection against attacks.
4. Permitting DoH
DNS over HTTPS, or DoH, should be restricted within enterprise networks. When DNS queries are transmitted via HTTPS, conventional DNS security mechanisms cannot inspect the traffic due to encryption. Nonetheless, there are specific use cases, primarily for internet users on public networks, where DoH may be suitable.
5. Neglecting DNS Traffic Monitoring
DNS lies at the core of your business operations and represents a critical point that requires meticulous oversight and control.
6. Failing to Implement IPS-Level DDoS Protection
Organisations often encounter difficulties when attempting to fend off DDoS attacks independently, especially in the case of high-volume attacks. It is advisable to leverage Intrusion Prevention System (IPS) providers or third-party service providers, such as Cloudflare, to effectively safeguard against these threats.
DNSSense: the all-seeing DNS Security Suite
DNSSense unlocks the true potential of the DNS protocol for threat detection and prevention. Cyber X-Ray, the unique dynamic cyber threat intelligence and domain categorisation tool created at DNSSense, provides the powerful AI-driven engines that also drive the company’s two other security solutions, namely DNSEye and DNSDome. What follows is a summary of the value DNSSense’s products bring to organisations of all sizes.
DNSEye: actionable intelligence from DNS traffic
As described earlier, DNS traffic is challenging to process for threat detection and mitigation. Combining this understanding with the absolute necessity of DNS analysis for network security and integrity, it becomes evident how the lack of a robust DNS security tool on an organisation’s network can have far-reaching consequences, such as the risk of becoming a victim of data exfiltration attacks, botnet operations, and other malicious activities. DNSEye addresses these concerns by providing actionable insights through deep and comprehensive analysis of DNS logs.
Leveraging AI-based threat intelligence and machine learning algorithms, DNSEye improves overall cybersecurity operations by enabling analysts to perform detailed investigations, pinpointing individual client machines as well as rogue applications generating suspicious DNS traffic.
Why choose DNSEye?
- Unrivalled Protection for the Whole Network: DNSEye acts as the first line of defence in your network against suspicious activities. With automated data collection and correlation from various sources including DNS infrastructures, endpoints, Dynamic Host Configuration Protocol (DHCP), and directory services, DNSEye offers unparalleled visibility into your DNS traffic.
- Rapid Deployment and Compatibility: DNSEye is highly scalable and can be deployed within minutes, requiring no changes to the existing network structure. It is compatible with all types and brands of DNS server, and data is collected from multiple sources with minimal fuss.
- Comprehensive DNS Traffic Insights: DNSEye exposes DNS layer cyber-attacks, generating unique actionable reports on outbound DNS traffic. Important insights, including first-time visits and DNS traffic anomalies, help cyber security teams proactively identify and address potential threats earlier in the kill chain.
- Smart SIEM Integration: By offering smart SIEM integration, DNSEye generates real-time actionable intelligence and streamlines security operations. DNSEye enables SOC teams to effectively handle large DNS traffic volumes without increasing SIEM license costs, allowing security teams to maximise the value of their investments.
Upon detecting malicious DNS activity, DNSEye identifies threats that may have been missed by other security solutions, enabling security teams to make adjustments if necessary. As a result, DNSEye demonstrates significant added value, and ultimately enhances the overall security.
DNSDome: more than a DNS firewall
DNSDome is a comprehensive cloud-based solution that focuses on early detection and mitigation of cyber-attacks. It leverages AI-based threat intelligence to defend networks against sophisticated threats.
Simple to implement yet highly effective, DNSDome provides instant protection for networks, applications, and users against a wide range of threats including DNS tunnelling, ransomware, spam, advanced phishing, malware, and zero-day attacks.
Why choose DNSDome?
- No Agents or Installation Required: DNSDome can be deployed in just 5 minutes without changing your network topology or the need for installation or agents.
- Real-time Threat Detection: Using heuristic methods and machine learning algorithms, DNSDome detects anomalies in DNS queries and blocks tunnelling attacks in real time before they can cause any damage.
- Industry-leading Domain Intelligence: Leveraging historical data and employing a contextual approach, Cyber X-Ray delivers rapid and accurate intelligence for both known and first-seen domains.
- Enhanced Protection for Remote Workers: With DNSDome, protection for corporate employees and resources can be easily extended to remote workers, ensuring the same level of effective security.
In summary, DNSSense’s solutions help organisations achieve maximum efficiency in terms of DNS configuration and management by providing real-time monitoring and alerting, network performance metrics, DNS resolution time tracking, historical data analysis, and easy integration with other monitoring tools, making them an indispensable part of any organisation’s security plan.
Best practices for DNS configuration and management
Proper DNS configuration and management are critical for maintaining a secure and reliable network infrastructure. The following are some guidelines that can help organisations adopt an optimal DNS security strategy:
- Strong Access Controls: Organisations should ensure that DNS management systems are only accessible to authorised individuals. MFA methods are, therefore, a must when configuring network administrative access.
- Regular Updates: DNS servers and other network components need to be updated and patched regularly to ensure the latest security fixes are in place.
- Secure Protocols: Secure DNS protocols such as DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) should be used to encrypt DNS traffic and improve privacy.
- Redundancy and Load Balancing: Multiple DNS servers should be configured across different time zones to provide resilience and availability. Use different physical locations and network segments for each DNS server to reduce the risk of a single point of failure.
- DNS Traffic Monitoring: Implement traffic monitoring and logging mechanisms to detect anomalies or spikes in DNS requests.