What is DNS Security?
When most people use the Internet, they use domain names to specify the website that they want to visit. However, computers use IP addresses to identify different systems connected to the Internet and route traffic through the Internet. The Domain Name System (DNS) is the protocol that makes the Internet usable by allowing the use of domain names.
DNS is widely trusted by organizations, and DNS traffic is typically allowed to pass freely through network firewalls. However, it is commonly attacked and abused by cybercriminals. As a result, the security of DNS is a critical component of network security.
How DNS is Used in Attacks
DNS can be used in attacks in different ways. Some threats target the DNS infrastructure itself:
- Distributed Denial of Service (DDoS): DNS infrastructure is essential to the functioning of the Internet. DDoS attacks against DNS can make websites unreachable by saturating the networks of the DNS servers that serve them with what looks like legitimate traffic, leaving those servers unable to respond. A classic example of this is the 2016 DDoS attack against Dyn, where an army of bots hosted on Internet-connected cameras caused outages at many major websites, including Amazon, Netflix, Spotify, and Twitter.
- DNS DDoS Amplification: DNS uses UDP for transport, which means that an attacker can spoof the source address of a DNS request and have the response sent to an IP address of their choosing. Additionally, DNS responses can be much larger than the corresponding requests. DDoS attackers take advantage of these factors to amplify their attacks by sending a small request to a DNS server and having a massive response transmitted to the target.
- Denial of Service (DoS) Attacks: In addition to network-based DDoS attacks, the applications that run on DNS servers can also be targeted by DoS attacks. These attacks exploit vulnerabilities in the DNS server software itself to render it unable to respond to legitimate requests.
DNS can also be abused and used in cyberattacks. Examples of the abuse of DNS include:
- DNS Hijacking: DNS Hijacking refers to any attack that tricks a user into thinking they are connecting to a legitimate domain while they are actually connected to a malicious domain. This can be accomplished using a compromised or malicious DNS server or by tricking a DNS server into storing incorrect DNS data (an attack called cache poisoning).
- DNS Tunneling: As DNS is a trusted protocol, most organizations allow it to freely enter and leave their networks. Cybercriminals take advantage of this for data exfiltration, using malware whose DNS requests carry the data being exfiltrated. Since the authoritative DNS server for a domain is controlled by whoever owns that domain, attackers who register a domain for this purpose ensure that the data reaches a server they control, where it can be processed and a reply sent back inside the DNS response packet.
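The detection side of the tunneling abuse described above, as an added example (not code from the original article): a small Python check that scans constructed resolver log lines and flags registered domains that receive many distinct, payload-looking subdomains (long or high-entropy labels), while leaving ordinary hostnames such as www or mail alone. The log format, thresholds and the two-label "registered domain" shortcut are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (timestamp, client, query name, type); not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.9 a3f9c2e1b7d4f8a0c1e2d3f4a5b6c7d8.exfil.example.net TXT
2024-01-01T10:00:04 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.exfil.example.net TXT
2024-01-01T10:00:05 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil.example.net TXT
2024-01-01T10:00:06 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character: hostnames like 'www' score low, encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    """Last two labels. Simplification: a real deployment would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_label(label, min_len=30, min_entropy=3.0):
    """A single label that is unusually long or high-entropy looks like an encoded payload."""
    return len(label) >= min_len or shannon_entropy(label) >= min_entropy

def find_tunneling(log_text, min_unique=3):
    """Return {domain: {"unique_subdomains": n, "clients": [...]}} for domains over threshold."""
    payloads, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        reg = registered_domain(qname)
        sub = qname[: -len(reg) - 1] if qname != reg else ""   # everything left of reg
        if sub and any(suspicious_label(lbl) for lbl in sub.split(".")):
            payloads[reg].add(sub)      # distinct payload-looking subdomains per domain
            clients[reg].add(client)
    return {d: {"unique_subdomains": len(s), "clients": sorted(clients[d])}
            for d, s in payloads.items() if len(s) >= min_unique}

if __name__ == "__main__":
    for domain, info in find_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunneling to {domain}: {info}")
```

Three unique subdomains under example.com (www, mail, cdn) are not flagged because their labels are short and low-entropy; the three 32-character hex labels under example.net are.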
The Importance of DNS Security
DNS is an old protocol, and it was built without any integrated security. Several solutions have been developed to help secure DNS, including:
- Reputation Filtering: Like any other Internet user, most malware needs to make DNS requests to find the IP addresses of the sites that it is visiting. Organizations can block or redirect DNS requests to known malicious domains – based on threat intelligence – to stop users from visiting dangerous sites or malware from communicating with its operator.
- DNS Inspection: The use of DNS for data exfiltration (via DNS tunneling) and other malicious activities can be detected and blocked by an intrusion prevention system (IPS) integrated into a next-generation firewall (NGFW). This helps to block the abuse of DNS for malware command and control and other attacks.
- Secure the Protocol: DNSSEC adds authentication to DNS responses by digitally signing DNS records. Because a validating resolver can detect and reject a spoofed or modified response, attackers cannot use forged DNS data to send users to malicious sites.
- Secure the Channel: DNS over TLS (DoT) and DNS over HTTPS (DoH) add a secure layer on top of an otherwise unencrypted protocol. They ensure that requests are encrypted and the resolver is authenticated, unlike traditional DNS. By using DoH or DoT, a user can keep DNS responses private and block eavesdropping on their DNS requests (which reveal the sites they are visiting).
Analytics, Threat Intelligence and Threat Hunting
Monitoring your DNS traffic can be a rich source of data for your Security Operations Center (SOC) teams as they monitor and analyze your company's security posture. In addition to monitoring firewalls and IPSs for DNS Indicators of Compromise (IoCs), infected hosts, or DNS tunneling attempts, SOC teams can also be on the lookout for lookalike domains.
These solutions can help organizations protect DNS infrastructure and detect DNS-based attacks. Next-generation firewalls detect malicious traffic and DNS tunneling attacks via reputation filtering and IPS DNS tunneling protections. In addition, we can empower SOC teams to research IoCs and find lookalike domains to protect against cyber threats such as phishing attacks that exploit DNS.
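The lookalike-domain hunting mentioned above, as an added example (not code from the original article): a Python classifier that compares the second-level label of an observed domain against an organization's own domains and reports the kind of resemblance (TLD swap, homoglyph substitution, one-edit typosquat, or the brand embedded in a longer name). The own-domain list, the homoglyph table and the edit-distance threshold are assumptions.

```python
# Constructed list of the organization's own domains (hypothetical).
OWN_DOMAINS = ("example.com", "examplebank.com")

# Character sequences that imitate other letters in many fonts (source -> what they imitate).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(label):
    """Fold confusable sequences to the letters they imitate, e.g. 'exarnple' -> 'example'."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition ('exmaple') as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]

def classify_lookalike(candidate, own_domains=OWN_DOMAINS, max_dist=1):
    """Return why `candidate` resembles one of our domains, or None if it does not."""
    fqdn = candidate.lower().rstrip(".")
    if fqdn in own_domains:
        return None                       # our own name is not a lookalike
    parts = fqdn.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # second-level label
    for own in own_domains:
        brand = own.split(".")[0]
        if label == brand:
            return "tld_swap"             # example.net for example.com
        if normalize(label) == normalize(brand):
            return "homoglyph"            # exarnple.com, examp1e.com
        if osa_distance(label, brand) <= max_dist:
            return "typosquat"            # exmaple.com, exampl.com
        if brand in label:
            return "brand_embedded"       # example-login.com
    return None

def scan(domains):
    """Map each flagged domain to its reason; domains that raise no flag are omitted."""
    return {d: r for d, r in ((d, classify_lookalike(d)) for d in domains) if r}
```

Feed `scan` a list of newly observed domains (from DNS logs or a registration feed) and triage the hits; exact-match brand names with a different TLD are the cheapest to register and the most common.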