
Protecting the “Internet’s address book”: mitigating against DNS attacks


The domain name system (DNS) performs the fundamental job of keeping the Internet running by mapping readable domain names to IP addresses. Earning its title as the “Internet’s address book”, it processes hundreds of trillions of DNS queries (or more!) a day to guide web traffic in the right direction.

Given its key role in making today’s online services run smoothly, it is unsurprising that DNS is an increasingly appealing target for malicious actors. With digital services being relied upon more than ever before amid ongoing national lockdowns, there are growing concerns around DNS security. 

In fact, recent research from the Neustar International Security Council (NISC) found that three in five organizations had fallen victim to a DNS attack in the last 12 months, with Neustar’s Security Operations Centre (SOC) also highlighting a similar trend. Even though many boosted their defenses to prepare for heightened attack levels during the peak retail period last year, over a quarter said they still have reservations around their ability to respond to DNS attacks. 

These concerns can largely be attributed to the constantly evolving and expanding DNS threat landscape, including the wide range of attacks that exist today – domain hijacking, DNS spoofing/cache poisoning and DNS tunneling. As such, it is vital that organizations take proactive steps to build awareness of, and protect themselves against, the different domain-related attacks.

An attractive target  

As DDoS and other ‘brute force’ attacks rightfully continue to grab the headlines, businesses have been guilty of overlooking DNS security in the past. Just last year, for example, a vulnerability was discovered in Windows DNS, which had existed for 17 years.

Understanding how hackers can use vulnerabilities like these to wreak havoc on an organization’s security posture is a critical first step. 

DNS servers answer requests for IP addresses and domain names from anyone authorized to query them. Not only that, DNS query/answer processes have the ability to share small amounts of data between systems. Cybercriminals capitalize on these qualities to use tactics such as DNS tunneling to execute malware commands and steal data.

DNS threats: a closer look 

From hijacking to tunneling, there are a few common ways a hacker will look to target an organization’s DNS. When successful, these attacks can have damaging repercussions to a brand’s online presence and reputation. 

DNS hijacking  

DNS hijacking is a good example of how severe DNS attacks can get. According to recent data from the NISC, it’s the threat that the cybersecurity community is most concerned about. This is most likely because it can result in hackers taking control of a company’s domain and using it to host malware or launch phishing campaigns that evade spam filters and other reputational protections. In a worst-case scenario, this type of attack can even lead to unauthorized transactions that can decimate an organization’s financial status, their production capability, and even lead to an organization losing control of its domain altogether. 

The steep rise in DNS queries from remote employees has exacerbated this issue. Whereas business networks are generally secure, home networks can leave less tech-savvy employees open to DNS exploits. As a result, hackers can gain access to unsecured home routers and alter DNS settings, redirecting unsuspecting users to malicious sites. Believing they are on a trusted website, the victim can then give away sensitive information, or even allow a cybercriminal to remotely access their company’s infrastructure. 

There are a number of simpler techniques used to achieve the same end goal as DNS hijacking. DNS spoofing and cache poisoning, for instance, are frequently used to redirect traffic to bad websites. Unlike hijacking, however, hackers will then overwrite local DNS cache values or records with fake ones.

DNS tunneling 

Another way an attacker can breach a DNS is through tunneling. This method is perhaps the most persistent of all DNS threats, having been around for two decades. It consists of hackers hiding data within DNS queries sent to a server. These are able to evade firewalls and other security measures that block malicious traffic given that DNS requests are generally allowed to pass through. For this reason, it is an easier tactic for gaining unauthorized access to internal systems. 

There are a number of ways attackers use DNS tunnels to infiltrate organizations. Command-and-control activities are one example and involve attackers implanting malware, such as remote access Trojans, into a device and using it to run commands. DNS tunnels can also be used for data exfiltration, whereby bad actors encode a company’s information into a large number of DNS responses. More often than not, this technique flies under the radar of an organization’s protective measures.

Unfortunately, DNS tunneling is a growing trend, mainly because it’s so accessible. Tunneling toolkits are widely available in hacker forums and on YouTube, meaning anyone with a computer and an Internet connection can execute it. However, it is not just beginners using the technique; sophisticated groups also specialize in tunneling. The OilRig threat group, for instance, uses it for command-and-control communications with infected hosts, infiltrating more than 90 organizations worldwide already.

Guarding against DNS attacks 

Despite DNS threats being on the rise, there are a few key ways security teams can protect their businesses. Frequent DNS audits and monitoring are a necessity, alongside a deep understanding of all DNS traffic and activity. 

Thorough monitoring is also the last line of defense for an organization, and DNS data can be used to provide valuable information about attacks. This goes beyond just protecting against DNS attacks. Given that DNS protocols are often the first vector a cybercriminal will attack before attempting to breach a system, spotting that a hacker has interacted with malware through a DNS backdoor can help uncover suspicious activity. With these DNS insights security teams can pinpoint what has been compromised and address the issue quicker.
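One way to put this monitoring into practice against the tunneling pattern described earlier, as an added example rather than code from the article or from Neustar: a Python script that flags clients sending many distinct, long, high-entropy subdomains to a single parent domain. The log entries, IP addresses, domain names, helper names and thresholds are all constructed assumptions.

```python
import base64, hashlib, math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname, parent_labels=2):
    """Assumption: the registered domain is the last two labels.
    Production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-parent_labels:]), "".join(labels[:-parent_labels])

def find_tunnel_suspects(log, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, parent domain) pairs that query many distinct, long,
    high-entropy subdomains: the footprint of data hidden in query names."""
    seen = defaultdict(set)
    for client, qname in log:
        parent, sub = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)
    suspects = []
    for (client, parent), subs in sorted(seen.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": parent, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return suspects

def opaque_label(i):
    """Constructed stand-in for an encoded chunk: 40 base32 characters."""
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()[:25]).decode().lower()

# Constructed sample log of (client IP, queried name); not real traffic.
SAMPLE_LOG = (
    [("10.0.0.23", f"{opaque_label(i)}.sync-zone.example") for i in range(6)]
    + [("10.0.0.23", "www.intranet.example"), ("10.0.0.23", "mail.intranet.example")]
    + [("10.0.0.41", f"host{i}.cdn.example") for i in range(6)]   # many names, but short
    + [("10.0.0.57", f"{opaque_label(99)}.verify.example")]       # long, but only one
)

if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE_LOG):
        print(hit)
```

Requiring all three signals together keeps ordinary traffic, such as a CDN with many short hostnames or a single long verification record, out of the results; the thresholds need tuning against a baseline of the organization's own DNS logs.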

Crucially, DNS data can provide organizations with timely, actionable and important threat insights, allowing them to not only protect against DNS-related threats, but also mitigate the vast majority of malware, viruses and suspicious content before critical systems are infiltrated.

Rodney Joffe, SVP and Fellow, Neustar
