Domain name system (DNS) technology has always been an essential part of internet communications. As DNS exploits evolve, however, attacks are getting more potent and sophisticated, and countermeasures have been slow to neutralize the harm that DNS attacks can do. But now DNSSEC, a new suite of security extensions to the protocol, promises to improve DNS security by proving that no one has tampered with query results.
An Unlucky Combination
How many times have you sat down, typed in an internet address, and hit ENTER? With hardly a thought on your part, you’re looking at your destination in just a fraction of a second. The (usual) ease of this task depends on DNS.
The DNS protocol translates the domain name in a URL into an IP address. Turning data that humans understand into something that computers can use makes DNS an essential part of IT and business operations. Without domain name services, humans can’t access websites.
Unfortunately, DNS is vulnerable to many types of attacks, which makes it a prime target for cyberattackers, who successfully deploy DNS-based exploits against an organization’s IT infrastructure. But why does DNS take such a beating from bad actors, near and far?
Why DNS Servers Are So Easy to Hack
There are several reasons why DNS technology is vulnerable to attack:
- DNS infrastructure gets little attention from security team members. As a result, DNS software seldom gets updated. As DNS-based cyberattacks continue to evolve, dated DNS software is no match for sophisticated attacks.
- There’s no way to distinguish good addresses from bad ones. DNS infrastructure can’t evaluate whether the IP addresses in queries and responses are legitimate or harmful. Bad actors exploit unprotected infrastructures by designing attacks that use false queries and responses.
- It’s easy for hackers to penetrate DNS infrastructure. Many firewalls don’t inspect the ports on which DNS servers receive queries. This weakness gives anyone entry into DNS services.
- DNS services provide cover for hackers. To maintain high-speed performance, DNS infrastructure uses a stateless protocol. This design approach makes it attractive to hackers, who launch attacks on DNS servers while hiding their identity.
Security countermeasures have evolved to prevent abuse of DNS traffic and command and control functions. However, DNS-based cyberattacks continue to evolve and often outmatch software security capabilities. But how did they evolve, and what are the consequences to modern business and IT infrastructures?
Cyber Mayhem, the Next Generation
Although DNS servers have been around for almost 40 years, many of us first noticed the serious damage that DNS attacks can do less than 10 years ago, in October 2016, when the Dyn cyberattack occurred. This mega-exploit consisted of three distributed denial of service (DDoS) attacks focused on systems operated by Dyn, a New Hampshire-based DNS provider. Based on the Mirai botnet, the attack put private and government internet services and platforms in Europe and North America out of commission for about 11 hours.
That was the headline-grabbing event, but companies and government agencies have had to fight off other DNS-related exploits, such as DNS amplification, reflection, and poisoning attacks.
Today’s Grim Reality
Times change, and so has the breed of next-generation DNS attacks. Their focus has shifted from bot-mediated command and control tactics to high-speed domain switching. Here are some examples.
- DNS tunneling. Attackers route queries to a tunneling program, which carries the exploit’s command and control traffic. From inside the tunnel, hackers exfiltrate stored data or execute other malicious exploits.
- Domain generation algorithms. These algorithms let malware generate a list of domains that provide instructions to, and receive information from, the malware. The goal: switch domains quickly, before security software and specialists can take down the malicious ones.
- Fast flux attacks. Attackers assign several IP addresses to each malicious domain name and rotate through them in quick succession to evade IP-based controls. This tactic makes it difficult for threat hunters to pin down the address locations.
- Malicious newly registered domains. NRDs are domains that have been registered within the past 33 days. Attackers often register slight variations of real domains to trick users into clicking them. Malicious NRDs are usually hard to detect because they stay active only briefly.
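The detection side of the tunneling and DGA cases above, as an added example in Go that is not code from the original article: it pulls the question name out of a raw DNS query packet, the way an inline inspector watching the DNS port would, and then applies length, entropy and label-count heuristics to the name. The packet builder, the sample query names and the thresholds are all constructed for this example, and the public suffix is assumed to be a single label (a real tool would consult a public suffix list so that names under co.uk and similar suffixes are measured correctly).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"strings"
)

// parseQueryName extracts the first question name from a DNS message in
// wire format (RFC 1035 section 4.1). A query carries no compression
// pointers in its question section, so a pointer byte is rejected.
func parseQueryName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", errors.New("message shorter than the 12-byte DNS header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return "", errors.New("QDCOUNT is zero: no question present")
	}
	var labels []string
	pos := 12
	for {
		if pos >= len(msg) {
			return "", errors.New("truncated question name")
		}
		l := int(msg[pos])
		if l == 0 {
			break // the root label terminates the name
		}
		if l&0xC0 != 0 {
			return "", errors.New("compression pointer in question name")
		}
		pos++
		if pos+l > len(msg) {
			return "", errors.New("label runs past end of message")
		}
		labels = append(labels, string(msg[pos:pos+l]))
		pos += l
	}
	return strings.Join(labels, "."), nil
}

// buildQuery assembles a minimal A query for name. This is constructed
// sample input so the example runs offline; an inspector reads real packets.
func buildQuery(name string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], 0x1234) // transaction ID
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // flags: RD=1
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT
	for _, label := range strings.Split(name, ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)          // root label
	msg = append(msg, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return msg
}

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts, n := map[rune]int{}, 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// Score is the heuristic verdict for one query name.
type Score struct {
	Name       string
	BodyLen    int     // characters in every label except the public suffix
	Entropy    float64 // entropy of those characters
	Reasons    []string
	Suspicious bool
}

// scoreName applies the heuristics. Thresholds are illustrative assumptions;
// the public suffix is assumed to be the last label only.
func scoreName(name string) Score {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	body := strings.Join(labels[:len(labels)-1], "")
	s := Score{Name: name, BodyLen: len(body), Entropy: entropy(body)}
	if s.BodyLen > 50 {
		s.Reasons = append(s.Reasons, "very long name: possible tunneling payload")
	}
	if s.BodyLen >= 12 && s.Entropy > 3.5 {
		s.Reasons = append(s.Reasons, "high-entropy labels: possible encoding or DGA")
	}
	if len(labels) > 5 {
		s.Reasons = append(s.Reasons, "unusually many labels")
	}
	s.Suspicious = len(s.Reasons) > 0
	return s
}

// constructedQueries stands in for names seen in a DNS query log.
var constructedQueries = []string{
	"www.example.com",
	"mail.example.com",
	"xqw7kz9pmt4vbnrh.com", // DGA-like: random-looking second-level label
	"3d3a2f6c7e8b9a0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b.t.example.com", // tunneling-like
}

func main() {
	for _, q := range constructedQueries {
		name, err := parseQueryName(buildQuery(q))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		s := scoreName(name)
		fmt.Printf("len=%3d entropy=%.2f suspicious=%-5v %s %v\n", s.BodyLen, s.Entropy, s.Suspicious, s.Name, s.Reasons)
	}
}
```

Run against the constructed list, the two ordinary names pass and the DGA-like and tunneling-like names are flagged. Per-name heuristics like these produce false positives on legitimate content-delivery and telemetry hostnames, so in practice they are one signal alongside query volume per client, NXDOMAIN rates and domain age rather than a verdict on their own.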
If you’re thinking that you’ll need heavy firepower to fill the security gaps of DNS infrastructure, you’re right.
Aging DNS Services Need Advanced Protection
The Domain Name System Security Extensions (DNSSEC) is a set of protocol security specifications designed to do just that: add extra power to DNS security countermeasures. By adding digital signatures to existing DNS records, DNSSEC protects applications that use DNS by rejecting manipulated or forged DNS data.
When you evaluate modern DNS security solutions, put DNSSEC at the top of the list, alongside these capabilities:
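What signing existing records means in practice, as an added example in Go that is not the article’s own code: a simplified model of how a zone owner produces an RRSIG over an RRset and how a validating resolver checks it against the zone’s public key, using Ed25519 (DNSSEC algorithm 15, RFC 8080). The RR and RRSIG structures are simplified (no wire format, key tag or label count), and the key pair, the records and the timestamps are constructed for the example; what the model does keep is the part that matters for tamper detection, namely that both sides build the signed bytes from the RRset in canonical form, so any altered or substituted record fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type, TTL and RDATA as text.
type RR struct {
	Owner, Type string
	TTL         uint32
	Data        string
}

// RRSIG keeps the RRSIG fields this model uses (RFC 4034 section 3.1);
// the key tag and label count are left out for brevity.
type RRSIG struct {
	TypeCovered string
	Algorithm   uint8 // 15 is Ed25519 in DNSSEC
	OriginalTTL uint32
	Inception   uint32 // seconds since the Unix epoch
	Expiration  uint32
	SignerName  string
	Signature   []byte
}

func u32(v uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return b[:]
}

// signedData is the byte string both signer and validator hand to the
// signature algorithm: the RRSIG fields (minus the signature) followed by
// the RRset in canonical form (owner names lowercased, TTL replaced by the
// original TTL, records sorted). The validator rebuilds it from what it
// received, so any change to a record changes the bytes.
func signedData(sig RRSIG, rrset []RR) []byte {
	b := []byte(sig.TypeCovered)
	b = append(b, sig.Algorithm)
	b = append(b, u32(sig.OriginalTTL)...)
	b = append(b, u32(sig.Inception)...)
	b = append(b, u32(sig.Expiration)...)
	b = append(b, strings.ToLower(sig.SignerName)...)
	canon := make([]string, 0, len(rrset))
	for _, rr := range rrset {
		canon = append(canon, fmt.Sprintf("%s|%s|%d|%s",
			strings.ToLower(rr.Owner), rr.Type, sig.OriginalTTL, rr.Data))
	}
	sort.Strings(canon)
	for _, c := range canon {
		b = append(b, 0) // separator so adjacent fields cannot run together
		b = append(b, c...)
	}
	return b
}

// signRRset is the zone owner's side: sign with the zone's private key.
func signRRset(priv ed25519.PrivateKey, sig RRSIG, rrset []RR) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrset))
	return sig
}

// validate is the resolver's side: check the validity window, algorithm
// and type coverage, then verify against the DNSKEY public key.
func validate(pub ed25519.PublicKey, sig RRSIG, rrset []RR, now uint32) error {
	if now < sig.Inception || now > sig.Expiration {
		return fmt.Errorf("RRSIG not valid at %d (window %d..%d)", now, sig.Inception, sig.Expiration)
	}
	if sig.Algorithm != 15 {
		return fmt.Errorf("unsupported algorithm %d", sig.Algorithm)
	}
	for _, rr := range rrset {
		if rr.Type != sig.TypeCovered {
			return errors.New("RRSIG does not cover this record type")
		}
	}
	if !ed25519.Verify(pub, signedData(sig, rrset), sig.Signature) {
		return errors.New("signature does not match RRset: data altered or forged")
	}
	return nil
}

// Outcome collects the validation results the demo produces.
type Outcome struct{ Genuine, Reordered, Tampered, Expired error }

// demo signs a constructed A RRset and validates it in four situations.
// Key pair, records and timestamps are constructed for this example.
func demo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rrset := []RR{{"www.example.com.", "A", 3600, "192.0.2.10"}, {"www.example.com.", "A", 3600, "192.0.2.11"}}
	sig := signRRset(priv, RRSIG{TypeCovered: "A", Algorithm: 15, OriginalTTL: 3600,
		Inception: 1700000000, Expiration: 1700000000 + 14*86400, SignerName: "example.com."}, rrset)
	now := uint32(1700000000 + 3600)
	forged := []RR{rrset[0], {"www.example.com.", "A", 3600, "198.51.100.66"}} // one address swapped
	return Outcome{
		Genuine:   validate(pub, sig, rrset, now),
		Reordered: validate(pub, sig, []RR{rrset[1], rrset[0]}, now),
		Tampered:  validate(pub, sig, forged, now),
		Expired:   validate(pub, sig, rrset, sig.Expiration+1),
	}
}

func main() {
	o := demo()
	fmt.Printf("genuine: %v\nreordered: %v\ntampered: %v\nexpired: %v\n", o.Genuine, o.Reordered, o.Tampered, o.Expired)
}
```

The genuine RRset validates, and so does the same set received in a different order, because canonical sorting happens before verification. The set with one substituted address fails, and a signature checked after its expiration is rejected regardless of its bytes, which is why DNSSEC deployments have to re-sign zones on a schedule. A full validator also walks the chain of trust (DS records and DNSKEYs up to the root) before trusting the public key at all.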
- Add machine learning to your toolkit. You need automation to overcome automated attacks. So, use algorithms to detect, analyze, and predict DNS-based threats.
- Inspect DNS traffic inline. Monitor and analyze DNS traffic with high-volume, high-speed data handling methods.
- Scale up to address advanced DNS exploits. Protect your IT infrastructure against advanced DNS threats by using high-speed, high-volume data analytics, which work well in cloud-based environments.
- Consume high-quality data. Recognize attacks and maintain a low false-positive rate by using large volumes of real-world threat data.
News about DNS security is a very mixed bag. Nevertheless, greater attention to DNS infrastructure and DNSSEC capabilities might provide the shark repellent we need to keep hackers at bay.