Often the Real Vulnerability, When it Comes to DNS Security and Stability, is Ignorance. Here are Five DNS Threats You Should Protect Against.
The Domain Name System (DNS) is pervasive. Collectively, we use it billions of times a day, often without even knowing that it exists. For enterprises, it's their digital identity as well as a critical component of their security architecture. Like all technology, though, it is susceptible to threats. Too often, the always-on, ubiquitous nature of DNS lends itself to being overlooked. Today, let’s look at five common threats that leverage DNS, along with suggested best-practice, risk-mitigation strategies.
1. Typosquatting
The practice of registering a domain name that is confusingly similar to an existing popular brand, typosquatting, is often considered a problem for trademark attorneys. However, as recent research has demonstrated, it can present a profound risk to the confidentiality of corporate secrets and should be increasingly thought of as a security problem. Typosquatting is not only about individuals opportunistically registering confusingly similar domains in the hope of benefiting from misdirected Web traffic; it can also be used to steal information.
In early September, researchers from the Godai Group said that they had successfully obtained 120,000 corporate emails by simply typosquatting certain domains and setting up catch-all email accounts. Godai registered domains following the format “usexample.com” to steal mail destined for “firstname.lastname@us.example.com”. If an email was incorrectly addressed, missing the dot between “@us” and “example”, it would arrive in the researchers' account instead. The research found that attackers could steal passwords, sales information and other trade secrets, and hypothesized that a more sophisticated attack could obtain information from both the email sender and recipient.
Remember to monitor newly registered domain names for names that are confusingly similar to your brand. Information about new domain registrations is often freely available from registries, and there are many companies that offer dedicated digital brand management services to simplify this searching process.
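As an added example (not part of the original article), the following Python builds a watchlist from the names you own, covering both the "dropped dot" pattern Godai used (us.example.com becoming usexample.com) and single-keystroke typos of the registrable domain, and then flags matches in a newly-registered-domain feed; the feed below is a constructed sample, not real registry data.

```python
def dotless_variants(fqdn: str) -> set[str]:
    """Variants of a multi-label name with one interior dot dropped,
    e.g. us.example.com -> usexample.com. The TLD label is left intact."""
    labels = fqdn.lower().split(".")
    out = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    return out


def edit_variants(domain: str) -> set[str]:
    """One-keystroke typos of a registrable domain (sld.tld): a character
    omitted, repeated or transposed. The original name itself is excluded."""
    sld, _, tld = domain.lower().partition(".")
    out = set()
    for i in range(len(sld)):
        out.add(sld[:i] + sld[i + 1:] + "." + tld)              # omission
        out.add(sld[:i] + sld[i] + sld[i:] + "." + tld)         # duplication
        if i + 1 < len(sld):                                    # transposition
            out.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:] + "." + tld)
    out.discard(domain.lower())
    return out


def build_watchlist(owned: list[str]) -> dict[str, str]:
    """Map each lookalike name to the owned name it imitates."""
    watch = {}
    for name in owned:
        for v in dotless_variants(name):
            watch[v] = name
        labels = name.lower().split(".")
        if len(labels) >= 2:
            registrable = ".".join(labels[-2:])
            for v in edit_variants(registrable):
                watch[v] = registrable
    return watch


def flag_new_registrations(owned: list[str], feed: list[str]) -> list[tuple[str, str]]:
    """Return (registered name, imitated name) for every feed entry on the watchlist."""
    watch = build_watchlist(owned)
    return [(d, watch[d.lower()]) for d in feed if d.lower() in watch]


# Constructed sample of one day's new registrations (not real data).
NEW_REGISTRATIONS = ["usexample.com", "exmaple.com", "unrelated-shop.net", "example.com"]

if __name__ == "__main__":
    for registered, imitated in flag_new_registrations(["us.example.com"], NEW_REGISTRATIONS):
        print(f"ALERT: {registered} looks like {imitated}")
```

A real deployment would feed the zone-file or registry "new domains" data the text mentions into `flag_new_registrations` daily and route hits to whoever handles brand abuse.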
2. Distributed Denial of Service Attacks
Distributed denial of service attacks (DDoS) are not a threat specific to DNS. However, the DNS is particularly vulnerable to such attacks because it represents a logical choke point on the network, all too often overlooked when organizations are capacity-planning their infrastructure. No matter how over-provisioned a website may be, if the DNS infrastructure cannot handle the number of incoming requests it receives, the performance of the site will be degraded or disabled.
To reduce the risk of falling victim to a DDoS attack against your domain names, consider engaging a managed DNS provider that uses a widely distributed, highly redundant network of Anycast servers to handle DNS traffic. (Disclosure: my employer, Afilias, provides managed DNS services.) Using Anycast to mirror your DNS servers can greatly improve performance as well as balance the load during a DDoS attack. If you would rather build your own managed DNS service, then be sure to leverage the power of Anycast.
3. DNS Amplification Attacks
DNS amplification is a tactic used in DDoS attacks that leverages DNS servers deployed in insecure “recursive” configurations. Recursion is a feature of DNS that allows for domain name resolution to be handed off to more robust name servers. In itself, it's a useful, necessary feature commonly deployed within an enterprise environment. But criminals discovered several years ago that "open" recursive DNS servers, i.e., a recursive name server for which access is neither controlled nor restricted, could be exploited to increase the strength of their DDoS attacks.
By spoofing the source address on DNS queries to match that of the intended victim, attackers found that every spurious packet sent from one of their bots could be amplified if sent to a recursive name server. The response sent to the victim would be many dozens of times larger than the original query. This could result in a botnet wielding many times the firepower, causing much more severely degraded performance at its victim's site. Today, running a recursive DNS server that is open to the entire Internet is no longer considered acceptable security practice. Fortunately, securing your DNS servers against this kind of attack is usually achieved with a simple configuration change.
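The "simple configuration change" is, on BIND 9, restricting who may use recursion. As an added example (not from the article), here is a small Python audit that classifies the recursion exposure of a named.conf options block; the two configurations are constructed samples using BIND's `recursion`, `allow-recursion` and `allow-query-cache` statements, with the open one beside the corrected one.

```python
import re

# Constructed sample: recursion offered to the whole Internet (amplifier).
OPEN_RESOLVER_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };        // anyone can use this cache
};
"""

# Constructed sample: same server, recursion limited to internal networks.
RESTRICTED_CONF = """\
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "internal"; };   // only our own networks
    allow-query-cache { "internal"; };
};
"""

WILDCARD_ACLS = {"any", "0.0.0.0/0", "::/0"}


def _options_block(conf: str) -> str:
    """Body of the top-level options { ... }; block (inner '};' are indented)."""
    m = re.search(r"options\s*\{(.*?)\n\s*\};", conf, re.S)
    return m.group(1) if m else ""


def recursion_exposure(conf: str) -> str:
    """'disabled', 'open', 'restricted' or 'unspecified' (no allow-recursion,
    so BIND's built-in default for that version applies; verify it)."""
    block = _options_block(conf)
    rec = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", block)
    if rec and rec.group(1) == "no":
        return "disabled"
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}", block)
    if acl is None:
        return "unspecified"
    members = [m.strip().strip('"') for m in acl.group(1).split(";") if m.strip()]
    return "open" if any(m in WILDCARD_ACLS for m in members) else "restricted"


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER_CONF), ("restricted", RESTRICTED_CONF)):
        print(f"{label}: {recursion_exposure(conf)}")
```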
4. Registrar Hijacking
The majority of domain names are registered via a registrar company, and these represent single points of failure. If an attacker can compromise your account with your chosen registrar, they gain control over your domain name, allowing them to point it to the servers of their choice, including name servers, Web servers, email servers, etc. Worse still, the domain could be transferred to a new owner or to an “offshore” registrar, making domain name recovery a complex matter.
Such attacks may be directed at the registrar in a blanket fashion, as was the case in the recent attack against UK registrar NetNames, which claimed several high-profile victims. Others may target your account specifically, either through an attack on your password or, more commonly, a social engineering attack against the registrar's technical support operatives.
To reduce the risk of hijacking, choose a registrar that offers additional security precautions, such as multi-factor authentication or account managers with whom you can build a personal relationship. Many registrars will offer premium services to high-value clients that can substantially mitigate the risk of losing control of your account to a hijacker. These come at a cost, but it's a small price to pay to ensure that your domain name remains in your control.
5. Cache poisoning
Whenever you send an email or visit a website, your computer is probably using DNS data that has been cached somewhere on the network, such as with your ISP. This improves the performance of the Internet, and reduces the load on the various registries that provide authoritative DNS responses. However, these caches can sometimes be vulnerable to "poisoning" attacks.
Attackers sometimes exploit vulnerabilities or poor configuration choices in DNS servers, or in cases such as the infamous Kaminsky Bug, vulnerabilities in the DNS protocol itself, to inject fraudulent addressing information into caches. Users accessing the cache to visit the targeted site would find themselves instead at a server controlled by the attacker. If the attacker's site were a close replica of the target's official site, there would be no way for the user to tell that they were being phished. As far as their browser would know, it would be at the official site.
As well as deploying name servers in secure configurations, the solution to this problem is a protocol known as DNSSEC, which is being rolled out across registries and registrars worldwide today. Once DNSSEC adoption becomes universal, adding a DNSSEC digital signature to a domain name will mean that browsers and ISPs will be able to validate that DNS information they receive is authentic, rendering most cache poisoning attacks obsolete. Organizations concerned about the integrity of their domain names should ask their registrars to support DNSSEC today.
Solutions exist for these DNS-based attacks. Some solutions are simple, while others are more complex. But often the real vulnerability, when it comes to DNS security and stability, is ignorance.