Simply put, the domain name system (DNS) makes the Internet usable for humans. It serves as the critical directory look-up function, translating text web addresses into the digital Internet addresses used by our devices to connect to websites, email and other Internet applications.
Organisations publish their web addresses in DNS so people can easily find them on the Internet. If customers can’t reach your website because DNS is down, you could suffer financial, reputational, or other forms of loss. If your DNS is inoperable, you’re invisible on the web.
Because of its criticality to the workings of the Internet, DNS may not only serve as an attack target, it may also serve as an attack vehicle — using DNS to piggyback the attack through your network, given its requisite permissiveness to flow through firewalls to and from the Internet.
Network engineers must take heed of DNS vulnerabilities and the corresponding defensive measures in order to secure their networks more completely. To assess the status of DNS security concerns and mitigation strategies, BT conducted an industry survey regarding DNS security in October 2017.
Among the key findings from the survey was that more than half of survey respondents had experienced some form of malware or ransomware attack over the past twelve months, with about fifteen per cent of these indicating some form of reputational and/or financial loss. While not all malware and ransomware use DNS, over 90 per cent of malware uses DNS to make contact with the malware author’s command and control (C&C) centre over the Internet, according to a 2016 Cisco security report. In this manner, malware installed on infected devices can receive attack instructions, download malware updates, and export sensitive information gathered from within your network. Hence, monitoring DNS and firewalling DNS responses can lead to the detection and prevention of malware or ransomware activity and proliferation.
In addition to such malware and ransomware infiltration, respondents indicated they had suffered denial or distributed denial of service (DoS/DDoS) attacks, reflected DDoS, domain hijacking and DNS cache poisoning. DNS cache poisoning can occur when an attacker answers a query for a given destination before the ‘real’ or authoritative server responds. It’s not quite that trivial to poison a DNS server cache, as other parameters in the response must complement the query. However, such an attack can hijack unsuspecting users to imposter websites, as can brute force domain hijacking attacks. These manipulate your or your parent zone’s DNS servers’ information.
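The resolver-side checks that make poisoning "not quite that trivial", as an added example that is not part of the original article: a recursive server only caches a reply when the transaction ID, destination port, source address and question section all match the outstanding query, and then discards records outside the queried zone's bailiwick. The packet fields, addresses and names below are constructed sample data.

```python
# Added example (not from the article): the "other parameters" a spoofed reply
# must match are modelled as transaction ID, port, server address, question
# section and bailiwick.  All packets below are constructed sample data.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int    # ephemeral port the resolver sent from (random per query)
    server: str      # authoritative server the query was sent to
    qname: str
    qtype: str

@dataclass
class Response:
    txid: int
    dst_port: int
    src_addr: str
    qname: str
    qtype: str
    records: list = field(default_factory=list)   # (owner, type, rdata)

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the queried zone or a name beneath it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def accept_response(q: Query, r: Response, zone: str):
    """Return (accepted, cacheable records): reject unless every field a
    spoofer would have to guess matches the outstanding query, then drop
    out-of-bailiwick records that could poison unrelated names."""
    if (r.txid, r.dst_port, r.src_addr) != (q.txid, q.src_port, q.server):
        return False, []
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return False, []
    return True, [rec for rec in r.records if in_bailiwick(rec[0], zone)]

# Constructed: outstanding query for www.example.com sent to 192.0.2.53
QUERY = Query(0x1A2B, 51234, "192.0.2.53", "www.example.com.", "A")
ZONE = "example.com."

def demo():
    genuine = Response(0x1A2B, 51234, "192.0.2.53", "www.example.com.", "A",
                       [("www.example.com.", "A", "192.0.2.10"),
                        ("ns.other.net.", "A", "198.51.100.9")])  # off-zone glue
    # Reply that guessed the 16-bit ID but not the randomised source port
    spoofed = Response(0x1A2B, 53, "192.0.2.53", "www.example.com.", "A",
                       [("www.example.com.", "A", "203.0.113.66")])
    return accept_response(QUERY, genuine, ZONE), accept_response(QUERY, spoofed, ZONE)
```

The genuine reply is accepted but its off-zone glue record is dropped; the reply with a guessed ID is rejected outright because the port does not match.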
Given these and other DNS attack vectors, we asked participants about the state of their implementation for major DNS security measures. Due to the diversity of attack vectors against DNS and other network and computing elements that use DNS, a variety of strategies are required to defend effectively. Many of these strategies also facilitate a defence-in-depth approach when used with other DNS and general network security tactics.
Over half of respondents have fully implemented the basic security measures of access control lists (ACLs), DoS/DDoS protections, query monitoring and forensics capabilities and role-based deployment to contain the breadth of an infiltration. DNS server hardening has been implemented by nearly half of survey respondents, and an additional 30 per cent are implementing or plan to implement this within two years.
A little over one-quarter of respondents have fully implemented DNS firewall functionality, which is an effective approach to detecting and blocking malware attempts to contact C&C centres. DNS firewall policies can block such queries or rewrite query answers so that the device is connected to a mitigation portal for remediation. Nearly 75 per cent of respondents plan to implement a DNS firewall solution within two years, which should help in defending against this most prevalent form of DNS attack.
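A minimal DNS firewall policy of the kind described above (block the query, or redirect the answer to a mitigation portal), applied to resolver query-log lines to surface clients that attempted C&C contact. This is an added example, not the article's or BT's code; the policy entries, client addresses, domains, log format and longest-suffix matching order are all assumptions made for illustration.

```python
# Added example (not the article's or BT's code): a minimal DNS-firewall policy
# in the spirit of RPZ, applied to constructed resolver query-log lines.
# Policy entries, client addresses and domains are all made up for illustration.
import ipaddress
from collections import defaultdict

# Policy: domain -> action.  "*." prefix covers all subdomains.
# NXDOMAIN blocks the lookup; an IP redirects the client to a mitigation portal.
POLICY = {
    "evil-c2.example.": "NXDOMAIN",
    "*.botnet.example.": "NXDOMAIN",
    "ransom-drop.example.": "192.0.2.250",   # walled-garden / remediation portal
}

def lookup_policy(qname: str):
    """Longest-suffix match (assumed policy order): exact name first, then a
    wildcard for each parent label.  Returns (matched_rule, action) or (None, "PASS")."""
    name = qname.lower().rstrip(".") + "."
    if name in POLICY:
        return name, POLICY[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in POLICY:
            return wild, POLICY[wild]
    return None, "PASS"

def parse_log_line(line: str):
    """Parse 'timestamp client qname qtype' (constructed log format)."""
    ts, client, qname, qtype = line.split()
    ipaddress.ip_address(client)          # raises on a malformed client field
    return ts, client, qname, qtype

def apply_policy(log_lines):
    """Return per-client policy hits and the answer each query would receive."""
    hits = defaultdict(list)
    answers = []
    for line in log_lines:
        ts, client, qname, qtype = parse_log_line(line)
        rule, action = lookup_policy(qname)
        answers.append((qname, action))
        if rule is not None:
            hits[client].append((ts, qname, rule, action))
    return dict(hits), answers

SAMPLE_LOG = [  # constructed, not real traffic
    "2017-10-03T09:12:01 10.0.0.14 www.example.com. A",
    "2017-10-03T09:12:07 10.0.0.14 evil-c2.example. A",
    "2017-10-03T09:13:40 10.0.0.22 node7.botnet.example. TXT",
    "2017-10-03T09:14:02 10.0.0.22 ransom-drop.example. A",
]
```

Running `apply_policy(SAMPLE_LOG)` yields the clients and timestamps to hand to incident response, alongside the blocked or redirected answer each query would have received.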
Less than 40 per cent of respondents support or plan to support DNS security extensions (DNSSEC) within the next two years. In fact, over 40 per cent have no plans at all to implement DNSSEC.
DNSSEC provides digital signatures on DNS resolutions, enabling users to authenticate such responses, vastly diminishing the likelihood of possible domain hijacking via cache poisoning. While early implementations of DNSSEC were complex to initialise and maintain, many open source and commercial products automate most or all of the cryptographic setup and maintenance these days. We found this perception of complexity still prevails, unfortunately, as fewer than 20 per cent of respondents agreed or strongly agreed that DNSSEC signing or validation is easy to maintain.
In summary, it’s clear that IT and operations engineers and managers are concerned about DNS security and its impacts on broader network security. They realise the vulnerabilities that DNS presents, both as a critical network service and as a requisite network protocol requiring open transport throughout their networks and through network firewalls. Despite this recognition, implementation of DNS security measures is modest. Basic controls have largely been implemented by the majority, though preferably all would take such measures.
Other, more sophisticated, controls such as DNS firewalls and DNSSEC have yet to be largely implemented by most, despite acknowledged value in securing networks. Perceptions of complexity for DNSSEC, and uncertainty regarding DNS firewall configuration and maintenance have inhibited enthusiastic deployment as yet.