Acting as the address book of the internet, the Domain Name System (DNS) is a mission-critical part of infrastructure without which no organisation can function.
This undisputed importance has made it a popular attack vector for many cyber-criminals. DNS-based threats are then aggravated by inherent vulnerabilities which tend to be inadequately protected by traditional cybersecurity solutions.
It’s a fact of IT life that when DNS services are compromised, catastrophic system and network failure can ensue. Many cyber criminals will target external DNS servers - those that are Internet-facing, such as applications, websites and email clients - using DNS-based Distributed Denial of Service (DDoS) attacks or DNS reflection and amplification, which often result in reduced performance and downtime.
Solutions for securing DNS services are often short-sighted in their response to the threat, focusing solely on what’s trying to make its way in. But as when securing other aspects of their networks and software, organisations must understand the limitations of their external defences, like firewalls, and work to secure against the threats that lie within.
Wise to these limited security solutions, many cyber criminals are now manoeuvring around these external defences and launching targeted attacks from within, at great risk to both an organisation’s infrastructure and its data.
For example, a targeted Advanced Persistent Threat (APT) or an endpoint infected with malware can use DNS to communicate with command-and-control (C&C) servers. The threat may even come from within the organisation, with a malicious agent using techniques like embedding data in DNS queries or using DNS tunnelling techniques to steal sensitive information.
The threat from within
Organisations don’t have the luxury of turning a blind eye to the internal threats posed to DNS. Whilst traditional external security may lull an organisation into a false sense of security, the threat on internal DNS is growing and the cost of such negligence can be great. Internal infrastructure attacks can result in business downtime, lower productivity, and increased operational expenses.
DDoS attacks on internal DNS are on the up, and like their external equivalent, these overload the servers, often reducing their performance to the point of failure. Recently, for instance, a healthcare organisation suffered a flood attack on its internal DNS servers of a million queries per second, and another DDoS attack launched against a large computer storage company’s internal DNS resulted in its employees being sent home for four hours.
Attacks on internal DNS are often stealthier and more sophisticated than their external counterparts, exhausting resources on recursive servers - the part that resolves names on behalf of internal clients. Whether a simple NXDOMAIN attack or a sophisticated DDoS attack coupled with chain reactions, botnets and misbehaving domains, cybercriminals are employing advanced techniques which result in resource exhaustion, cache saturation and outbound bandwidth congestion.
Look at the full picture
Whilst inherently vulnerable, it’s not all doom and gloom for DNS. Its unique position within the network actually means that DNS can be employed as a means to protect against and respond to attacks.
An effective internal DNS security solution is able to prevent APTs and malware from exploiting DNS, prevent data exfiltration, and protect it from aggressive attacks. All this, without needing to make changes to the organisation’s network architecture.
When harnessing an up-to-date threat intelligence feed of known malicious domains and IP addresses, an internal DNS security solution is able to continuously monitor for, detect and drop DNS attacks, whether cache poisoning, DNS DDoS or DNS tunnelling.
Employing DNS response policy zones (RPZs) on internal DNS to run concurrently with threat intelligence, for example, allows a DNS appliance to intercept queries associated with known malware and APTs. By disrupting communication with external C&C servers and botnets in this way, the DNS is able to effectively choke the threat.
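The RPZ mechanism described above, as an added illustration (not code from any vendor product): a minimal policy lookup that follows the BIND RPZ convention, where the owner name is the trigger and the CNAME target encodes the action. The policy zone, the domain names and the query log are all constructed for the example.

```python
"""Minimal RPZ-style QNAME policy lookup (added example, not a vendor product).

Assumed convention (BIND RPZ): the record owner is the trigger; the CNAME
target encodes the action:  '.' -> NXDOMAIN, '*.' -> NODATA,
'rpz-passthru.' -> let the query through despite an enclosing block.
"""

# Constructed policy zone: owner names relative to the RPZ zone apex.
RPZ_POLICY = {
    "bad-c2.example": ".",                      # NXDOMAIN for the exact name
    "*.bad-c2.example": ".",                    # ...and for every subdomain
    "allowed.bad-c2.example": "rpz-passthru.",  # exception inside the block
    "tracker.example": "*.",                    # NODATA: name exists, no data
}

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def rpz_lookup(qname: str) -> str:
    """Return the RPZ action for a query name, or 'ALLOW' if nothing matches.

    RPZ precedence: an exact owner match wins; otherwise the closest enclosing
    wildcard ('*.parent') applies, walking up the tree one label at a time.
    """
    name = qname.rstrip(".").lower()
    if name in RPZ_POLICY:
        return ACTIONS[RPZ_POLICY[name]]
    labels = name.split(".")
    for i in range(1, len(labels)):          # a.b.c -> *.b.c -> *.c
        candidate = "*." + ".".join(labels[i:])
        if candidate in RPZ_POLICY:
            return ACTIONS[RPZ_POLICY[candidate]]
    return "ALLOW"


def apply_policy(query_log):
    """Apply the policy to '<client> <qname>' lines; return (client, qname, action)."""
    return [(c, q, rpz_lookup(q)) for c, q in (ln.split() for ln in query_log)]


# Constructed query log: one infected host beaconing, one normal host.
SAMPLE_QUERIES = [
    "10.0.0.5 beacon.bad-c2.example.",
    "10.0.0.5 allowed.bad-c2.example.",
    "10.0.0.9 www.tracker.example.",
    "10.0.0.9 tracker.example.",
    "10.0.0.9 www.example.com.",
]
```

Running `apply_policy(SAMPLE_QUERIES)` shows the beacon answered NXDOMAIN, the listed exception passed through, and the ordinary lookup allowed.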
The solution can also mitigate the loss of potentially sensitive data by detecting and preventing its exfiltration via DNS tunnelling. Establishing query thresholds allows the DNS to detect and drop large UDP/TCP queries and responses - especially those repeated in a given timeframe - effectively mitigating any DNS tunnelling attempts.
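The query-threshold idea in the paragraph above, as an added example rather than any product's own logic: a sliding-window detector that counts oversized queries per client and flags a client once the count exceeds a threshold within the window. The log format, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Query-threshold detector for DNS tunnelling (added example, not a product).

Assumed log format (constructed): "<epoch> <client> <qname> <wire_bytes>".
A query is 'large' when its wire size exceeds MAX_BYTES or its name exceeds
MAX_NAME_LEN. A client is flagged when it sends more than THRESHOLD large
queries within WINDOW seconds; a resolver hook would then drop its queries.
"""
from collections import defaultdict, deque

MAX_BYTES = 200     # typical A/AAAA lookups are far smaller
MAX_NAME_LEN = 100  # tunnels pack encoded data into long labels
THRESHOLD = 5       # large queries allowed per window before flagging
WINDOW = 60         # seconds


def is_large(qname: str, size: int) -> bool:
    return size > MAX_BYTES or len(qname) > MAX_NAME_LEN


def detect_tunnelling(log_lines):
    """Return {client: epoch at which it was first flagged}."""
    recent = defaultdict(deque)  # client -> timestamps of recent large queries
    flagged = {}
    for line in log_lines:
        ts, client, qname, size = line.split()
        ts, size = int(ts), int(size)
        if not is_large(qname, size):
            continue
        window = recent[client]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # expire old entries
            window.popleft()
        if len(window) > THRESHOLD and client not in flagged:
            flagged[client] = ts
    return flagged


def sample_log():
    """Constructed traffic: one host sends six long encoded queries in 25 s,
    another host sends ordinary lookups."""
    chunk = ("a1b2c3d4e5f6" * 8)[:90]             # 90-char encoded payload label
    lines = [f"{1700000000 + i * 5} 10.0.0.5 {chunk}.t.example 250" for i in range(6)]
    lines.append("1700000010 10.0.0.9 www.example.com 60")
    lines.append("1700000012 10.0.0.9 mail.example.com 70")
    return lines
```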
This then allows the solution to disconnect C&C servers, preventing them from exfiltrating data via the standard network protocols, whilst reducing infections and preventing malware from breeding inside the network at the same time.
With its history of inadequate protection, it is no surprise that DNS has become a highly popular target for attacks. But with the threat landscape expanding, companies can no longer leave this mission-critical piece of network architecture vulnerable.
Organisations must look beyond what’s trying to get into their network and consider all the attack vectors - both from inside and outside the DNS. It’s time to harness the power of DNS and convert it from the network’s weakness into its greatest security strength.