The Domain Name System (DNS) is more than twenty years old now and has largely done a great job. For the majority of that period, DNS has provided an essential, trusted, mostly invisible protocol that ensured users could find the web page they needed. That might, however, be about to change.
In the past year, the COVID-19 pandemic has forced many millions of employees to work remotely for the first time. Alongside other security challenges, this has led to a rapid increase in the volume of DNS queries as more and more workers seek to access corporate systems via home and public WiFi networks.
This, in turn, has led to a surge in the number of cyberattacks targeting DNS. Some of these attacks use “traditional” methods such as tunneling. Others have relied on newly discovered vulnerabilities such as SIGRed, a flaw in Windows DNS that had been present for seventeen years before it was discovered in July 2020. Still others, such as the SolarWinds attack, have combined social engineering techniques with more “technical” methods.
Overall, we are witnessing the rise of a new threat blend when it comes to DNS: one in which previously novel attacks have become mainstream. In this blog, we’ll look at what this means for the cybersecurity landscape.
The “Standard” DNS Attack
Up until quite recently, DNS was regarded as fairly secure. This was largely because the system was thought to be susceptible to a limited number of attack vectors. For more than 20 years, there has been one prominent form of attack against DNS, known as “tunneling.”
Using this method, hackers hide malicious code and data inside DNS queries. Since these queries are generally allowed to pass through firewalls and other security cordons without issue, malware can be injected into the heart of a corporate IT system. The same channel can then be used to control compromised computers within an organization, activate further instances of malware, or siphon away sensitive (and potentially lucrative) information.
This type of attack has become extremely common: with more than 2.2 trillion DNS queries processed each day to guide web traffic where it needs to go, there is a large target for hackers to aim at. And even though reasonably effective countermeasures have been developed, it continues to pose a threat to unprepared organizations. The OilRig threat group, for example, has made widespread use of DNS tunneling for command-and-control communication with infected hosts and has generated millions of dollars while doing so.
Alongside this ongoing threat there is another factor: the popularization of hacking, and of DNS tunneling in particular. DNS tunneling kits are now easily available on hacker forums, and there are even how-to videos on YouTube that show aspiring criminals how to perform their own attacks.
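Tunneling traffic of the kind described above leaves statistical traces in resolver query logs, and those traces are what a defender looks for. The Python script below is an added example, not code from the original post or from any tool or group it mentions; the log line format, the sample log lines, the thresholds and the `registrable_zone` shortcut are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed log format (not any real resolver's): "<epoch> <client_ip> <qname> <qtype>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Thresholds are illustrative assumptions; tune them against your own traffic baseline.
MAX_LABEL_LEN = 40            # a single label longer than this is rare in ordinary names
MIN_ENTROPY = 3.5             # bits per character; encoded payloads score well above this
MAX_UNIQUE_SUBDOMAINS = 5     # distinct names under one zone from one client
SUSPECT_QTYPES = {"TXT", "NULL"}  # record types with room for bulky responses


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_zone(qname: str) -> str:
    """Crude 'zone' = last two labels (example.com). Assumption for the demo:
    production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype}


def label_indicators(qname: str) -> set:
    """Per-query indicators: an overlong label, or high-entropy text left of the zone."""
    found = set()
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])   # subdomain characters only, dots removed
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        found.add("long_label")
    if len(sub) >= 16 and shannon_entropy(sub) > MIN_ENTROPY:
        found.add("high_entropy")
    return found


def analyze(lines) -> dict:
    """Collect every indicator seen per (client, zone) pair."""
    unique_names = defaultdict(set)   # (client, zone) -> distinct query names
    indicators = defaultdict(set)     # (client, zone) -> indicator labels
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], registrable_zone(rec["qname"]))
        unique_names[key].add(rec["qname"])
        indicators[key] |= label_indicators(rec["qname"])
        if rec["qtype"] in SUSPECT_QTYPES:
            indicators[key].add("suspect_qtype")
    for key, names in unique_names.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            indicators[key].add("many_unique_subdomains")
    return dict(indicators)


def report(lines, min_indicators: int = 2) -> dict:
    """Return only the (client, zone) pairs with at least min_indicators distinct
    indicators; a lone TXT lookup (SPF, DMARC) is normal and must not alert."""
    return {k: v for k, v in analyze(lines).items() if len(v) >= min_indicators}


# Constructed sample: one ordinary client (10.0.0.5) and one tunnelling client (10.0.0.7)
SAMPLE_LOG = """\
1600000000 10.0.0.5 www.example.com A
1600000001 10.0.0.5 mail.example.com MX
1600000002 10.0.0.5 _dmarc.example.com TXT
1600000003 10.0.0.7 3q4hsdg6a2kx9f7p2mzr.c2.badzone.test TXT
1600000004 10.0.0.7 7ze8rt2yv1qa4nb0pk9lm.c2.badzone.test TXT
1600000005 10.0.0.7 b2x6n4fj8r1wq5dsk7ap3.c2.badzone.test TXT
1600000006 10.0.0.7 k9f3hmz1c7vq2e8tgl4xy.c2.badzone.test TXT
1600000007 10.0.0.7 p1y5wm0rt7ka3zn6cjf9q.c2.badzone.test TXT
1600000008 10.0.0.7 v8a2kz5rd4ng1xm7bpl0t.c2.badzone.test TXT
1600000009 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWwgZm9y.c2.badzone.test TXT
"""

if __name__ == "__main__":
    for (client, zone), found in report(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {zone}: {sorted(found)}")
```

The four indicators (overlong labels, high-entropy subdomains, many distinct names under one zone from one client, and bulky record types) are each noisy on their own, which is why `report` only raises a pair once two of them coincide: the ordinary client's single DMARC TXT lookup stays quiet while the second client, which is sending encoded data left of a fixed zone, trips all four. In a real deployment the thresholds come from a baseline of your own traffic, the zone is derived from the Public Suffix List, and query volume over time is added as a fifth signal.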
A Changing Environment
Into this environment rolled COVID-19 and widespread work-from-home (WFH) orders. The pandemic has radically changed the cybersecurity landscape around the world, both in the kind of attacks we are seeing and in their scale. According to Neustar’s recently released “Online Traffic and Cyber Attacks During COVID-19” report, there was a dramatic escalation in the number of attacks and their severity across virtually every measurable metric from March to mid-May 2020. Of particular note, however, was a spike in DNS-related attacks.
At one level, this escalation is hardly surprising. With so many more employees working from home, DNS requests spiked during the same period. In one way, this increase in the number of attacks merely represents the fact that WFH offered a bigger target for hackers to take advantage of. That’s not the whole story, though. Alongside the increase in the raw number of DNS attacks, DNS-based threat vectors that were previously thought of as a niche concern have also increased as a proportion of the whole.
These attacks have generally been of three types, known as DNS hijacking, DNS spoofing, and DNS cache poisoning. All three operate in much the same way: they tamper with the DNS table used to answer lookups, so that when a user sends a DNS request they are directed to a site other than the one they intended.
This kind of DNS rewriting has also been around for decades, and even has some (debatably) legitimate uses: some corporations and governments use it to “legitimately” censor the internet, for example. In recent attacks, however, users have been redirected to websites that host malware. These sites attempt to remotely access users’ personal information or trick them into sharing it. With so many more DNS requests occurring at the moment, and with so many workers still unfamiliar with how remote access is supposed to work, these attacks have been tremendously successful.
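Hijacking, spoofing and cache poisoning all succeed by getting bad DNS data accepted, and a caching resolver's first line of defence is to refuse any response that does not belong to the question it actually asked. The Python below is an added example, not code from the original post or from any resolver: a minimal DNS wire-format codec plus the transaction-id, question-echo and bailiwick checks a resolver runs before it caches anything. The zone `example.com`, the transaction ids and the RFC 5737 test addresses are constructed for the demo.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a name at buf[off:], following RFC 1035 compression pointers with a
    bounded walk so malformed input cannot loop. Returns (name, offset past the name)."""
    labels, jumped, end = [], False, None
    for _ in range(128):
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 14-bit offset
            if not jumped:
                end = off + 2                # the name in the stream ends after the pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels).lower(), (end if jumped else off)


def build_message(txid, flags, question, answer=(), authority=(), additional=()):
    """Serialise a message. question=(name, qtype); each RR is (name, qtype, ttl, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    qname, qtype = question
    body = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    for name, rtype, ttl, rdata in (*answer, *authority, *additional):
        body += encode_name(name) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return hdr + body


def parse_message(buf: bytes) -> dict:
    """Parse header, question and the three RR sections into plain Python values."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for sect, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            rrs.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
            off += rdlen
        sections[sect] = rrs
    return {"txid": txid, "flags": flags, "questions": questions, **sections}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query: bytes, response: bytes, zone: str):
    """Return (True, 'ok') if the response may be cached, else (False, reason).
    `zone` is the zone the queried server is authoritative for, i.e. its bailiwick."""
    q, r = parse_message(query), parse_message(response)
    if r["txid"] != q["txid"]:
        return False, "transaction id mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit not set (not a response)"
    if r["questions"] != q["questions"]:
        return False, "question section does not echo the query"
    for sect in ("answer", "authority", "additional"):
        for name, *_ in r[sect]:
            if not in_bailiwick(name, zone):
                return False, f"out-of-bailiwick record {name!r} in {sect}"
    return True, "ok"


# Constructed exchange: a resolver asks example.com's server for www.example.com / A
QUERY = build_message(0x1A2B, 0x0100, ("www.example.com", QTYPE_A))
GOOD = build_message(0x1A2B, 0x8400, ("www.example.com", QTYPE_A),
                     answer=[("www.example.com", QTYPE_A, 300, bytes([192, 0, 2, 10]))])
# Poisoning attempt: the expected answer, with an unrelated name riding in the additional section
POISONED = build_message(0x1A2B, 0x8400, ("www.example.com", QTYPE_A),
                         answer=[("www.example.com", QTYPE_A, 300, bytes([192, 0, 2, 10]))],
                         additional=[("login.bank.test", QTYPE_A, 86400, bytes([198, 51, 100, 66]))])
# Forged response whose transaction id does not match the outstanding query
WRONG_ID = build_message(0x9999, 0x8400, ("www.example.com", QTYPE_A),
                         answer=[("www.example.com", QTYPE_A, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("poisoned", POISONED), ("wrong id", WRONG_ID)):
        print(label, validate_response(QUERY, msg, "example.com"))
```

The bailiwick rule is what stops a server for one zone from planting a record for a completely different name in a resolver's cache, and the transaction-id and question checks reject blind forgeries that never saw the real query. Production resolvers add more to this: source-port randomization, matching the response's source address against the server queried, and DNSSEC validation, which lets the resolver reject data that was never signed by the zone owner.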
It’s one thing to notice a trend, of course, and quite another to stop it. Nevertheless, it is clear that swift action is required to combat the rise of DNS-based attacks, and in particular those that are novel enough to be unfamiliar to the average user.
Unfortunately, this may be a difficult attack vector for cybersecurity experts to shut down. DNS cache poisoning, in particular, relies on tricking employees into accepting changes to their local DNS table and is usually executed via a phishing attack. For this reason, the best way to combat DNS attacks might not be a detailed look at the anatomy of a DNS hijacking (though that will likely help!), but instead to train employees to recognize and resist spearphishing.
This extra training should always be used alongside a reliable DNS protection system. There are various components to a typical DNS protection system, each designed to protect you and your customers against different threats. Implementing DNSSEC is a good first step when it comes to protecting your own domains, because this can stop criminals from tricking users into using a site that looks like yours but is designed to collect personal information.
Another step in keeping your systems secure is to use a secure DNS provider. These companies take care to verify that their DNS tables are accurate, which can prevent a range of attack vectors. There are plenty of options when it comes to choosing a provider (Quad9 and Zscaler, to name a few), but all aim to give you the same thing: added protection against novel forms of DNS attack.
With the right systems in place, DNS is much more than a directory of IP addresses; it’s a way for organizations to proactively address attack activities and stop the vast majority of malware, viruses, and malicious content before critical systems are impacted. That’s why it’s more important than ever to find reliable sources for DNS logging, and to ensure the security of your internal DNS infrastructure.