Home Dan Williams Protecting Your Organization from DNS Vulnerabilities

Protecting Your Organization from DNS Vulnerabilities

Protecting Your Organization from DNS Vulnerabilities
0

By Dan Williams
Contributor, InCyberDefense

As most of us are aware, the Domain Name Service (DNS) is the phonebook of the internet. Without the public servers that provide DNS records, users would have to memorize numerical Internet Protocol (IP) addresses rather than a simple website name.

For example, imagine that every time you wanted to read an article on InCyberDefense, you had to type “192.124.249.57” into your web browser instead of the name. While this IP address is almost the length of a U.S. phone number, that is an Internet Protocol Version 4 (IPv4) address.

But an IPv6 address looks more like this: “0123:4567:89ab:cdef:4567:89abcdef.” The difference between the two is that IPv6 was created to address the shortage of IP addresses available in the IPv4 space, equaling 4,294,967,296 (232).

Available Public IP Addresses Have Shrunk Over Time

Over the years, internet connectivity has become more prevalent. As a result, the number of public IP addresses available began to shrink, which is known as “IP address exhaustion.”

Get started on your cybersecurity degree at American Military University.

All of those smart devices that we have come to rely on, collectively known as the “Internet of Things” (IoT), have consumed a large number of IPv4 addresses and increased the need to adopt longer IPv6 addresses. Having much longer IP addresses would make DNS even more important in terms of convenience.

If this problem seems like a major issue for humans, don’t think it’s any easier for machines. Without the ability to assign a name through DNS, dynamic IP addresses such as those addresses associated with ephemeral cloud resources would be a moving target of guesswork that would be impossible to track manually.

Based on these public DNS records, typing “incyberdefense.com” into your web browser will always follow a magic trail of breadcrumbs to the IP address currently hosting its website, should that IP address ever change.

It’s easy to see why DNS is considered critical infrastructure. Without it, internet operations as a whole would come to a grinding halt. Without a sense of how to secure this less popular service, this critical infrastructure element continues to remain a prime target for threat actors with hostile agendas. So why exactly does DNS represent an overlooked yet crucial piece to a solid cybersecurity strategy?

Inherent Vulnerabilities with DNS

In order to offer a high degree of reliability, most fundamental network building blocks were not created with security in mind as a means of reducing friction for implementation. For example, in some cases the appropriate IP or Media Access Control (MAC) address (or nothing at all) is the sole requirement for device-level identification on a network to reduce the burden of asset tracking and configuration on administrators.

In common spoofing attacks where the IP or MAC address of a device can be impersonated, a threat actor can be granted access as though the actor was a legitimate system by using known and trusted addresses. Similarly, DNS records serve a relatively elementary purpose from a functionality standpoint, which means they are just as easy to exploit.

An administrator may not understand the concept of recursive DNS queries and the threats they introduce into the equation, leaving the infrastructure prone to weaknesses in DNS. There are a range of vulnerabilities associated with DNS, involving the Confidentiality-Integrity-Availability (CIA) triad.

Confidentiality

One major issue for DNS as a network protocol is its lack of popularity as a threat vector for organizations and the susceptibility for what is known as “DNS tunneling.”. In a world where there are infinite considerations to take into account when one is defending against threats, something like the DNS protocol may not seem to be a broad attack surface.

The reality is this perception leaves DNS-based threats as a low priority when one is threat modeling and conducting remediation planning. The use of a technique known as encapsulation is how the various layers of the Seven Layer OSI Reference Model essentially “wrap” the data that is bound for a lower layer, so it can be transported between systems over physical media (copper wires, fiber optics or radio waves). Essentially, DNS tunneling facilitates data exfiltration using the concept of encapsulation.

Since most organizations do not have a strategy to mitigate risks associated with DNS, this protocol is used to wrap sensitive data on a compromised system as a DNS packet destined for a DNS resolving host. That DNS resolving host can be a malicious host set up to collect the inbound data in DNS packets without being detected.

Integrity

By default, DNS requests provide no mechanism for authenticity. When a domain name is resolved into an IP address, the information being returned cannot be verified as being legitimate. Should a threat actor be able to compromise any link between a system attempting to resolve an IP address and the destination, this situation creates an opportunity for man-in-the-middle attacks.

“DNS cache poisoning” occurs when a compromised host has its local DNS cache altered to resolve names to bogus IP addresses. Falsified DNS resolution requests allow a threat actor to redirect a system’s queries to resolve to a malicious host that may even be designed to look like a legitimate website. For example, should users interact with one of these websites and enter credentials into what they think is their bank’s website, threat actors will use these stolen credentials to hijack victims’ bank accounts.

This type of attack can be accomplished without the user knowing of it, especially if the man-in-the-middle attack is in turn forwarding the information to the bank’s actual website and allowing a user to complete a task with no knowledge of the attacker.

Availability

As a critical infrastructure, attacks on primary DNS servers on the public internet mean that the loss of this service on a large enough scale would cause many integral communications and operations to cease.

For instance, if hospitals could not access websites for their providers, financial institutions could not complete transactions and law enforcement suddenly lost the ability to access offender databases, it would not take long for us to start feeling the effects as a society. Distributed Denial of Service (DDoS) attacks on DNS root name servers have happened in the past, causing major disruptions and confusion among users. There were also complications for different types of communications, including web applications to data centers.

Managing DNS Risk

To reduce the likelihood of a DDoS attack on public DNS servers, it is necessary to consider the vulnerability with the infrastructure providing the service, not the protocol itself. So when organizations hosting their own DNS servers internally for the sake of efficiency or systems with a local DNS cache become compromised, there should be a focus on preventing protocol-based attacks, not leveraging more modern hardware and techniques to handle DDoS attacks.

Get started on your cybersecurity degree at American Military University.

Fortunately, there are several options for dealing with the threats to which DNS remains vulnerable by default. When addressing the problem of data exfiltration through DNS tunneling, various network solutions such as Next Generation Firewalls exist. These firewalls support Deep Packet Inspection (DPI), where rulesets can be built to block network traffic potentially attempting to nest sensitive data in improvised DNS query responses.

If convincing your leadership that these appliances are necessary to support a good security posture proves to be difficult, conventional firewalls can still be used to mitigate the risk with DNS. Rulesets that drop malformed DNS packets, protocols destined for DNS’s network port and DNS ‘ANY’   requests can help reduce this particular threat vector.

When the question of the authenticity of DNS requests stands to threaten the integrity of responses, the Internet Engineering Task Force has provided an effective answer. Domain Name System Security Extensions (DNSSEC) leverages the benefits of digital signatures associated with the Public Key Infrastructure (PKI) to provide a degree of integrity to DNS requests.

By validating the digital signature associated with a request, it is easier to determine if the DNS query is interacting with a legitimate DNS server.

A much more sophisticated but effective implementation using Hardware Security Modules (HSMs) on servers to facilitate DNSSEC is also gaining popularity with public DNS servers. In addition, an open-source project known as OpenDNSSEC grants larger organizations with geographically disparate network segments the ability to enforce this standard.

If implementing DNSSEC seems too difficult of a first step for your organization, there is still hope. At the endpoint, developers have created in-browser technologies to contend with the difficult concepts of securing DNS. Firefox has led a major initiative to encrypt the DNS protocol over secure connections using the HTTPS protocol (responsible for the little green lock in your browser’s address bar).

Plug-ins for web browsers also offer a degree of DNS security. For instance, there is the DNSSEC plug-in that allows users to verify whether or not the resources supporting the website they are visiting is DNSSEC-compliant or not. Within your organization’s network, a server known as a DNS sinkhole can be installed. It filters outbound network packets and blocks the ones that are destined for known malicious domains, providing a moderate degree of prevention.

This security control does not require millions of dollars and years of cybersecurity engineering experience to implement, thanks to the PiHole project. It is an open-source DNS sinkhole with additional functionality such as ad-blocking and offers an excellent set of capabilities for organizations as well as individuals who wish to manage this aspect of network traffic.

Solving the Security Problems with DNS

For a protocol that doesn’t get a second thought aside from the convenience it offers when surfing the web, it is easy to see that there are just as many solutions as there are vulnerabilities with DNS. Given all these variables, the complexities of implementing an effective mitigation strategy while considering the seemingly endless list of potential threats associated with DNS can seem discouraging.

Rather than ignore the problem, finding a solution can be a much easier task by conducting threat modeling and evaluating cost-effective countermeasures for your organization.

Imagine that your organization is a remote work, cloud-based software development company that offers Software as a Service (SaaS) and does not have an on-premises infrastructure with thousands of users sending millions of DNS requests while surfing the web. Obviously, a firewall appliance and stringent enforcement of rulesets is not the right solution.

Getting away with in-browser solutions and implementing a very strong endpoint security policy means you can avoid certain risks altogether, due to their irrelevancy. But if you are a mature organization with several networks to manage and do not currently have the budget to address every security concern, some of the open-source solutions and a one-problem-at-a-time attack surface reduction plan is better than risking a massive data breach that leaves your organization paying a high price financially and in loss of customer trust.

Get started on your cybersecurity degree at American Military University.

Comments

comments

tags: