It's easy to forget about DNS protection because devices use the DNS (Domain Name System) transparently. Each time someone connected to your organization's network types a new human-readable web address into a browser, their device sends a query to a DNS resolver, which converts it to a machine-readable IP address.

Why DNS Security?

The DNS protocol wasn't originally designed with security in mind. This means that anyone able to monitor packets on a user's network can read their DNS queries in the clear, and so build up a picture of their browsing habits and other online activity.

Regular, unencrypted DNS is vulnerable to several attacks. Since virtually every connected device needs to use DNS to go online, this has serious implications for your organization.

Common DNS attacks

Regular, unencrypted DNS can be exploited by cybercriminals and other bad actors. Some common threats include:

DNS Hijacking

Cybercriminals can intercept unencrypted communications between an internet user and a legitimate DNS server, redirecting the user's queries to the attackers' own 'rogue' DNS server. When the user tries to access a legitimate website such as that of your company, the attackers can then try to return the IP address of their own site. This attack would almost certainly trigger an error in browsers due to an invalid SSL certificate, so users would receive a warning that their connection is compromised.

In August 2013, the New York Times fell victim to just such an attack by the 'Syrian Electronic Army', who targeted their domain registrar and changed the DNS records to point to a domain they controlled.

DNS Cache Poisoning

Any IT pro knows that DNS resolvers store a list or 'cache' of IP addresses for previously visited websites.

Attackers can poison DNS caches by impersonating DNS nameservers: they make a request to a DNS resolver and then forge the reply that the resolver is waiting for from the legitimate nameserver. If the forged reply arrives first and matches what the resolver expects, the resolver accepts it and stores the IP address of the attackers' website in its cache, serving it to every subsequent client until the record expires.
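The defence against the forged-reply sequence above is for the resolver to refuse any response that does not match what it actually sent. The following Go program is an added example, not code from the original article or from Control D: it models the acceptance checks a hardened resolver applies before caching (matching upstream address, randomised source port, 16-bit transaction ID, byte-exact 0x20-encoded question name, and a bailiwick check on the answer's owner name). The struct fields, the sample query and all addresses are constructed for the example; it is not a wire-format parser.

```go
package main

import (
	"fmt"
	"strings"
)

// PendingQuery records what the resolver sent upstream. A reply may only be
// cached if it matches every field; the randomised ID and source port are
// what an off-path forger has to guess, and the 0x20 case bits add more
// unpredictable state. (Simplified model, not a wire-format parser.)
type PendingQuery struct {
	ID       uint16 // 16-bit transaction ID, chosen at random per query
	SrcPort  uint16 // randomised ephemeral UDP source port
	Upstream string // nameserver address the query was sent to
	Zone     string // zone that nameserver is authoritative for (bailiwick)
	QName    string // query name with randomised letter case (0x20 encoding)
	QType    string
}

// Reply holds the fields of an incoming response that the acceptance check
// examines; the answer owner name is included for the bailiwick check.
type Reply struct {
	ID         uint16
	DstPort    uint16 // port the reply arrived on
	Source     string // address the reply came from
	QName      string // question section echoed by the responder
	QType      string
	AnswerName string // owner name of the record the responder wants cached
}

// inBailiwick reports whether name is equal to or below zone.
func inBailiwick(name, zone string) bool {
	n, z := strings.ToLower(name), strings.ToLower(zone)
	return n == z || strings.HasSuffix(n, "."+z)
}

// ShouldAccept applies the checks a hardened resolver makes before caching
// a reply. It returns the first mismatch so the event can be logged.
func ShouldAccept(p PendingQuery, r Reply) (bool, string) {
	if r.Source != p.Upstream {
		return false, "reply from unexpected address"
	}
	if r.DstPort != p.SrcPort {
		return false, "reply to wrong source port"
	}
	if r.ID != p.ID {
		return false, "transaction ID mismatch"
	}
	// The echoed name must match byte for byte: a reply that carries the
	// right ID and port but the name in plain lowercase still fails here.
	if r.QName != p.QName {
		if strings.EqualFold(r.QName, p.QName) {
			return false, "question name case does not match 0x20 encoding"
		}
		return false, "question name mismatch"
	}
	if r.QType != p.QType {
		return false, "question type mismatch"
	}
	// Records for names outside the responding server's zone are never
	// cached, whatever else the reply claims.
	if !inBailiwick(r.AnswerName, p.Zone) {
		return false, "answer record out of bailiwick"
	}
	return true, "ok"
}

func main() {
	// Constructed sample: the resolver asked the example.com nameserver
	// (documentation address 198.51.100.53) for wWw.ExAmPlE.cOm / A.
	pending := PendingQuery{ID: 0x3a7f, SrcPort: 41932, Upstream: "198.51.100.53",
		Zone: "example.com", QName: "wWw.ExAmPlE.cOm", QType: "A"}

	genuine := Reply{ID: 0x3a7f, DstPort: 41932, Source: "198.51.100.53",
		QName: "wWw.ExAmPlE.cOm", QType: "A", AnswerName: "www.example.com"}
	// Same ID and port, but the question name came back in plain lowercase.
	mismatched := Reply{ID: 0x3a7f, DstPort: 41932, Source: "198.51.100.53",
		QName: "www.example.com", QType: "A", AnswerName: "www.example.com"}

	for _, r := range []Reply{genuine, mismatched} {
		ok, why := ShouldAccept(pending, r)
		fmt.Printf("accept=%v reason=%s\n", ok, why)
	}
}
```

Each rejection reason is worth logging: a burst of "transaction ID mismatch" or "reply to wrong source port" events from one upstream address is itself a detection signal for a poisoning attempt in progress.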

In April 2018, users of 'Myetherwallet', the web's most popular online Ethereum cryptocurrency wallet, fell victim to such an attack. Hackers had targeted an ISP to reroute traffic via Amazon’s Route 53 DNS service. Instead of seeing their real web wallet, users were shown a fake 'phishing' website that harvested their login credentials.

DNS Amplification Attack

In this attack, the attacker sends a large number of DNS queries with a spoofed source IP address to open DNS resolvers. The resolvers, thinking the queries are legitimate, respond to the spoofed IP address with much larger responses, leading to a significant 'amplification' of the data sent to the target. This overwhelms the target's network.
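From the resolver operator's side, the tell-tale sign of being used as a reflector is a large volume of response bytes flowing to one peer in return for a trickle of small queries. The Go program below is an added example, not code from the original article or from Control D: it parses a constructed, hypothetical traffic-log format (resolver, peer, direction, bytes, query type), totals query and response bytes per resolver/peer pair, and flags pairs whose response-to-query ratio meets a threshold. The log format, addresses and sizes are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one parsed line of a constructed, hypothetical resolver traffic log.
// Format assumed for this example:
//   <resolver-ip> <peer-ip> <direction> <bytes> <qtype>
// where direction is "in" (query received) or "out" (response sent).
type Flow struct {
	Resolver, Peer, Dir, QType string
	Bytes                      int
}

// ParseFlow converts one log line into a Flow, rejecting malformed input.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("malformed line: %q", line)
	}
	n, err := strconv.Atoi(f[3])
	if err != nil || n < 0 {
		return Flow{}, fmt.Errorf("bad byte count in %q", line)
	}
	if f[2] != "in" && f[2] != "out" {
		return Flow{}, fmt.Errorf("bad direction in %q", line)
	}
	return Flow{Resolver: f[0], Peer: f[1], Dir: f[2], QType: f[4], Bytes: n}, nil
}

// Finding is one (resolver, peer) pair whose response bytes exceed query
// bytes by at least the configured ratio.
type Finding struct {
	Resolver, Peer            string
	QueryBytes, ResponseBytes int
	Ratio                     float64
}

// AmplificationFindings totals inbound query bytes and outbound response
// bytes per (resolver, peer) and flags pairs at or above minRatio. A high
// ratio toward one peer is the signature of a reflector flooding that peer
// (the spoofed source), regardless of who really sent the queries.
func AmplificationFindings(lines []string, minRatio float64) ([]Finding, error) {
	type tally struct{ q, r int }
	acc := map[[2]string]*tally{}
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" || strings.HasPrefix(l, "#") {
			continue // blank lines and comments
		}
		fl, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		k := [2]string{fl.Resolver, fl.Peer}
		if acc[k] == nil {
			acc[k] = &tally{}
		}
		if fl.Dir == "in" {
			acc[k].q += fl.Bytes
		} else {
			acc[k].r += fl.Bytes
		}
	}
	var out []Finding
	for k, t := range acc {
		if t.q == 0 {
			continue // responses without any observed query: no ratio to compute
		}
		ratio := float64(t.r) / float64(t.q)
		if ratio >= minRatio {
			out = append(out, Finding{k[0], k[1], t.q, t.r, ratio})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Ratio > out[j].Ratio })
	return out, nil
}

// SampleLog is constructed data: three small ANY queries apparently from
// 203.0.113.5 answered with large responses, plus ordinary lookups from an
// internal client (10.0.0.7).
var SampleLog = []string{
	"# resolver peer dir bytes qtype",
	"192.0.2.10 203.0.113.5 in 64 ANY",
	"192.0.2.10 203.0.113.5 out 3100 ANY",
	"192.0.2.10 203.0.113.5 in 64 ANY",
	"192.0.2.10 203.0.113.5 out 3100 ANY",
	"192.0.2.10 203.0.113.5 in 64 ANY",
	"192.0.2.10 203.0.113.5 out 3100 ANY",
	"192.0.2.10 10.0.0.7 in 45 A",
	"192.0.2.10 10.0.0.7 out 130 A",
	"192.0.2.10 10.0.0.7 in 48 AAAA",
	"192.0.2.10 10.0.0.7 out 150 AAAA",
}

func main() {
	findings, err := AmplificationFindings(SampleLog, 10)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s: %d B in, %d B out, ratio %.1f\n",
			f.Resolver, f.Peer, f.QueryBytes, f.ResponseBytes, f.Ratio)
	}
}
```

On the sample data only the 203.0.113.5 pair is flagged (about 48x); the internal client's ratio is around 3x, which is normal for A/AAAA lookups. The usual mitigations follow from the same numbers: disable recursion for external sources, rate-limit responses per peer, and enforce a minimal response size policy so that one small query cannot elicit kilobytes of answer.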

The 2016 Mirai botnet attack involved a massive DNS amplification attack that targeted Dyn, a major DNS service provider. The attackers used the Mirai botnet to launch a distributed attack, flooding Dyn's servers with an overwhelming number of DNS queries. As a result, several high-profile websites, including Twitter, Reddit, Netflix and GitHub, experienced extensive outages.

Employing DNS Protection

Even if your organization's chosen DNS service hasn't been targeted by hackers so far, the above examples show that if your services use regular, unencrypted DNS, you're running a huge risk.

It's only too easy for bad actors to monitor users' browsing habits and/or redirect them to dangerous domains. This is because traditional 'legacy' DNS is unencrypted and has no mechanisms to authenticate requests.

If you're serious about your organization's online security, your DNS service's protection kit should include:

DNSSEC

DNSSEC (Domain Name System Security Extensions) uses digital signatures based on public key cryptography. The DNS data is signed by the owner of the data, and a validating resolver checks the signature against the zone's published public key before trusting the answer. The advantage of using digital signatures to authenticate the data is that a valid signature is almost impossible to forge without compromising the data source itself.

Verifying DNS records prevents hackers from impersonating a name server to redirect users to their own malicious domains.
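To make the signing-and-verification idea concrete, here is an added Go example; it is not code from the original article, from Control D, or from any DNSSEC implementation. It signs a canonicalised RRset with Ed25519 (DNSSEC algorithm 15 in real deployments) over a simplified RRSIG header, then verifies it the way a validating resolver would, and shows that a poisoned record, an expired signature or the wrong key all fail. The canonical form and RRSIG fields are deliberately reduced versions of RFC 4034's; the records, addresses and timestamps are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record in simplified presentation form. All records in
// an RRset share Name, Type and class, which is why the set is signed as a unit.
type RR struct {
	Name, Type, Data string
	TTL              uint32
}

// RRSIG carries the fields a validator needs. Real RRSIG RDATA also holds the
// algorithm, label count, original TTL and key tag (omitted here).
type RRSIG struct {
	SignerName string // owner name of the DNSKEY that signed the set
	Inception  int64  // unix time the signature becomes valid
	Expiration int64  // unix time after which it must be rejected
	Signature  []byte
}

// canonicalRRset lowercases owner names and sorts records by RDATA so the
// signer and every validator serialise the set identically (a simplification
// of RFC 4034 section 6 canonical form).
func canonicalRRset(rrs []RR) []byte {
	cp := append([]RR(nil), rrs...)
	for i := range cp {
		cp[i].Name = strings.ToLower(cp[i].Name)
	}
	sort.Slice(cp, func(i, j int) bool { return cp[i].Data < cp[j].Data })
	var b strings.Builder
	for _, rr := range cp {
		fmt.Fprintf(&b, "%s %d %s %s\n", rr.Name, rr.TTL, rr.Type, rr.Data)
	}
	return []byte(b.String())
}

// signedData is what actually gets signed: the RRSIG header fields followed
// by the canonical RRset, so neither part can be altered independently.
func signedData(sig RRSIG, rrs []RR) []byte {
	hdr := fmt.Sprintf("%s %d %d\n", strings.ToLower(sig.SignerName), sig.Inception, sig.Expiration)
	return append([]byte(hdr), canonicalRRset(rrs)...)
}

// SignRRset is the zone owner's side: produce the RRSIG with the private key.
func SignRRset(priv ed25519.PrivateKey, signer string, rrs []RR, inception, expiration int64) RRSIG {
	sig := RRSIG{SignerName: signer, Inception: inception, Expiration: expiration}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// VerifyRRset is the validating resolver's side: check the validity window,
// then the signature against the published DNSKEY. Any altered, dropped or
// added record changes the signed bytes and fails verification.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig RRSIG, now int64) error {
	if now < sig.Inception || now > sig.Expiration {
		return errors.New("RRSIG outside validity window")
	}
	if !ed25519.Verify(pub, signedData(sig, rrs), sig.Signature) {
		return errors.New("RRSIG does not verify: RRset altered or wrong key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed RRset: two A records for www.example.com (documentation addresses).
	rrs := []RR{
		{"www.example.com", "A", "192.0.2.1", 300},
		{"www.example.com", "A", "192.0.2.2", 300},
	}
	sig := SignRRset(priv, "example.com", rrs, 1_700_000_000, 1_700_600_000)
	fmt.Println("genuine:", VerifyRRset(pub, rrs, sig, 1_700_100_000))

	// A poisoned copy pointing one address at a different host.
	poisoned := append([]RR(nil), rrs...)
	poisoned[1].Data = "203.0.113.66"
	fmt.Println("tampered:", VerifyRRset(pub, poisoned, sig, 1_700_100_000))
}
```

Two details carry over to real deployments: validation depends on the resolver's clock, so expired or not-yet-valid signatures are a common operational failure rather than an attack, and the public key itself must be trusted through the chain of DS records up to the root, which this simplified example does not model.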

Secure DNS Protocols

Protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries. The mechanism by which they do this varies by protocol but the end result is that it's much harder for bad actors to monitor users' browsing habits or redirect them to harmful sites.

This can make life more difficult for network administrators who wish to monitor DNS queries to make sure users aren't visiting harmful or time-wasting domains.

DNS Filtering

Whether your organization runs its own DNS resolver or uses public DNS infrastructure, you can deploy DNS filtering to automatically block harmful domains. The simplest approach is to block known malware and phishing domains using a list that is kept up to date from 'threat intelligence' feeds.

Some DNS tools can even be programmed with anomaly detection rules to filter potentially suspicious domains based on the criteria you set.
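The following Go program is an added example of the list-plus-rules filtering just described; it is not code from the original article or from Control D. It loads feed entries into a blocklist that covers each listed domain and everything beneath it, lets an operator allowlist override a feed, and runs operator-defined rules (here, an unusually long label) after the list lookup. The feed names, domains and the heuristic threshold are all invented for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the filter's decision for one query name plus the reason,
// which should be logged so blocks can be reviewed and allowlisted.
type Verdict struct {
	Blocked bool
	Reason  string
}

// Rule is an operator-defined check on the normalised query name, the
// "criteria you set" kind of filtering that runs after the list lookup.
type Rule struct {
	Name  string
	Match func(name string) bool
}

// Filter combines feed-derived blocklists (each entry blocks the domain and
// every name beneath it), an operator allowlist, and heuristic rules.
type Filter struct {
	blocked map[string]string // domain -> feed that listed it
	allow   map[string]bool
	rules   []Rule
}

func NewFilter() *Filter {
	return &Filter{blocked: map[string]string{}, allow: map[string]bool{}}
}

// normalize applies the same canonicalisation to list entries and queries
// so that trailing dots and letter case never cause a miss.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// AddFeed loads one threat-intelligence list. Lines starting with "#" are
// comments, as in most published feeds.
func (f *Filter) AddFeed(feed string, entries []string) {
	for _, e := range entries {
		if d := normalize(e); d != "" && !strings.HasPrefix(d, "#") {
			f.blocked[d] = feed
		}
	}
}

func (f *Filter) Allow(domain string) { f.allow[normalize(domain)] = true }
func (f *Filter) AddRule(r Rule)     { f.rules = append(f.rules, r) }

// Check walks from the full name toward the top-level label, so the most
// specific list entry wins: an allowlisted subdomain of a blocked domain is
// let through, and a blocked subdomain of an allowed domain is not.
func (f *Filter) Check(qname string) Verdict {
	name := normalize(qname)
	labels := strings.Split(name, ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".")
		if f.allow[candidate] {
			return Verdict{false, "allowlisted: " + candidate}
		}
		if feed, ok := f.blocked[candidate]; ok {
			return Verdict{true, "listed by " + feed + ": " + candidate}
		}
	}
	for _, r := range f.rules {
		if r.Match(name) {
			return Verdict{true, "rule: " + r.Name}
		}
	}
	return Verdict{false, "no match"}
}

// NewExampleFilter wires constructed feed data and one heuristic rule; the
// feed names and entries are invented for this example.
func NewExampleFilter() *Filter {
	f := NewFilter()
	f.AddFeed("phishing-feed", []string{"# constructed sample", "login-verify.example.", "EVIL.example"})
	f.AddFeed("newly-registered", []string{"fresh-domain.example"})
	f.Allow("docs.evil.example")
	// Labels of 30+ characters are rare in human-chosen names; treat them as
	// suspicious and subject to review. The threshold is an assumption.
	f.AddRule(Rule{Name: "long-label", Match: func(name string) bool {
		for _, l := range strings.Split(name, ".") {
			if len(l) >= 30 {
				return true
			}
		}
		return false
	}})
	return f
}

func main() {
	f := NewExampleFilter()
	for _, q := range []string{"cdn.EVIL.example.", "docs.evil.example", "www.fresh-domain.example", "mail.example.com"} {
		v := f.Check(q)
		fmt.Printf("%-26s blocked=%-5v %s\n", q, v.Blocked, v.Reason)
	}
}
```

In production the blocked response is typically a sinkhole address or NXDOMAIN, and the reason string is what makes the log useful: a rule-based block can be tuned, whereas a feed-based block points at a specific list entry that can be verified or allowlisted.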

DNS Drawbacks

Employing encrypted and authenticated DNS security is a must for any modern organization. Still, every network administrator knows that there's no silver bullet when it comes to IT security; they must remain vigilant about endpoint protection, for instance, because malware introduced onto your organization's network can interfere with DNS queries.

Reliable DNS services like Control D can help filter harmful domains, but they can't completely prevent workers from falling prey to social engineering attacks. As you've seen from the examples above, even the best DNS services can also fall prey to denial-of-service attacks.

Hackers are also continually creating new domains to avoid detection, meaning there's no single comprehensive block list for all harmful websites. Many DNS security platforms like Control D maintain a list of all newly registered domains for this reason.

The Future of DNS Security

As attackers become more sophisticated, security-minded developers are constantly creating and updating DNS protection tools. For instance, DNS-over-HTTP/3 (DoH3) combines the benefits of DoH with the performance enhancements of HTTP/3 based on the QUIC protocol, making it much faster and more resilient against tampering.

AI and machine learning already play a big role in flagging suspicious domains to automate DNS filtering. Machine learning algorithms that proactively detect suspicious domains will likely one day replace traditional 'source lists' altogether.

The Bottom Line

DNS security is a paramount consideration for IT Professionals within organizations. Subscribing to a service that employs robust DNS protection like DNSSEC, DoH, DoT, and emerging technologies such as DoH3, empowers enterprises to safeguard against a myriad of DNS-based threats, ensuring data integrity, authentication, and privacy for your colleagues and clients.

Control D offers comprehensive DNS protection, combining web filtering, threat intelligence, and anomaly detection to thwart phishing, malware, and other malicious activities. Click here to learn more.