Secure DNS infrastructure is an essential component of any cybersecurity program. Unfortunately, DNS exploits get far less media attention than other attacks, so many organizations don’t fully appreciate the threat they pose.
Research by Cisco indicates more than 91% of malware attacks use DNS exploits in one way or another. Despite this, many organizations don’t monitor DNS traffic, leaving them vulnerable to malware, ransomware, and data exfiltration attacks. To explain why those exploits pose such a huge security risk and what your organization can do to prevent them, we need to start at the beginning.
DNS stands for Domain Name System. It exists for two reasons.
First, humans find IP addresses hard to remember but can easily recall domain names and asset names. For example, www.link11.com or Server1 is much easier to remember than an IP address like 192.168.1.1.
Second, human-readable domain and asset names are meaningless to computers. Computers need an exact IP address before they can retrieve a user’s desired content or make a connection.
DNS solves this problem by mapping domain and asset names to IP addresses. This enables a user or administrator to search using a name that’s easy to remember but still get the results they want. To understand how this works, we need to look at two different types of requests: internal and external.
An internal request is a request to connect to something within the same network as the user. The process is simple:
An external request is a request to connect to something over the Internet. This process is slightly more complicated:
While this process may still appear simple, there’s a bit more to it. Stay with us because all of this will be important later when we discuss security issues (and how to prevent them).
As you’ve probably gathered, your organization’s DNS server only has records for your own network, plus cached records for a few external websites that other users have recently looked up (this is DNS caching).
Often, the first external server contacted won’t have the records needed to give the querying user (or, more accurately, their device) the IP address they need to reach their desired content. To solve this problem, internal servers often communicate with multiple external servers to get the IP address.
There are two ways this happens:
Note that the user’s device always communicates with its internal server, which then communicates with external servers in an iterative or recursive manner.
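To make the two modes concrete, here is an added simulation (not code from the original article or from Link11) of the root, TLD and authoritative chain described above, using a constructed in-memory set of servers; the server names and the 203.0.113.10 address are placeholders:

```python
# Constructed in-memory name servers (example data, not real infrastructure).
# A server either answers a name outright or refers the querier to the server
# responsible for a longer suffix of that name, i.e. the root -> TLD ->
# authoritative chain the article describes. Names and the address are made up.
SERVERS = {
    "root":        {"refer": {"com.": "tld-com"}, "answer": {}},
    "tld-com":     {"refer": {"link11.com.": "auth-link11"}, "answer": {}},
    "auth-link11": {"refer": {}, "answer": {"www.link11.com.": "203.0.113.10"}},
}

def ask(server, qname):
    """One round trip to one server: ('answer', ip), ('referral', server) or ('nxdomain', None)."""
    zone = SERVERS[server]
    if qname in zone["answer"]:
        return "answer", zone["answer"][qname]
    for suffix, next_server in sorted(zone["refer"].items(), key=lambda kv: -len(kv[0])):
        if qname == suffix or qname.endswith("." + suffix):
            return "referral", next_server
    return "nxdomain", None

def resolve_iterative(qname, cache):
    """Iterative mode: the querying server follows each referral itself.
    Returns (ip or None, list of servers contacted); a cache hit contacts none."""
    if qname in cache:
        return cache[qname], ["cache"]
    server, path = "root", []
    while True:
        path.append(server)
        kind, data = ask(server, qname)
        if kind == "referral":
            server = data
            continue
        if kind == "answer":
            cache[qname] = data          # this is the "DNS caching" the article mentions
        return data, path

def resolve_recursive(qname, internal_cache, upstream_cache):
    """Recursive mode: the internal server hands the whole job to one upstream
    recursive resolver (which walks the chain itself) and waits for a final answer."""
    if qname in internal_cache:
        return internal_cache[qname], ["cache"]
    ip, upstream_path = resolve_iterative(qname, upstream_cache)
    if ip is not None:
        internal_cache[qname] = ip
    return ip, ["upstream"] + upstream_path
```

The returned path shows who did the work: in iterative mode the internal server contacts every level itself, in recursive mode it contacts only the upstream resolver, and a second lookup of the same name is answered from whichever cache already holds it.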
DNS is just one of the services needed within a standard TCP/IP network. All it does is map domain and asset names to IP addresses. In addition to a DNS server, organizations also need a DHCP (Dynamic Host Configuration Protocol) server to dynamically assign IP addresses to new assets as they join the network.
When DNS and DHCP are combined, you get Dynamic DNS, an essential component of any modern business network. With Dynamic DNS, whenever the DHCP server assigns an IP address to a new asset (e.g., a server or endpoint), it also registers that address in the DNS server’s host table so the asset’s name maps to it.
Without this process, new assets would still receive an IP address from DHCP on connection, but the DNS server would have no record of them. As a result, an administrator trying to connect to the asset using its name (e.g., Server1) wouldn’t be able to, because the server wouldn’t know where to route the request.
And it’s at this point we start to encounter security issues in the DNS protocol.
DNS may be simple conceptually, but it faces four major security issues:
Internal servers will return information to any device that asks for it. Remember how Dynamic DNS ensures your server host tables include IP information for every asset connected to your network? This makes them a good source of information for attackers when carrying out internal reconnaissance.
If an attacker can access your network’s internal server, they can ‘poison’ the host tables with malicious entries. Now, when a user tries to connect to a website or asset, their connection can be sent somewhere else entirely, such as a malicious online download or inappropriate website.
DNS tunneling is a common technique used to steal sensitive information from inside a compromised network. The process looks like this:
That may seem like a lot of effort, but in reality, attackers can complete the process quickly using commodity malware and a cheap web host that doesn’t ask too many questions. Even worse, this technique can be (and is) used to steal vast amounts of sensitive information, and the victim organization often never finds out.
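The defender’s side of the tunnelling problem is spotting it in resolver logs. Here is an added detection example (not code from the original article or from Link11) that profiles each registered domain by subdomain length, character entropy, uniqueness and use of data-bearing record types; the log lines, the exfil-example.net domain and the thresholds are constructed for illustration:

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<time> <client> <qtype> <qname>".
# The exfil-example.net queries carry encoded data in long, random-looking labels,
# each one unique so the internal server's cache never short-circuits the query.
LOG_LINES = """\
10:00:01 10.0.0.5 A www.link11.com
10:00:02 10.0.0.5 A mail.link11.com
10:00:03 10.0.0.7 A www.link11.com
10:00:04 10.0.0.9 TXT 6a7b2c9d1e0f4a3b5c6d7e8f9a0b1c2d.3e4f5a6b7c8d9e0f.exfil-example.net
10:00:05 10.0.0.9 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.2b1a0f9e8d7c6b5a.exfil-example.net
10:00:06 10.0.0.9 NULL 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.7e8f9a0b1c2d3e4f.exfil-example.net
""".splitlines()

def shannon_entropy(s):
    """Bits per character: hostnames made of words score roughly 2-3, hex/base32 payloads about 4."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Crude registrable domain: the last two labels (enough for this constructed sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tunnel_suspects(lines, min_queries=3, min_avg_len=40, min_entropy=3.5, min_unique=0.9):
    """Score each registered domain; return those whose subdomains look like a data channel."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "length": 0, "entropy": 0.0, "bulky": 0})
    for line in lines:
        _, _, qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["length"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["bulky"] += qtype in ("TXT", "NULL", "MX", "CNAME")   # record types with room for data
    suspects = {}
    for dom, s in stats.items():
        if s["n"] < min_queries:
            continue
        avg_len, avg_ent = s["length"] / s["n"], s["entropy"] / s["n"]
        unique = len(s["subs"]) / s["n"]
        if avg_len >= min_avg_len and avg_ent >= min_entropy and unique >= min_unique:
            suspects[dom] = {"queries": s["n"], "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "bulky_share": s["bulky"] / s["n"]}
    return suspects
```

On the sample, link11.com is ignored (short, repeated names) while exfil-example.net is flagged on all four signals; in production the thresholds need tuning against your own baseline, since CDNs and some security products also generate long machine-made labels.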
As we’ve already noted, DNS servers don’t verify incoming requests. This leaves them open to a common form of DDoS attack known as a DNS amplification attack. The attacker uses a botnet to send high volumes of requests with a ‘spoofed’ source IP address, so the server’s responses go to the target victim instead of back to the attacker. The objective is the same as any other DDoS attack: to overwhelm the target server so it can’t function properly.
To increase the attack’s magnitude, attackers use a technique called amplification, where each small request asks for a lengthy response. The victim then receives a flood of long DNS responses, which is far more effective at disrupting or disabling their server than the requests alone would be.
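Two things a resolver operator controls here are how much a single query can be amplified and how many identical answers one client address can receive per second. The following added example (not code from the original article or from Link11) models the second control, a simplified form of the response rate limiting (RRL) technique used by authoritative servers such as BIND; the packet sizes, the spoofed address 198.51.100.7 and the query stream are constructed:

```python
from collections import defaultdict

QUERY_BYTES = 64   # assumed size of one UDP "ANY" query including headers (constructed)

def amplification_factor(response_bytes, query_bytes=QUERY_BYTES):
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return response_bytes / query_bytes

class ResponseRateLimiter:
    """Simplified response rate limiting: identical answers to one client IP are
    capped per second; excess queries get a small truncated reply or nothing."""
    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip              # every slip-th excess query gets TC=1 instead of silence
        self.counts = defaultdict(int)

    def decide(self, second, client_ip, qname, qtype):
        key = (second, client_ip, qname.lower(), qtype)
        self.counts[key] += 1
        n = self.counts[key]
        if n <= self.limit:
            return "respond"
        if self.slip and (n - self.limit) % self.slip == 0:
            # TC=1 makes a genuine client retry over TCP, which a spoofed source cannot do
            return "truncate"
        return "drop"

def simulate(limiter, packets):
    """packets: (second, client_ip, qname, qtype, full_response_bytes).
    Returns bytes actually emitted per client IP and a tally of decisions."""
    sent, tally = defaultdict(int), defaultdict(int)
    for second, ip, qname, qtype, size in packets:
        decision = limiter.decide(second, ip, qname, qtype)
        tally[decision] += 1
        if decision == "respond":
            sent[ip] += size
        elif decision == "truncate":
            sent[ip] += QUERY_BYTES   # a truncated reply is roughly query-sized
    return dict(sent), dict(tally)

# Constructed traffic: 12 spoofed ANY queries in one second whose "source" is the
# victim 198.51.100.7, plus one ordinary lookup from an internal client.
FLOOD = [(0, "198.51.100.7", "example.org", "ANY", 3000)] * 12 \
      + [(0, "10.0.0.5", "www.link11.com", "A", 90)]
```

With these constructed sizes the unlimited server would push 36,000 bytes at the victim for 768 bytes of attacker traffic; with the limiter it emits 15,192 bytes, and the legitimate client is unaffected because rate limiting is keyed per client and per answer.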
Since DNS exploits are so common, DNS-layer security can block a very high proportion of malware and ransomware threats. Powerful security solutions check requests in real time to determine whether they are legitimate. These solutions check every request against data from billions of previous requests, WHOIS records, and Border Gateway Protocol (BGP) routing information to identify suspicious domains with a high degree of accuracy. Best of all, if a domain is associated with other domains, services, or servers known to be related to malicious or inappropriate content, the request can be blocked before any harm is done.
Link11’s protection solution resolves DNS requests using a global network of servers to maximize speed, availability, and reliability for your organization and its customers—with no additional hardware or software required. Your internal DNS server communicates directly with our recursive DNS server, which does the hard work of finding the correct IP address for each domain requested.
Critically, our solution includes the threat intelligence, hijacking prevention, and other security capabilities needed to identify and prevent all of the DNS threats explained above. Combined, these capabilities make the technology faster, more reliable, and much more secure than other options.
This process enables a host of security benefits, including:
Find out more about Link11’s protection solution.