The first and foremost thing is to know what DNS is and how it works? Let me explain to you in simple words. The Domain Name System (DNS) has a secure link with modern network connectivity. Internet users can access content online through domain names like twitter.com. As we know, Web browsers interact through IP (Internet protocol) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources. Many DNS related cyber-attacks involve malware/ransomware, which steals and transfers data out of organizations.
Unfortunately, Cyber-criminals use DNS to carry out attacks and take advantage of vulnerabilities in the domain name system. There are many ways cybercriminals exploit the unique properties of DNS and damage the organization’s reputation and profitability. DNS attacks can cripple an organization due to failures in DNS security. To prevent these attacks, you need to understand how DNS attacks work from Inside Out and Outside-in attack. Both are different from each other. The focus in this article is how to defend against inside out DNS attacks.
1. How DNS-Based Attacks Work from the Inside Out
Hackers use bugs and plant them on an organization’s servers to send information out via DNS query responses. Malware exploits are the most common example of DNS attacks. Malware exploits are inside-out threats that usually commit a crime for money by criminal groups that combine the hierarchical organization of legal business with the terrorist networks. These criminals also used exfiltrating data malware to get confidential information such as customer credit card numbers and market it to lesser criminals. Therefore, it is essential to take proactive actions to prevent attacks that harm the organization’s brand reputation and violate criminal law. Now, I am going to share how to defend against these DNS attacks.
2. How to Defend Against DNS Attacks
Indeed, DNS attacks are not suitable for an organization’s growth. Most targeted sectors of DNS-based Inside Out attacks are the financial sector, telecom sector, and media. Mostly these sectors are hit by the highest number of brand damage. Due to the theft of sensitive information, companies bear the highest costs of an attack. Therefore, it is very much essential to fight back against these attacks to protect the organization. Whenever these attacks hit companies, they turn off affected processes, disable affected applications, and shut down the business services for a while. Companies must take proactive approaches to prevent these attacks or predict the attacks before they happen. There are specific ways by which you can avoid the DNS attacks.
3. Keep DNS resolver private and protected
Organizations that are running their resolver, they should keep ‘their usage restricted to the users only on their network. By doing this, you can prevent your cache from being poisoned by hackers. By using the measurement Factory’s online tool, you can check for open resolvers on your network.
4. Build Protections into your DNS software
To prevent the DNS attacks, you must build protection into the DNS software to protect the cache poisoning. For example, add variability to outgoing requests that make it harder for a hacker to get the bogus response accepted. Popular ways of doing this are; using a random source port instead of UDP port 53. You can also randomize the query ID. It is randomizing the casing of the letters of the domain names that are sent out for resolution.
5. Implement internal threat intelligence
It is essential to implement internal threat intelligence to protect an organization’s services and confidential data. The matter of the fact is Real-time DNS analytics helps to detect and prevent advanced attacks like DGA (Domain generation algorithm) malware and zero-day malicious domains.
6. Ensure security Compliance
To combat DNS attacks, a user needs to integrate DNS with IPAM (IP address management). In network security composition processes that can help to automate the management security policies, keep the system consistent, and auditable.
7. Control DNS Unique traffic visibility in your network security ecosystem
To prevent DNS attacks, implement real-time behavioural threat detection over DNS traffic. It ensures that qualified security events sent to your Security Information and Event Management (SIEM) software. It helps SOCs accelerate remediation.
8. Manage your DNS server securely
When it comes to user’s authoritative servers, the organization needs to decide whether to host them or have them hosted at a third-party service provider. Most organizations prefer to organize and manage their DNS by themselves. Because they fully understand that their security interest is more reliable internally, rather than with a third-party provider. If your organization has skills to host and manage its DNS, then you do not need to engage the services of a third-party DNS provider. However, if your organization lacks internal DNS skills, then it is ok to seek the services of a reliable DNS provider. If this is the case, perform due diligence on the potential providers before engaging their services.
9. If you host yourDNS servers
Mitigate the risk of a DDoS attack: The DNS servers are vulnerable to a DDoS attack that affects system availability, which thwarts one of the core tenets of cybersecurity CIA (Confidentiality, Integrity, and Availability). It is essential to ensure that a DDoS mitigation service protects the server. It helps to eliminate the unwanted traffic and provide bandwidth to ensure that your DNS servers remain reachable or not.
Avoid Known vulnerabilities: whenit comes to running your name servers, then it is essential to keep them up to date to prevent known vulnerabilities. One of the most used security tools is a patch management system. You know what? A hacker can send DNS requests with spoofed sources to your servers by which your servers respond by sending unwanted traffic to the spoofed source. Therefore, it is essential to keep them updated to prevent your name servers from being used in reflection attacks on third parties.
DNS software used a technique called Response Rate limiting to avoid the extensive responses to the same spoofed source in a limited time. Using this technique makes your server secure from hackers.
Restrict Zone transfers: To prevent hacker attacks, you need to use a hidden primary master name server. Often slave name servers request a zone transfer, which is a copy of part of the master server’s DNS database. The zone contains a ton of information that could help a hacker to understand the topology of your network. Therefore, you need to ensure that your name servers are configured only to carry out zone transfers to the specific IP address of your slave DNS servers.
Keep monitoring your name servers: You should actively monitor the visibility of your server, what are the status and any changes made or not. Keep watching unusual behaviour in your DNS activity log. The quicker you detect the unfamiliar or suspicious activity, there are chances that you may be able to thwart the potential hack of your Domain for nefarious acts.
Use PKI to protect your DNS server. You need to use a digital certificate to authenticate your Secure Shell (SSH) session whenever you log on to your DNS server to make changes. This communication is encrypted as it traverses your network, and the chance of interception is zero.
Apply specialist DNS appliance: To minimize attacks on your DNS servers, shutdown unwanted services, or unneeded ports. It is essential to know that DNS appliances offer hardened operating systems with automatic updates that help the organization to protect it from denial of service attacks.
10. If Your Domain managed by a registrar?
Whenever a third party manages your Domain, then it is essential to satisfy yourself that your online operations and security measures work efficiently and appropriately.
Use Multi-factor authentication. The use of MFA further strengthens any authentication to your DNS servers, which will require a second authentication factor such as a token, mobile device for OTP, etc.
DNS change locking. Most registrars enforce specific security processes before changes are carried out on the DNS settings. Let me give an example; a registrar may call a particular number to get verification from your organization before carrying changes to its DNS servers. It provides some assurance that no changes can be made to the servers unless someone in the organization authorizes it.
IP-dependent logs in Registrars offer a range of IP addresses from which you can log in to your systems. It does not protect insider threats, but it helps to keep you safe from outside-In attacks.
Use DNSSEC technology: DNSSEC allows your record signing at the authoritative DNS server with public-key cryptography. It is designed to protect applications from using manipulating DNS data like hackers’ created DNS cache poisoning. DNSSEC signs all confidential information within its protected zone.
11. The Defense Strategies of DNS
In this segment, I am going to elaborate further on DNS defence strategies by which an organization can protect their DNS server(s) from attacks includes;
Water Torture: It is also called pseudo-random subdomain attacks. It bombards DNS resolvers with legitimate domains followed by random labels that force the DNS to work harder or challenging. Therefore, you need to block fake zone query, Limit FQDN structure, Limit FQDN query rate. Examples: attackers sending non-existent subdomain requests to an Authoritative Name Server for a specific domain. These malicious requests consume the resources on the name server and significantly slow down the responses for legitimate claims. Ultimately, users are not able to reach your web application. Therefore, Authorities need to install Advanced Firewall Manager (AFM), which helps to detect and prevent system DoS and DDoS attacks.
NXDomain: By consistent request of Non-existent domains (NXDomains), the hacker affects DNS resolvers and servers to become overwhelmed. So, you need to limit the Xdomain response to prevent the attacks.
Query Flood. A multitude of queries flood either attack on the DNS resolver or the authentication servers. DNS Query Flood is a kind of DDoS attack that belongs to application attacks. Example: the attacker sends a succession of User Datagram Protocol (UDP) packets to a DNS server to exhaust server-side assets such as memory or CPU. By this, the attack prevents the server from direct legitimate requests to zone resources. Relying on UDP protocol makes the packet’s information accessible to spoofing (IP, data size, etc.). This attack hard to distinguish from legitimate one and hard to mitigate. To prevent the attacks, you should limit queries rate by source spoof check.
Malformed DNS query: This kind of queries force the DNS to complete additional processes and use other resources. In this case, you need to focus on the L3-L7 RFC check to prevent unwanted queries.
DNS reflected Amplification: DNS is all about the queries that possibly makes it an ideal target for reflected attacks. The attacker leverages the functionality of open DNS resolvers to overwhelm a target server with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider or any other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address. Protective services like Cloudflare DDoS protection, are mostly preventative infrastructure solutions. Therefore, you need to block the weaponized DNS resolver list, Drop UDP fragments, and restrict UDP pack size over 53.
Spoofing: It is a hacker attack in which a program successfully identifies as another server or Domain by falsifying data, to gain an illegitimate advantage. An attacker spoofs the IP address DNS entries for the target website and replaces them with the unauthorized IP address under their control. They create files on the server with names matching those on the target server. So, to prevent this attack, users need to focus on UDP and force to TCP challenge.
DNS-Based Attacks from the Inside Out are a common issue that organizations face; therefore, it is essential to know How to DEFEND Against Them. DNS security is critical because failure in DNS can harm the organization. The attackers actively find ways to exploit the DNS protocol and the company’s DNS infrastructure for multiple benefits. These attacks are prevalent, but they are not getting the attention they deserve. This article offers practical ways by which an organization can prevent Inside-Out DNS attacks to limit the disruption to business services and curtail financial losses.