DNS as a Primary Attack Vector and Securing Against It
September 01, 2016
by Picture Box

Network administrators should think of the domain name system as a network dial tone. DNS works behind the scenes providing the paths through which information gets in and gets out. In other words, DNS is a gateway, and DNS security is such a considerable and growing concern because that access point can be a gulf in what is otherwise a highly secure system.

The Challenges of DNS Security

DNS is inherently open and therefore difficult to safeguard. When it was created nearly three decades ago, it wasn’t even recognized as a potential point of attack. Even today, many organizations are not aware of dns security vulnerabilities. In fact, it wasn’t until 2013 that the National Institute of Standards and Technology warned that DNS would become the next primary attack vector as security became more sophisticated and attackers sought new ways to exploit systems.

Defending Against DNS Exploits

The predictions made by NIST were spot on. Over the last several years, DNS has become the primary protocol through which amplification attacks are achieved. DNS security vulnerabilities aren’t limited to denial-of-service attacks either, and DNS usage for data exfiltration is trending. Exfiltration via DNS has been used successfully against organizations to steal emails, intellectual property and even classified information. So what are your options to defend against such exploits? NIST indicates three things you should do before an attack happens and three to do once one is detected.

Before an attack happens you should:

Actively monitor and protect DNS packets. Security protocols don’t tend to account for DNS security. Build it into the DNS server itself. It can be bolted on as a temporary but not a long-term solution.

Know what devices are connected to the network and who is uses them. This information is the best way to achieve real-time identification of threats. Behavioral analysis helps with zero-day exploits.

Defend against both external and internal exploits. The most sophisticated and comprehensive defenses against external exploits can be quickly undermined by an internal one, such as malware.

Once you’ve detected an attack, you should:

Provide an immediate response. If you’ve achieved the necessary visibility and protections, then you should be able to quickly identify malicious communications and respond accordingly.

Keep the network active. If it’s necessary to disable services and applications, then the DNS security in place isn’t good enough. Legitimate communication should continue to flow through the system.

Analyze the attack during and after. Determine what worked well and what did not. Identify what DNS solutions were not working with the network’s overall approach to security and replace them.