Stop neglecting DNS security – or pay the price

Why the internet’s phonebook is a hotline for criminals

The internet’s Domain Name System (DNS) maps website names to the IP addresses of the servers that host them, hence the nickname “the internet’s phonebook”. DNS lets devices access websites or emails, but its ubiquity offers opportunities for attackers.

How bad does it get? According to a 2022 survey, a worrying 88% of organisations suffered DNS attacks over the last year, with 70% suffering downtime, with an average cost of just under $1 million. As more resources move to the cloud to facilitate remote working, opportunities for attackers have increased, with criminals using DNS tunnels to steal data and redirect traffic to spoofed websites.

DNS security is an increasingly hot topic

Thankfully, DNS security is starting to get the attention it deserves. In 2021, Australia started offering the Australian Protective Domain Name Service (AUPDNS) to government agencies. The service checks network traffic against a list of high-risk websites and servers. In its last report, the ACSC claimed the service had processed 5.5 billion queries and blocked 400,000 malicious requests. New Zealand also offers enhanced DNS security across government domains.

Your organisation may not need DNS security at this scale, but there are many practical responses to DNS risks. Here, we look at the common threats, and how you can use DNS to strike back.

DNS attacks come in many guises

DNS attacks can bypass traditional defences, allowing criminals to steal data or take over DNS servers right under the noses of unwary victims. Once one server has been compromised, the attack can quickly spread to others. Different types of DNS attacks can include:

1. DNS spoofing (or cache poisoning), in which attackers inject corrupt data into a DNS resolver’s cache to redirect users to spoofed sites. Here, data or credentials can be stolen in phishing attacks, or malware introduced.
2. DNS amplification, a variant on distributed denial of service (DDoS) attacks. It typically sees hackers send DNS requests with a spoofed source address, so that the target’s DNS record response goes back to them. By leveraging a botnet, attackers can overwhelm the target with traffic.
3. DNS tunnelling, where malicious data is encoded into DNS queries and responses. It can take over servers or steal data.
4. Fast flux, in which cybercriminals cycle through the IP addresses of multiple compromised hosts at speed, making detection difficult and giving attackers more time to exploit malicious domains.
5. DNS hijacking, which uses malware on a device or router to manipulate DNS queries and redirect users to malicious sites.

Access controls and zero trust can safeguard your data

Limiting access to your network is the first step in combating DNS attacks. You should use multi-factor authentication and biometrics, and consider passwordless security, across the board. Security policies should pay special attention to accounts that can make changes to DNS records, from in-house administrators to external partners. Another useful tool is DMARC, which can stop brand spoofing through e-mail.

Measures that limit attackers’ ability to move across your network can reduce the impact of DNS attacks. Network segmentation (which limits access to portions of your network) and wider zero-trust frameworks (which interrogate every request on your network and give each user only the minimum privileges they need to perform a task) will make it harder for cybercriminals to spread into your territory.

Protective DNS offers better cybersecurity

But perhaps the biggest weapon against DNS attacks – and a key tool in overall cybersecurity – is protective DNS. Here, recursive DNS lookups check if DNS records match their intended destination, with the DNS server either resolving the domain name itself (via information in its cache) or requesting the IP address from another trusted DNS server. Threat intelligence can help shape your list of malicious addresses.

This can protect against DNS hijacking, spoofing or amplification, but by blocking connections to dangerous sites, it can also manage wider threats that traditional network-based controls might miss. Organisations can implement it in-house, perhaps by combining a network firewall with DNS verifying and blocking, or enlisting third-party support.

To gain deeper insights into the DNS record, some organisations are employing passive DNS, which logs anonymous data on how domain names have changed in the past, and which IP addresses they have been associated with. This can help you build a picture of global and historical threats that may be coming your way.

There are solutions to DNS attacks

DNS attacks can fly under the radar, but that doesn’t make them any less deadly. Indeed, in recent years the internet’s phonebook has become increasingly busy with crank callers. Access controls, DMARC and zero-trust policies can help safeguard your data in the face of attacks, while forward-thinking CISOs can use DNS to fight back via protective and passive DNS. By researching, reviewing and blocking risky addresses, these techniques can help you nip cyberattacks in the bud.