News & Commentary
3/14/2017
02:00 PM
Merike Ko
Merike Ko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About DNS

From the boardroom to IT and the end user, the Domain Name System is often misunderstood, which can leave organizations vulnerable to attacks.

The Domain Name System (DNS) is the common denominator for all communication on the Internet. It touches everyone. Every online transaction – good or bad – begins with a DNS lookup. Despite its critical role in our online lives, DNS is often misunderstood and, as a result, leaves organizations more vulnerable to attacks. I’d like to address five myths about DNS.

Myth 1: DNS Is not a Boardroom Issue
If you were to walk into your average corporate executive suite and say “DNS,” most likely the executives would wonder why this technical detail is being mentioned to them. Most C-level and boardroom execs view DNS purely as an IT issue. Yet that could not be farther from the truth.

Domain names and related subdomains are critical company assets - your brand ambassadors - that need to be carefully managed and protected to ensure a healthy, profitable business. If these assets are used in phishing scams or other cyberattacks, a company’s revenue and reputation can be severely damaged.

Today, too often, it’s the organization’s legal team that truly understands the value of DNS to the corporate brand. In many companies, the IT department initially registers the domain names but leaves the oversight of the domain name to the legal department. A better approach is for legal and technology teams to collaborate to insure that all the domains that are properly registered have policies, procedures, and tools in place to protect them.

Myth 2: DNS Drives on Auto-Pilot
A DNS architecture is not static – it is constantly evolving and requires care. Many corporate infrastructures suffer from considering that DNS is something you configure and leave alone since "it just works." In reality, DNS cannot ride on auto-pilot; DNS hygiene is essential as an ongoing task. I suspect there are many environments that never monitor their DNS traffic to see where the domain name to IP address resolution is being performed. Is the server that is giving the authoritative answers truly authoritative, or is it a malicious server that is impersonating an authoritative role? 

DNS architectures need to be engineered with careful thought as to how long entries should be cached, and where cache miss traffic resolution should be performed. For example, users can change the DNS resolvers they go to and, thereby, significantly impact corporate business risk. Is this allowed in your environment? Robust DNS architectures need to be created that also follow and enforce DNS architecture best practices.

Myth 3: DNS Is not a Security Issue
In 2016, DNS celebrated its 33rd birthday. In its early days, DNS was not a key security issue. In the first edition of my book, “Designing Network Security,” published in 1999, I only made passing mention of securing critical infrastructure services such as DNS. It wasn’t until 2005 that I started incorporating in-depth DNS security into my security workshops and assessments. Over the last five to 10 years, cybercriminals have increasingly utilized DNS for various malware infrastructures. Despite the rise in DNS-related cyberattacks, such as DNS Changer, companies still overlook DNS during security assessments. Today, DNS security is essential for protecting against cyberattacks. Historical and real-time visibility of the DNS can provide critical context for suspicious indicators of compromise (IoCs) for SOCs and other security teams.   

Myth 4: DNS-Related Risks Are Small
Today DNS is integral to online criminal infrastructures. Why? Because purchasing domain names is cheap and easy. In fact, upwards of tens of thousands of domains are generated per day by a single malware family, according to Trend Micro. The number of DNS-related cyberattacks is escalating across all types of industries, from healthcare to retail, as well as across all government agencies. For example, in 2016, enforcement agencies took down 4,500 domain names selling counterfeit luxury goods, sportswear, spare parts, electronics, pharmaceuticals, toiletries and other fake products. According to the APWG Phishing Trends Report Q4 2016, 2016 was the worst year for phishing ever. The total number of phishing attacks observed by the APWG in 2016 was a record 1,220,523, a 65% increase over 2015.  DNS-related risks are great and can have a significant impact on a company’s financial and reputation bottom line.

Myth 5: DNS=Translating Names to Numbers
DNS is not just about mapping domain names to IP addresses. It plays a larger role in Internet communications. DNS also provides critical information, including:

  • MX records -- specifies the domain name of a mail recipient's email address;
  • SRV records -- defines both the port number and the domain name used by a service;
  • DNSSEC (Domain Name System Security Extension) records -- cryptographically signs each DNS CNAME records -- maps a name to another name.

From the boardroom to legal and IT departments and the end user, DNS is critical to the success of every corporation. Understanding the myths about DNS and aligning corporate strategies for assessing and addressing them is an important step to improving your organization’s security posture.

Related Content:

 

Merike is the CTO of Farsight Security, responsible for developing the technical strategy and executing its vision. Prior to joining Farsight Security, Merike held positions as CISO for Internet Identity (IID), and founder of Doubleshot Security, which provided strategic and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
smartmadre
50%
50%
smartmadre,
User Rank: Apprentice
3/14/2017 | 2:22:05 PM
Myth 6 You can't use DNS to motivate your child to learn math
Myth 6 You can't use DNS to get your child to learn math

https://www.reddit.com/r/shamelessplug/comments/5yxbry/we_automated_one_of_the_most_frustrating_parts_of/?st=j09qgdna&sh=0fc143b3

 

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.