Closing Gaps in DNS

Two of the most popular gateways in corporate networks are HTTP and DNS. For a long time, IT organizations have been protecting the IT infrastructure by providing firewalls, next-generation firewalls, web application firewalls, IDS/IPS solutions and application delivery controllers. Thus, while HTTP is a secure doorstep guarded with many locks and guarded around the clock, DNS is the neglected back door. Thieves don’t care. They want the easiest way in, and in most companies, DNS provides that because it is unfortunately ignored as a threat vector.

Even so, the topic of DNS security has recently become more prominent, especially in the wake of a large-scale Distributed Denial of Service (DDoS) attacks on the DNS provider Dyn, now an Oracle company. The October 2016 attack claimed several million endpoints. It also temporarily took down a variety of websites and cloud services such as Twitter that rely on Dyn for the resolution of the IP addresses. And more recently with the Ransomware attacks like Wannacry and Jaff attacks that both utilized DNS as well to complete the attack chain.

These incidents showed the vulnerability of the "Internet Address Book" for DDoS and potential Ransomware attacks. For this reason, companies are advised to operate their own local DNS server, secondary DNS servers at their service provider as well as an optional DNS hosting provider such as Dyn.

DNS as an attack vector
The domain name system is virtually an overlay network on the public Internet and private corporate networks. The problem is even if one is aware of the vulnerability of the DNS, one cannot simply close, for example, port 53 through a firewall rule just as much as one could pinpoint the HTTP port 80.

The possibilities of DNS abuse are much more diverse than the approach of paralyzing the DNS server by flooding it with DDoS requests, as was the case for Dyn. More sophisticated attack variants include Botnet-based brute-force attacks through Distributed Reflection DoS in combination with DNS amplification and the malicious redirection of DNS queries using DNS hijacking or DNS cache poisoning. The 2016 Cisco Annual Security report found that 91.3% of malware targets DNS in attacks.

Using DNS queries for attacks
There are two tricky and rarely noticed methods of using DNS for attacks on corporate networks: DNS signaling and DNS tunneling. DNS signaling attacks
Suppose a CFO goes to an Internet cafe, logs on to the Internet and inadvertently picks up some malware, compromising his corporate PC. In that case, the malware can use DNS signaling to communicate with its Command and Control (C&C) server and potentially start exfilitrating critical data or simply encrypting it to create a Ransomware situation on the CFO’s data. This is something Wannacry did for the National Health System in the UK.

An attacker must set up only one name server, which is accessible through the Internet. A basic installation of the open source DNS server BIND is running on the server, and the logging of requests is activated. Malware, which has reached its target network, for example, sends a DNS request to the name server of the C&C domain with the content: Company-infiltration.c-c-server.com.

A professional malware programmer would obviously obfuscate this message so that instead of the phrase "success-compliant," only a long, cryptic string would be read. The domain of the attacker -- in the example "c-c-server.com" -- can be specified hard-coded in the malware. But there is also malicious software, which for this purpose brings along a Domain Generation Algorithm (DGA).

The DNS resolver of the malware-infected company redirects the message to the authoritative name server of the attacker. Finally, it seems to be just a request for a somewhat cumbersome subdomain in the domain c-c-server.com. On the attacker's side, the message is then decrypted.

Now, the attacker has established a cloaked communication channel that appears as harmless DNS queries and remains under the radar of many firewalls and many next-generation firewalls (NGFWs) as well as intrusion detection and intrusion prevention solutions (IDS/IPS). What is the harm here? Data exfiltration at the least. Now, the CFO’s computer is sharing data without the CFO knowing it.

Many security solutions don’t provide a view of the DNS attack vector. In addition, if the malware obtains admin rights on the compromised computer, it can change the recursive DNS server of the terminal and replace it with an alternative, for example, through Google DNS or OpenDNS by establishing a group policy (note, IT can prevent this but often don’t). In this case, the affected company's DNS server does not even know about the suspicious DNS data exchange.

DNS-tunnel attack vector
DNS signaling mechanisms allows attackers to use DNS queries to transport other protocols such as HTTP, FTP or SMTP encrypted through DNS sessions. The attackers esentially build a VPN, except that they use DNS as a transfer protocol to conceal the VPN structure.

Once attackers have established a DNS-based VPN, they can open up all the possibilities of a private tunnel. They can use FTP to inject the code for remote access trojans (RATs) into the corporate network or use the tunnel for data exfiltration from the company. Usually, that can all be done without having to worry about firewall rules, IDS/IPS signatures or behavior-based network monitoring.

This creative use of DNS is particularly suitable for advanced persistent threats (APTs) on companies. In an APT, the cybercriminals do not simply want to compromise any network but have a concrete goal in mind, for example, the design plans or the product roadmap of a manufacturing company. Once the desired data is found, the attacker can exfiltrate the data in a quiet manner, called "low and slow" or "slow drip." This does not even result in load peaks in the network traffic, which could be noticed by a network monitoring solution independent of the ports.

Measures against DNS abuse
A new generation of solutions for the defense of DNS-based attacks has emerged called "Advanced DNS Protection." These solutions combine DNS firewalling and DNS monitoring with sophisticated analytics mechanisms such as DNS Deep Packet Inspection and automated measures to prevent DNS abuse as quickly and effectively as possible.

As soon as a certain scoring value of suspicious behavior is reached, the solutions can not only trigger an alarm but actively intervene, for example, answer a suspicious DNS query with "NXDOMAIN" or immediately stop a detected ongoing data exfiltration. The solutions complement the existing defense landscape by adding an important building block. For this reason, they have to work with APIs, next-generation firewalls as well as with SIEM systems or incident response tools.

No more blinders
IT organizations have so far put too much emphasis on the prominent attack vector HTTP in the protection of their networks. The front door has been protected, reinforced and guarded with all available means, but the back door DNS is not even locked. It often serves as a comfortable "staff access" that unwanted visitors are also using. In particular, DNS tunneling has established itself as a long-neglected and, for this reason, extremely effective way for the introduction of malware and the exfiltration of company-internal data. It is high time to close this backdoor. Attackers are surprisingly flexible in the choice of the access route and far too successful. That means organizations have to be as intelligent and proactive with DNS as they are in protecting the front entrance.

Related posts:

— As EVP and CMO at Infoblox, Ashish Gupta drives strategy for global corporate and product marketing at Infoblox. Previously, he held leadership positions at Action, Vidyo, Microsoft, Alcatel/Genesys Telecommunications, Telera, Deloitte Consulting and Hewlett-Packard.