Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/14/2017
02:00 PM
Merike Ko
Merike Ko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About DNS

From the boardroom to IT and the end user, the Domain Name System is often misunderstood, which can leave organizations vulnerable to attacks.

The Domain Name System (DNS) is the common denominator for all communication on the Internet. It touches everyone. Every online transaction – good or bad – begins with a DNS lookup. Despite its critical role in our online lives, DNS is often misunderstood and, as a result, leaves organizations more vulnerable to attacks. I’d like to address five myths about DNS.

Myth 1: DNS Is not a Boardroom Issue
If you were to walk into your average corporate executive suite and say “DNS,” most likely the executives would wonder why this technical detail is being mentioned to them. Most C-level and boardroom execs view DNS purely as an IT issue. Yet that could not be farther from the truth.

Domain names and related subdomains are critical company assets - your brand ambassadors - that need to be carefully managed and protected to ensure a healthy, profitable business. If these assets are used in phishing scams or other cyberattacks, a company’s revenue and reputation can be severely damaged.

Today, too often, it’s the organization’s legal team that truly understands the value of DNS to the corporate brand. In many companies, the IT department initially registers the domain names but leaves the oversight of the domain name to the legal department. A better approach is for legal and technology teams to collaborate to insure that all the domains that are properly registered have policies, procedures, and tools in place to protect them.

Myth 2: DNS Drives on Auto-Pilot
A DNS architecture is not static – it is constantly evolving and requires care. Many corporate infrastructures suffer from considering that DNS is something you configure and leave alone since "it just works." In reality, DNS cannot ride on auto-pilot; DNS hygiene is essential as an ongoing task. I suspect there are many environments that never monitor their DNS traffic to see where the domain name to IP address resolution is being performed. Is the server that is giving the authoritative answers truly authoritative, or is it a malicious server that is impersonating an authoritative role? 

DNS architectures need to be engineered with careful thought as to how long entries should be cached, and where cache miss traffic resolution should be performed. For example, users can change the DNS resolvers they go to and, thereby, significantly impact corporate business risk. Is this allowed in your environment? Robust DNS architectures need to be created that also follow and enforce DNS architecture best practices.

Myth 3: DNS Is not a Security Issue
In 2016, DNS celebrated its 33rd birthday. In its early days, DNS was not a key security issue. In the first edition of my book, “Designing Network Security,” published in 1999, I only made passing mention of securing critical infrastructure services such as DNS. It wasn’t until 2005 that I started incorporating in-depth DNS security into my security workshops and assessments. Over the last five to 10 years, cybercriminals have increasingly utilized DNS for various malware infrastructures. Despite the rise in DNS-related cyberattacks, such as DNS Changer, companies still overlook DNS during security assessments. Today, DNS security is essential for protecting against cyberattacks. Historical and real-time visibility of the DNS can provide critical context for suspicious indicators of compromise (IoCs) for SOCs and other security teams.   

Myth 4: DNS-Related Risks Are Small
Today DNS is integral to online criminal infrastructures. Why? Because purchasing domain names is cheap and easy. In fact, upwards of tens of thousands of domains are generated per day by a single malware family, according to Trend Micro. The number of DNS-related cyberattacks is escalating across all types of industries, from healthcare to retail, as well as across all government agencies. For example, in 2016, enforcement agencies took down 4,500 domain names selling counterfeit luxury goods, sportswear, spare parts, electronics, pharmaceuticals, toiletries and other fake products. According to the APWG Phishing Trends Report Q4 2016, 2016 was the worst year for phishing ever. The total number of phishing attacks observed by the APWG in 2016 was a record 1,220,523, a 65% increase over 2015.  DNS-related risks are great and can have a significant impact on a company’s financial and reputation bottom line.

Myth 5: DNS=Translating Names to Numbers
DNS is not just about mapping domain names to IP addresses. It plays a larger role in Internet communications. DNS also provides critical information, including:

  • MX records -- specifies the domain name of a mail recipient's email address;
  • SRV records -- defines both the port number and the domain name used by a service;
  • DNSSEC (Domain Name System Security Extension) records -- cryptographically signs each DNS CNAME records -- maps a name to another name.

From the boardroom to legal and IT departments and the end user, DNS is critical to the success of every corporation. Understanding the myths about DNS and aligning corporate strategies for assessing and addressing them is an important step to improving your organization’s security posture.

Related Content:

 

Merike is the CTO of Farsight Security, responsible for developing the technical strategy and executing its vision. Prior to joining Farsight Security, Merike held positions as CISO for Internet Identity (IID), and founder of Doubleshot Security, which provided strategic and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
smartmadre
50%
50%
smartmadre,
User Rank: Apprentice
3/14/2017 | 2:22:05 PM
Myth 6 You can't use DNS to motivate your child to learn math
Myth 6 You can't use DNS to get your child to learn math

https://www.reddit.com/r/shamelessplug/comments/5yxbry/we_automated_one_of_the_most_frustrating_parts_of/?st=j09qgdna&sh=0fc143b3

 

 
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8369
PUBLISHED: 2019-10-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2019-18224
PUBLISHED: 2019-10-21
idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
CVE-2019-16985
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
CVE-2019-16986
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
CVE-2019-16987
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.