Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:47 AM
Dark Reading
Dark Reading
Quick Hits

Protecting Your Enterprise From DNS Threats

Attacks via the Internet's Domain Name System may seem out of your reach, but there are ways to prevent them

[The following is excerpted from "Protecting Your Enterprise From DNS Threats," a new report posted this week on Dark Reading's Security Services Tech Center.]

The Internet's Domain Name System (DNS) plays a critical role in Internet communications: It translates human-readable computer hostnames into destinations defined by IP addresses -- darkreading.com to, for example -- so that they can be used by networking equipment, computers, and software programs.

DNS is the world's largest distributed database, supported by millions of domain name servers and administrators, each providing information about a small segment of the domain name space.

There are two main categories of name server. The authoritative name server is responsible for providing answers in response to queries about domain names in a zone -- a portion of a domain name space for which it is responsible. For example, the DNS servers that answer for darkreading.com and resolve www.darkreading.com to an IP address are authoritative DNS servers. Every domain name appears in a zone served by one or more authoritative name servers.

The second category of server is a recursive name server: When it receives a request to resolve a domain name it doesn't have cached, this server type will recursively query the DNS architecture for the appropriate authoritative DNS server to get an answer that can be cached and returned to the client. A server typically caches previous answers to queries for a certain amount of time (TTL, or time to live) to improve performance should it receive the same request again.

Every Internet-connected device and application is a client of the Domain Name System; even DNS servers in the process of resolving a name function as DNS clients. DNS clients have to trust the information they receive, but when DNS was designed back in the '80s, scalability and availability were the key goals. Little attention was given to security.

For example, the accuracy and integrity of DNS records are vital, but they can be accessed by multiple people: the registrant who owns a domain name, the registry that sold it, the registrar that maintains records and the administrators of the top-level DNS servers. Should attackers get to a point at which they could alter or corrupt a domain's DNS zone data, they could redirect all incoming traffic for that domain to a server they control. This server could then host fake sites to make political statements, capture personal information or install malware.

The open, distributed nature of DNS means it's not possible for one technology or solution to eradicate the limitations inherent in DNS, so hackers continue to use it as a means of disrupting or hijacking online services.

Recent attacks by the Syrian Electronic Army (SEA) have exploited DNS weaknesses to modify DNS entries and redirect users accessing The New York Times, Twitter and Marine Corps websites to propaganda pages supporting the Bashar Assad regime.

The lack of a valid Web server certificate could alert users that they have not reached the genuine site, but these attacks can also capture all inbound email and enable an attacker to send emails using the victim organization's domain. This would allow the attackers to impersonate the victim and register a new certificate. Control of an enterprise's DNS and a valid Web certificate mean the attackers have effectively become the enterprise, often without having to hack into its network.

DNS attacks can either subvert the resolution of DNS queries, often by exploiting weaknesses in domain name administration practices, or use the DNS infrastructure as a means of launching distributed denial-of-service attacks (DDoS).

To learn more about the nature of DNS attacks -- and what you can do to prevent them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well I dont run on MacOS, so I need to take extra precautions"
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-02
Integer overflow may occur if atom size is less than atom offset as there is improper validation of atom size in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8053, APQ8096...
PUBLISHED: 2020-06-02
Firmware will hit assert in WLAN firmware If encrypted data length in FILS IE of reassoc response is more than 528 bytes in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voi...
PUBLISHED: 2020-06-02
A race condition can occur when using the fastrpc memory mapping API. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, QCS605, QM215, SA415M, SDM429, SDM429W, SDM439, S...
PUBLISHED: 2020-06-02
Possibility of double free of the drawobj that is added to the drawqueue array of the context during IOCTL commands as there is no refcount taken for this object in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, ...
PUBLISHED: 2020-06-02
Valid deauth/disassoc frames is dropped in case if RMF is enabled and some rouge peer keep on sending rogue deauth/disassoc frames due to improper enum values used to check the frame subtype in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT...