The Domain Name System (DNS), known as the phone book for the internet, was recently retuned to improve performance as well as include new security provisions to protect against Distributed Denial of Service (DDoS) attacks. DNS Flag Day drew a line in the sand for noncompliant authoritative DNS servers by removing accommodations. These new updates are welcome, but they do not solve the problem of DNS abuse by cybercriminals.
DNS attacks have gained more notoriety lately with global attacks on government and telecommunications traffic around the world. FireEye and Cisco Talos security researchers have been tracking these attacks. One cybercriminal was found to be manipulating DNS records to divert traffic through malicious servers. This type of attack aims to trick users into revealing credentials, passwords, sensitive information and more. But why is it so easy for hackers to manipulate these records to steal data? The answer: It’s complicated.
DNS Spoofing
To understand why hackers can manipulate the DNS to steal data, it’s important to look at how spoofing works. DNS spoofing starts with a malicious actor setting up a DNS server filled with records to popular sites that they believe their victims will visit. This includes sites of banking and financial institutions, insurance providers, health-related organizations, and government, as well as restricted sites. They also build sites that look nearly identical to the real thing. That way, when employees or consumers visit the phony site, it looks like the official one they expect to see. After the hacker has built this server, they craft malware with the simple task of changing the DNS settings on visitors’ systems.
Normally, DNS settings are managed by ISPs or an organization and users are automatically pointed toward the DNS server that either prefers. The system – computer, phone, tablet, etc. – uses the DNS it is given from the router. But it’s possible to change the DNS for the device’s network adapter manually, and that is exactly what the malware’s job is. Once the malware is installed – likely through email phishing or clickbait – the hacker can successfully route users to their DNS server. Because the DNS settings on the system have been changed, all requests made in the browser will be sent to the fraudulent server.
It doesn’t seem possible that a hacker could anticipate every request. What happens, though, is that a well-crafted server deploys resolvers, so that any request the hacker doesn’t care about – like cutekittens[.]com – will be forwarded to another DNS, such as Google or Cloudflare. Thus, the hacker can spoof the sites they care about and ignore the rest. That also makes it difficult for user, who will not notice the problem until they visit one of the spoofed sites and provide credentials or personal information.
Why DNS Abuse Is Easy
The DNS standard was created in the early 1980s, before security was something that people really thought about (SSL 2.0 wasn’t published until 1995). Additionally, cryptographic keys and encryption were very expensive for the underpowered devices of the past millennium to handle.
Unfortunately, much has remained the same for DNS since the beginning. New standards have been created to combat DNS abuse, but implementation of these standards has been slow.
Shielding DNS
Fortunately, there is hope. This month’s DNS Flag Day set in motion a precedent that old accommodations will no longer be given, and DNS providers need to be held to a higher standard (which, funny enough, is just the standard created in the 80s and 90s). Additionally, many providers are making it much easier to stop their domains from being spoofed or abused.
One such company making it harder for domains to be spoofed is Cloudflare. The company makes it very easy to enable Domain Name System Security Extensions (DNSSEC) for domains that use Cloudflare as an authoritative DNS provider. DNSSEC is a powerful resource in DNS because it cryptographically signs DNS queries such that the user can trust the response.
Unfortunately, the rate of DNSSEC adoption is again slow, and not every top-level domain (TLD) supports it. However, there are few recommendations for protecting against DNS abuse.
The easiest step is to ensure all devices are updated and have proper antivirus protection installed. This will, at least, make it more difficult for hackers to infect the machine to change DNS settings.
Best Bet For Preventing DNS Abuse
However, monitoring network traffic is the number one way to understand if DNS abuse is taking place. Organizations especially should look for rogue DNS and DNS communication to DNS servers that are not authorized on the network.
If a DNS request is going to an IP that isn’t a corporate DNS server, that is an indication that an employee is trying to get around the company’s DNS at best, or at worst, malicious actors are spoofing the machine’s DNS on an infected device. Network traffic analytics will provide the insight needed to view DNS patterns and stop hackers from gaining valuable information from users.
(About the Author: Justin Jett is director of audit and compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.)
[Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.]