Ron Temske, Vice President, Security Solutions, Logicalis US
The starting point for enterprise connectivity to anywhere is the Domain Name Services or DNS. Why not start there for cybersecurity? The purpose of DNS is to resolve names, which humans can remember, into IP addresses used by computers and other connected devices. Comparing DNS to a phone book (Ed. For those of you old enough to remember them!), or your contact lists in Outlook or your phone, is a good analogy.
It’s difficult to remember phone numbers for all your family, friends, work colleagues, suppliers and customers, but you certainly remember their names. So, while none of us would think to type http://18.104.22.168/ into our browsers, we would have no problem remembering and typing http://www.amazon.com/ when we want to go shopping.
DNS is involved any time a domain name is accessed from a device. This isn’t specific to just browser or http traffic, but includes any resource call to a domain from any connected device. And for that reason, DNS is both an asset and a liability.
[Infographic: Click for full view]
Potential DNS Vulnerabilities
As the central internet phone book, DNS can be involved in attacks in several ways. I’m going to take a few technical liberties and skip a lot of details about authoritative versus recursive, versus caching DNS servers and the role of the localhosts file. But all the concepts I will discuss are accurate. Here are a few ways that DNS can become a vulnerability to your enterprise:
- DNS caches can be “poisoned.” The DNS cache can be corrupted to misdirect queries to incorrect sites. In this case, a user types www.example.com in his browser, but since the DNS cache was corrupted, he gets sent to www.reallybadsite.com instead.
- DNS can be used for typo cons and domain squatting. These attacks use domain names that appear similar to a valid domain name, hoping users won’t notice. For example www.1inkedin.com. Also common is using a legitimate domain name, but adding an extra character or word.
- DNS can be used in phishing attacks. Any attempt to lure a user to a malicious site can combine the typo con/domain squatting method described above to make the user believe they’re going to a proper site. It’s also common to mask a malicious domain or IP address behind a trusted domain address. These are easy enough to spot – hover over any website domain address before clicking on it and see where the hyperlink resolves. The link and text should be the same – or at least it should take you to the domain that you expected!
- DNS can be leveraged for Command and Control (C2) malware. DNS is used in many forms of malware, as most have some type of “call home” function to advise that the malware is in place.
- DNS doesn’t discriminate. Users don’t always know that a site is malicious and neither does DNS. A user may visit a “rogue” site intentionally, often in conjunction with a phishing attack, a “free” offer or another compelling link. This can might be accomplished by setting up a malicious site with a helpful sounding name (e.g. www.reallyhelpfulsitehere.com).
These types of attacks are focused on the end users, but there are also attacks directed against the DNS infrastructure which can result in a Dedicated Denial of Service (DDoS) attack among others. This has potentially devastating consequences: If DNS services are broken or unavailable, this effectively shuts down the entire network for affected users.
In Part Two of my article, we will take a look at a potential solution to these challenges: A Secure DNS that acts as an umbrella to protect places, spaces and devices from threats via the DNS services.