Why securing the DNS layer is crucial to fight cyber crime

Domain name system security is often overlooked by organisations, but focusing on this layer could actually improve the effectiveness of cyber security strategies. We explore the latest DNS trends and best practice

This article can also be found in the Premium Editorial Download: Computer Weekly: Using digital twins to cut costs and improve safety at Shell

Over the past few years, domain name system (DNS) attacks have emerged as one of the most common and dangerous cyber security threats faced by businesses. Research conducted by EfficientIP shows that 79% of organisations were impacted by a DNS attack last year, costing them an average of $924,000 (£782,000). 

As businesses continue to digitally transform and the interconnected ecosystem on which they depend expands, these attacks will only become more frequent and more damaging. It is therefore paramount that firms take steps to secure the DNS layer. Doing so will also enable them to identify, mitigate and prevent cyber attacks. But where do they start?

Even though DNS attacks are skyrocketing, experts fear that many organisations are ignoring this and failing to take appropriate steps to protect themselves. Jake Moore, security specialist at ESET, says: “DNS-based cyber attacks are among the most common, but despite this, DNS gateways are often left unprotected. The DNS layer of a network is always on and therefore often overlooked. 

“What can make matters worse is that it is known that some security administrators tend to leave some DNS traffic white-flagged, effectively leaving the door open for malicious actors to easily walk straight in unnoticed.”

With cyber criminals launching more sophisticated DNS attacks, ill-equipped businesses are put at a big disadvantage and will struggle to respond effectively when targeted. “As attackers evolve their tricks, businesses fail to fully understand the risks and simply do not prioritise DNS security due to a lack of awareness,” says Moore. “DNS is critical to the business and service continuity, which naturally attracts threat actors to target. 

“Moreover, when a business’s DNS gateway is attacked, companies can’t shut down entire businesses due to the repercussions of not functioning, which could result in a loss of even more money. Unless the DNS is flooded, causing a DDoS [distributed denial of service], companies will do what they can to keep business as usual.” 

But what should organisations be doing to prevent and mitigate these attacks? Moore says analysing the behaviour of each user can offer a good representation of what is happening and help businesses to detect threats because the majority of network traffic goes through DNS. “Such threats must, in turn, be surveilled in detail, which can lead to a successful zero-trust strategy,” he says.

Major consequences 

When left insecure, DNS servers can result in devastating consequences for businesses that fall victim to attack. Terry Bishop, solutions architect at RiskIQ, says: “Malicious actors are constantly looking to exploit weak links in target organisations. A vulnerable DNS server would certainly be considered a high-value target, given the variety of directions that could be taken once compromised.

“At RiskIQ, we find most organisations are unaware of about 30% of their external-facing assets. That can be websites, mail servers, remote gateways, and so on. If any of these systems are left unpatched, unmonitored or unmanaged, it presents an opportunity for compromise and further potential exploit, whether that is towards company assets, or other more valuable infrastructure such as DNS servers are dependent on the motives of the attacker and the specifics of the breached environment.”

Kevin Curran, senior member at the Institute of Electrical and Electronics Engineers (IEEE) and professor of cyber security at Ulster University, agrees that DNS attacks can be highly disruptive. In fact, an improperly working DNS layer would effectively break the internet, he says.

Read more about DNS security

If the domain name system was to fail, all the website names that people type would also fail to be converted to their proper IP address equivalent – which is the only way the internet can actually route our requests – and we would not have a functioning internet,” says Curran. “Of course, if people knew the hard-to-remember IP address of a site, they could type that instead, but that is not a realistic scenario.”

However, there are different protocols that can help to mitigate DNS security risks, he says. “The two major updates to DNS have been DNS over TLS [DoT] and DNS over HTTPS [DoH]. These two standards encrypt plaintext DNS traffic to prevent malicious parties, advertisers, ISPs, etc from intercepting the data.”

Curran adds: “DoT uses the same security protocol that HTTPS websites use to encrypt and authenticate. It adds TLS encryption over the user datagram protocol [UDP], thus ensuring that DNS requests and responses are not modified or forged through on-path attacks. DoH again uses encryption, but DNS messages are sent using the HTTP or HTTP/2 protocols. DoH traffic resembles normal HTTPS traffic if examined with a packet analyser.”

Curran says there is debate about the best method, however. “Some argue that DoT is better from a network security standpoint as network admins can monitor and block DNS queries, such as malicious traffic,” he says. “DoH queries, however, are concealed in regular HTTPS traffic, so they cannot be blocked as easily without blocking other HTTPS traffic too. DoH does provide more privacy. However, as DNS queries are hidden within the HTTPS traffic, this is crucial to many.”

Preparing for DNS attacks 

When it comes to identifying and mitigating cyber attacks, the DNS layer offers a great deal of insight. Mark Fieldhouse, Europe, Middle East and Africa (EMEA) general manager at NS1, says: “Integrating DNS with monitoring and reporting systems gives visibility into application and network traffic, so that companies can more easily observe DNS configuration changes and shifting traffic patterns, which will reveal key indicators of compromise. DNS can also provide net fencing to prevent sites from receiving traffic from suspicious countries, regions or domains. 

“Leveraging an always-on, redundant anycast DNS network ensures resilience and minimises the impact of attacks by dynamically routing traffic around compromised resources to prevent downtime. Enabling DNSSEC protects the integrity of DNS records by having them digitally signed and verified, which ensures users are not receiving fake information injected by attackers.”

Fieldhouse says DNS, DHCP and IP address management (DDI) is crucial to a zero-trust approach. “DNS traffic can be routed seamlessly, and blocked, depending on specific criteria, to protect company data from threats,” he says. “DDI solutions integrate with the vast majority of applications that organisations use to function, which ensures uniform control. 

“The external DNS needs just as much protection as the internal network”
Mark Fieldhouse, NS1

“It is also important to note that while zero-trust security guards against internal data breaches, DNS attacks can be just as destructive, so the external DNS needs just as much protection as the internal network.”

Venu Vissamsetty, vice-president of security research at Attivo Networks, recommends a layered defence approach comprising DNS monitoring and filtering, endpoint protection, endpoint data cloaking and access controls. This is particularly useful for tackling ransomware attacks, he says. 

“After the initial infection, ransomware initiates DNS lookups to contact C&C [command and control] and download additional payloads,” says Vissamsetty. “DNS filtering and blocking can potentially stop ransomware attacks at the initial payload stage. Targeted attacks can evade DNS filtering, so it is recommended to have zero-trust data access controls to prevent and minimise the impact of ransomware.”

Applying new techniques to DNS

As digital transformation increases, businesses can use DNS as an effective cyber defence tool, according to Steve Forbes, government cyber security expert at Nominet, who says every communication between a company’s network and the wider world is logged in the DNS traffic.

“This means that if an attacker does gain access, communication between the malware and the command and control centre, for example, is highly likely to be in that DNS traffic,” says Forbes. “With the advancements in AI [artificial intelligence] and machine learning – which can detect patterns in the source, destination and characteristic of network traffic – it has become easier to detect this potentially malicious traffic at a much earlier point than before.

“This gives security teams the time to effectively deal with any attacks by giving early warning indicators, reducing the time to remediate the threat.”

Forbes says that applying new techniques to DNS enables businesses to identify normal behaviour on a network, as well as unusual or suspicious behaviour that could indicate a cyber attack. 

“Companies can use information from their DNS servers to detect new attacks”
John Graham-Cumming, Cloudflare

“This leads to blocking potentially malicious actors from gaining access and highlighting insider threat, while also reducing the number of false positives and workload for security workers to process,” he says. “Finally, because DNS covers the whole of the company’s network, it scales well and will go on protecting you as digital transformation causes your attack surface area to expand.”

John Graham-Cumming, CTO at Cloudflare, says there are a number of things that businesses can do when it comes to DNS-based security. “Firstly, you need to protect DNS infrastructure from the basic attacks, like DDoS, that can be used against anything on the internet,” he says. “Then you should ensure that, like any other piece of software, the DNS servers are up to date and patched. With these in place, companies can use information from their DNS servers to detect new attacks.

“By feeding corporate DNS log data into an analysis tool, it is possible to spot unusual behaviour, which might indicate malware, from a corporate device. By provisioning the DNS server as something each corporate device uses, it is also possible to control, at the DNS level, what internet resources a user or machine can access, and block well-known malware or phishing.”

DNS security is often overlooked by organisations, but with more and more cyber attacks targeted at businesses, it is an area of great importance. Securing the DNS layer will not only protect it, but will also allow businesses to detect and fight cyber attacks before serious damage is done.

Read more on Network security management