What is DNS Security? - Check Point Software (2024)

How DNS is Used in Attacks

Some threats include attacks against the DNS infrastructure:

  • Distributed Denial of Service (DDoS): DNS infrastructure is essential to the functioning of the Internet. DDoS attacks against DNS can make websites unreachable: by saturating the network with what looks like legitimate traffic, they render the DNS servers that serve those sites unavailable. A classic example of this is the 2016 DDoS attack against Dyn, where an army of bots hosted on Internet-connected cameras caused outages at many major websites, including Amazon, Netflix, Spotify, and Twitter.
  • DNS DDoS Amplification: DNS uses UDP, a connectionless protocol, for transport, which means that an attacker can spoof the source address of a DNS request and have the response sent to an IP address of their choosing. Additionally, DNS responses can be much larger than the corresponding requests. DDoS attackers take advantage of these factors to amplify their attacks by sending a small request to a DNS server and having a massive response transmitted back to the target. This results in a DoS of the target host.
  • Other Denial of Service (DoS) Attacks: In addition to network-based DDoS attacks, the applications that run on DNS servers can also be targeted by DoS attacks. These attacks are designed to exploit vulnerabilities in the DNS server applications, making them unable to respond to legitimate requests.

DNS can also be abused and used in cyberattacks. Examples of the abuse of DNS include:

  • DNS Hijacking: DNS Hijacking refers to any attack that tricks a user into thinking they are connecting to a legitimate domain while they are actually connected to a malicious domain. This can be accomplished using a compromised or malicious DNS server or by tricking a DNS server into storing incorrect DNS data (an attack called cache poisoning).
  • DNS Tunneling: As DNS is a trusted protocol, most organizations allow it to freely enter and leave their networks. Cybercriminals take advantage of DNS for data exfiltration with malware whose DNS requests contain the data being exfiltrated. Since the DNS server that receives these requests is typically controlled by the owner of the queried domain, the attackers ensure that the data reaches a server where they can process it and send a reply in the DNS response packet.
  • Security Evasion using Random Domain Names (DGA): Threat actors use sophisticated algorithms to generate hundreds of thousands of brand-new domain names using a Domain Generation Algorithm (DGA). Malware sitting on an infected computer will then use these brand-new domain names to evade detection and connect to the hacker’s external Command and Control server. Traditional security solutions are not fast enough to determine whether these domains are malicious or not, so they simply default to letting them pass through.

The Importance of DNS Security

DNS is an old protocol, and it was built without any integrated security. Several solutions have been developed to help secure DNS, including:

  • Reputation Filtering: Like any other Internet user, most malware needs to make DNS requests to find the IP addresses of the sites that it is visiting. Organizations can block or redirect DNS requests to known malicious domains.
  • DNS Inspection: The use of DNS for data exfiltration via DNS tunneling or security evasion using Domain Generation Algorithms can also be detected and blocked in real-time by next-generation firewalls (NGFW) that leverage threat intelligence powered by AI Deep Learning engines. This helps to block even sophisticated malware that uses DNS for malware command and control (C2) communications and other attacks.
  • Secure the Protocol: DNSSEC is a protocol that includes authentication for DNS responses. Since the authenticated response cannot be spoofed or modified, attackers cannot use DNS to send users to malicious sites.
  • Secure the Channel: DNS over TLS (DoT) and DNS over HTTPS (DoH) add a secure layer to an insecure protocol. This ensures that the requests are encrypted and authenticated, unlike traditional DNS. By using DoH and DoT, a user can ensure the privacy of DNS responses and block eavesdropping on their DNS requests (which would reveal the sites that they are visiting).
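
The DNS Inspection item above describes detecting tunneling from the DNS requests themselves. The sketch below is an added example, not Check Point's detection logic: a simple heuristic that flags a client sending many long, high-entropy subdomains under one domain. The log entries, thresholds and function names are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log of (client IP, query name); not real traffic.
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = (
    [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com")]
    # Benign: many distinct but short names under one domain.
    + [("10.0.0.7", f"img{i}.example.net") for i in range(8)]
    # Tunnel-like: long, high-entropy labels (rotations of a base32 alphabet).
    + [("10.0.0.9", f"{B32_ALPHABET[i:] + B32_ALPHABET[:i]}.example.org")
       for i in range(6)]
)

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Return (subdomain, registered domain).
    Assumption: the registered domain is the last two labels; production
    code should consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_suspects(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs with many long, random-looking subdomains.
    The thresholds are illustrative assumptions and need tuning per network."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, domain = split_name(qname)
        if sub:  # bare-domain lookups carry no payload
            seen[(client, domain)].add(sub)
    suspects = []
    for (client, domain), subs in sorted(seen.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": domain,
                             "unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return suspects

if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE_QUERIES):
        print(hit)
```

The short `img0` to `img7` names show why subdomain count alone is not enough: they exceed the uniqueness threshold but are not flagged, because their length and entropy stay low.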

Analytics, Threat Intelligence and Threat Hunting

Monitoring your DNS traffic can be a rich source of data for your Security Operations Center (SOC) teams as they monitor and analyze your company’s security posture. In addition to monitoring firewalls for DNS Indicators of Compromise (IoC), SOC teams can also be on the lookout for lookalike domains.
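
One way a SOC team could hunt for the lookalike domains mentioned above is to compare observed query names against a watchlist of the organization's own domains. This is an added example, not part of the original article; the watchlist, the observed names and the small confusable-character map are constructed assumptions.

```python
# Constructed watchlist and observed names; not real indicators.
PROTECTED = ["example.com"]
OBSERVED = ["example.com", "examp1e.com", "exarnple.com",
            "exampel.com", "unrelated.org"]

# Assumed minimal map of visually confusable sequences; a production
# list would be much larger (for example, Unicode confusables).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(name):
    """Normalize a name so visually similar spellings collapse together."""
    name = name.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(observed, protected, max_distance=2):
    """Return (reason, brand) for a lookalike, or None for exact or unrelated names."""
    obs = observed.lower().rstrip(".")
    if obs in protected:
        return None  # the legitimate domain itself
    for brand in protected:
        if skeleton(obs) == skeleton(brand):
            return ("confusable", brand)
        if edit_distance(obs, brand) <= max_distance:
            return ("typo", brand)
    return None

def find_lookalikes(observed, protected):
    """Map each suspicious observed name to its verdict."""
    hits = {}
    for name in observed:
        verdict = classify(name, protected)
        if verdict:
            hits[name] = verdict
    return hits

if __name__ == "__main__":
    for name, (reason, brand) in find_lookalikes(OBSERVED, PROTECTED).items():
        print(f"{name}: {reason} lookalike of {brand}")
```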

Preventing the Malicious Use of the DNS Protocol

Check Point Quantum Next Generation Firewalls detect malicious traffic and DNS tunneling attacks via ThreatCloud AI, its global threat intelligence system. ThreatCloud AI analyzes DNS requests and sends a verdict back to firewalls – to drop or allow the DNS request in real time. This prevents data theft via DNS tunneling and Command and Control communications between an internal infected host and an external C2 server.

We encourage you to ask for a demo of new DNS Security capabilities in Quantum release R81.20 and learn more about the threat analytics and threat hunting capabilities of Check Point Infinity SOC.

Article information

Author: Golda Nolan II
