Attacks related to Domain Name System (DNS) infrastructure have been on the rise and most organizations aren’t prepared for the onslaught. In fact, a recent report by Enterprise Management Associates (EMA) found that less than 31% of organizations are confident in their DNS security.
DNS is a component of many different cyberattacks, including ransomware, DNS-based distributed denial of service (DDoS) and DNS tunneling. In that same EMA survey, DNS tunneling was cited as the second-biggest concern organizations had when it came to the security of their DNS infrastructure.
So, why is this so popular? And what can security leaders do to stop it?
The truth about DNS tunneling
Essentially, DNS tunneling is a methodology that encodes the data of other programs or protocols in DNS queries or responses. When used maliciously, it allows bad actors to establish a command-and-control channel to a victim’s computer and circumvent traditional digital defenses such as firewalls. In many cases, it’s possible to configure a firewall rule to detect DNS tunneling activity, but this is complicated and yields varying degrees of effectiveness, and it’s not typically done.
While tunneling is an older technique, it’s still popular for the primary reason that most people aren’t actively monitoring DNS. As an attack method, it’s been used for over a decade, but it’s grown in popularity within the past several years. That’s not terribly surprising considering that bad actors are almost always going to choose the simplest technique with the greatest track record of success. They’ll stick to the low-hanging fruit because it is simple, fast and reliable. Once it stops working, they will move on to the next low-hanging attack type. The shift to DNS abuse attacks, including DNS tunneling, were likely a response to the desire for simple and reliable results.
Even in a situation where you have a protective DNS solution that is blocking threats and responding, most organizations aren't always looking at Port 53 as thoroughly as they should. And monitoring can slow web performance, which creates user satisfaction issues, as well as an avalanche of potential false positives.
DNS is an old, reliable system that was never designed with security as a priority in the first place. There are inherent weaknesses that make it an easy attack vector with a low cost of entry and a higher rate of return. Generative AI and machine learning are likely helping lower the barrier to entry, since bad actors no longer have to write the code themselves or have the technical know-how; they get help from these technologies. In the future machine learning will also aid in the prevention and detection of such attacks. So, for now, DNS attacks — including tunneling — are here to stay. The good news? There are ways to keep your organization protected from such attacks.
Why monitoring is crucial
As mentioned, many organizations aren’t monitoring their DNS traffic; they’re not locking it down at all. They’re not setting their firewalls, segmenting their networks or even following the best practices for network configurations. Organizations are often scared to use encrypted DNS for fear of breaking their internet access or slowing load times to unacceptable levels.
Monitoring is the key to overcoming the assault on DNS. For example, security leaders will be able to see if bad actors are exfiltrating a number of huge DNS requests that are maxing out and they’re chained right behind each other, all going to the same place. Similarly, if security leaders start seeing strange sizes or characters on the end of what looks like a normal domain, or even in the middle, they’ll know it’s time to investigate.
Best practices for bolstering DNS security
While the first step in increasing DNS security is to set up established monitoring on the DNS protocol, zero trust architecture is the next step. This framework can do a great job of mitigating risks like DNS tunneling. While it doesn’t keep information from being shared, it does keep the information from being passed internally. So, if you have a Zero Trust architecture and a number of web-facing assets, if they're not talking to all your password managers, the password managers aren't going to be sharing that information because they don't have the access.
Next, put a process or solution in place for protecting against this particular style of attack. A protective DNS solution is one form of security; implementing something like DNS encryption tools would be another.
It’s important to be able to conduct behavior monitoring, looking at things like:
- What’s your standard domain name length?
- What are your user’s normal times for DNS traffic?
- Are you seeing many requests to the same domain or IP address in a very short period?
- Does a request generate a series of maximum-length DNS queries or trigger download requests?
- Does a logs review reveal multiple domain names that are very similar and that begin like normal words but finish in strings that look like a cat walked over the keyboard?
Make life hard for attackers
DNS can be used in many different types of attacks, not just tunneling, and it can’t be overlooked when shaping a security strategy. While DNS monitoring isn’t a complete security solution, not having this in place constitutes a huge gap in an organization’s network defenses and ability to investigate. Use the above best practices to review and adjust the security plan to move this low-hanging fruit out of attackers’ reach.