Heimdal


The cybersecurity solution of the future must be proactive and holistic, designed to face the most modern forms of attack. This is what we here at Heimdal are devoted to achieving through our endpoint protection, detection, and response suite with a strong DNS Security component.

Key Takeaways:

  • What is DNS;
  • An Overview of risks associated with the DNS;
  • What Is DNS Security, and how you can improve it.

What is DNS?

The Domain Name System, or DNS for short, is a naming system for devices, services and other resources reachable over the Internet or over private IP networks. It is commonly referred to as the phonebook of the Internet because it translates human-friendly domain names into the IP addresses that machines actually use.

The DNS is both hierarchical and decentralized: the namespace is a tree with a single root, but each zone in that tree is administered by its own operator, so no single party stores or serves the whole database.

For example, when you type www.company.com into your browser’s address bar, the DNS resolves that name to an IP address, which could look like 204.0.8.51 in IPv4 or 2001:0db8:0000:0000:0000:ff00:0042:7879 in IPv6 (the latter is taken from the 2001:db8::/32 prefix reserved for documentation).

This process happens in the background, while you are waiting for your query to be returned and the webpage to load. Nowadays, it happens almost automatically, but it wasn’t always like that. Let’s dive into the history of the DNS and see how the Internet as we know it today came to be.

The History of the DNS


The roots of the DNS can be traced back to the ARPANET, which stands for Advanced Research Projects Agency Network, a project initiated by American Internet pioneer Bob Taylor in 1966.

By 1969, the first computers were already connected to the infrastructure, and the Network Control Program was subsequently implemented in 1970. Further development followed in the years to come.

But how did it all work? How were devices assigned addresses and how did queries get fulfilled on the Internet’s predecessor? Initially, the ARPANET used to hold names to address translations in a single table located within a document known as HOSTS.TXT.

The first ARPANET directory was developed and managed by American information scientist Elizabeth J. Feinler as part of her duties at the Augmentation Research Center (ARC) within the Stanford Research Institute (now called SRI International).

She was recruited for the position in 1972 and then created the simple text file for hostnames in 1974.

This was revised several times over the years. Addresses were assigned manually through this document and their numerical counterparts were managed by American computer scientist Jon Postel, who was working for the University of Southern California’s Information Sciences Institute (ISI).

Once the 1980s rolled around and an increasing number of machines were going online, Postel found that manually managing the addresses had become unwieldy and difficult. He received five competing solutions to this issue, and he directed the task of finding a middle ground between them to American computer scientist Paul Mockapetris.

In 1983, Mockapetris proposed a new framework that involved a dynamic and distributed system known as the Domain Name System. This would make him a true Internet pioneer and one of the founding fathers of the Internet as we know it today.

The first specifications regarding the DNS, RFC 882, and RFC 883 were published the same year by what would soon become the Internet Engineering Task Force (IETF).

Following the official creation of the IETF in 1986, the DNS became one of the first Internet Standards. The original 1983 specifications were superseded in 1987 by RFC 1034 and RFC 1035, which remain the base DNS standards today.

Instead of merely looking up hostnames in a static file, the DNS provided a distributed, hierarchical database that could grow with the network, enabling the Internet to become convenient for everyday use. Without it, the Internet as we know it today wouldn’t exist.

The Structure of the DNS

In the definition of the Domain Name System, the author has described this infrastructure as ‘both hierarchical and decentralized’. But what does this mean more exactly?

These two concepts are essential to understanding the structure of the DNS, so let’s dive into them.

The DNS Is Hierarchical

The hierarchical nature of the DNS is represented by the levels of domains found within it, all descending from the root zone. Together, they form the name you type in your browser’s address bar. Simply put, a typical public hostname consists of three domain components, although a name may carry more labels than that.

These layers are known as top-level domains, second-level domains, and third-level domains.


But while you might be tempted to associate this numerical classification with their order within the address, the system is actually the other way around. Top-level domains, or TLDs for short, are the extensions you see at the end of a web address. The most popular TLDs out there are:

  • .com;
  • .org;
  • .net;
  • .edu;
  • .gov;
  • .de;
  • .us;
  • and so on.

First top-level domain

The first top-level domain in Internet history was .arpa, created to aid the transition from the ARPANET host table to the DNS; it is still used today for infrastructure purposes such as reverse lookups under in-addr.arpa. As the years have passed, more and more TLDs have been introduced to keep up with the ever-expanding nature of our online world.

Top-level domains are delegated directly from the root zone, hence their high place in the DNS hierarchy. On their own, however, they say little about the destination; it is the labels to their left that the human eye and mind rely on.

Second-level domain

Known as SLD or 2LD for short, the second-level domain layer usually consists of the organization or website name. For example, in the case of facebook.com, ‘Facebook’ is the SLD that is also evocative of the online destination the user is trying to reach. However, SLDs can be more than just the name associated with the webpage.

By definition, a second-level domain is any domain sitting directly underneath a TLD in the DNS hierarchy. Within country-code TLDs, registries often reserve second-level labels such as co.uk or gov.au, under which organizations then register at the third level.

Organizations can register their SLD under any TLD whose registry policy allows it, which is why there is much more variety at this layer of the Domain Name System.

Third-level domain

Finally, the third-level domain is the first component you see when looking at a web address. The most common example is the www. in queries such as www.facebook.com or www.google.com.

In the background, organizations use this layer to direct queries toward particular hosts or services. For instance, a site may move part of its traffic to a ww2. name that points at a different server. Names such as support. or mail. are likewise third-level domains.

For example, the page support.google.com directs you to Google’s help center, which is independently hosted from its main platform. The same goes for mail.google.com, which is the address for the company’s email service, Gmail.

Third-level labels only need to be unique within their parent domain, which is why mail.google.com and mail.yahoo.com can co-exist. What must be globally unique is the registered domain, i.e. the second-level label combined with its TLD.

Before moving on to the decentralized nature of the DNS, let us address the starting point of it all: the root zone. The diagram above marks the root as a single point in the hierarchy. It is served by 13 root server identities (a.root-servers.net through m.root-servers.net) run by 12 independent operators, while the contents of the root zone itself are managed through the IANA function that the Internet Corporation for Assigned Names and Numbers (ICANN) oversees.

Currently, these 13 root server identities are operated by private companies, universities and government entities. Most operators are based in the United States of America, but thanks to anycast the physical instances number in the hundreds and are spread across the globe. The complete list is published at root-servers.org.

The DNS Is Decentralized

Even though the root zone is coordinated by a single organization, the structure of the DNS below it is decentralized. This is made possible by the fact that each domain operator provides the nameservers for its own zone, without any single party overseeing the process.

Every SLD has its own set of authoritative nameservers, specific to that zone, that complete the resolution. The TLD registry only holds the delegation pointing at them (NS records and, with DNSSEC, DS records); it is not involved in answering for names inside the zone.

Taking the examples from the figure in the previous section, Google runs the nameservers that bring the resolution process to its conclusion. However, an organization doesn’t need to run its own nameservers to operate a website. There are plenty of third-party services that provide this functionality, with Cloudflare being the most popular example.
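The walk from root to TLD to second-level zone described above, as an added example (not Heimdal’s code): a minimal iterative resolver over an in-memory tree of zones. The zone data is constructed to mirror the page’s diagram; the nameserver hostnames other than the root’s are illustrative and the IP addresses come from the documentation ranges.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                        # zone apex, e.g. "com."
    ns: list                                         # hostnames of the servers authoritative for it
    delegations: dict = field(default_factory=dict)  # child apex -> Zone (the NS records handed down)
    records: dict = field(default_factory=dict)      # owner name -> [(rtype, rdata), ...]


def labels(name: str) -> list:
    """Split 'www.google.com.' into its label hierarchy, root side first: ['com', 'google', 'www']."""
    return [lab for lab in name.rstrip(".").split(".") if lab][::-1]


def covering_child(zone: Zone, name: str):
    """Return the delegated child zone that contains `name`, or None if `zone` itself is authoritative."""
    for child in zone.delegations.values():
        if name == child.name or name.endswith("." + child.name):
            return child
    return None


def resolve(root: Zone, name: str, rtype: str = "A"):
    """Walk root -> TLD -> second-level zone the way an iterative resolver does.

    Returns (answers, path): the rdata found and the servers that were asked, in order.
    Each hop is a referral: the server does not know the answer but knows who does.
    """
    name = name if name.endswith(".") else name + "."
    zone, path = root, [root.ns[0]]
    while True:
        child = covering_child(zone, name)
        if child is None:
            break
        zone = child
        path.append(zone.ns[0])
    answers = [rdata for (t, rdata) in zone.records.get(name, []) if t == rtype]
    return answers, path


# Constructed zone data mirroring the page's diagram; each zone is served by its own operator.
GOOGLE = Zone("google.com.", ["ns1.google.com."], records={
    "www.google.com.": [("A", "203.0.113.10")],
    "mail.google.com.": [("A", "203.0.113.20")],
})
YAHOO = Zone("yahoo.com.", ["ns1.yahoo.com."], records={
    "mail.yahoo.com.": [("A", "198.51.100.7")],
})
COM = Zone("com.", ["a.gtld-servers.net."], delegations={"google.com.": GOOGLE, "yahoo.com.": YAHOO})
ROOT = Zone(".", ["a.root-servers.net."], delegations={"com.": COM})

if __name__ == "__main__":
    for qname in ("www.google.com", "mail.yahoo.com", "nope.example"):
        answers, path = resolve(ROOT, qname)
        print(qname, "->", answers or "no data", "via", " > ".join(path))
```

Note that the root and .com servers never see the final record; they only hand down referrals, which is exactly what lets each operator manage its own zone independently.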

By combining hierarchy and decentralization, the Domain Name System is easily scalable and adaptable. While the scheme might seem simple enough with only 13 root server identities at the top, the DNS serves approximately 5.3 billion Internet users.

These users generate at least 65 trillion DNS queries every month, according to Cloudflare, which provides DNS for roughly 15% of all websites online today. The Domain Name System is therefore part of practically every online interaction in our collective daily lives.

How Secure Is the DNS?

In the best-case scenario, whenever you type in a domain name (which is translated into an IP address), you end up on the website you intended. This is commonly the case. However, a plain DNS query can be manipulated on its way, so its outcome cannot be taken as trustworthy without additional controls.

In fact, it’s not news anymore that many DNS threats are often encountered in the wild.

Why is DNS insecure? The answer is simple. First of all, back when the DNS was invented, security threats were not prevalent as they are now. The protocol was designed for a much smaller community of mutually trusting institutions, and it ran over unauthenticated UDP with no way to verify where an answer came from. As the Internet grew in size and importance, it became ever more attractive in the eyes of malicious actors.

Secondly, throughout time, multiple additions were made to the infrastructure of the DNS – and sometimes, perhaps without much circumspection. These aspects have contributed to the lack of security of the DNS. Thus, it should come as no surprise that a myriad of DNS threats is now endangering companies large and small and regular consumers alike.

Industry figures indicate that over a third of all cyberattacks involve the DNS. In the attack data behind that figure, the most attacked industries were Computer Software, Gambling & Casinos, and Gaming, with Telecommunications and Media outlets coming in fourth and fifth respectively. The largest DNS attack observed peaked at 1.7 million requests per second (rps), and the average was 65,000 rps.

Ensuring DNS security is therefore important for the digital identity of any business, as well as for maintaining the security and integrity of its internal applications. DNS threats are to be taken seriously and addressed properly, as they are becoming more common, complex and costly.

Types of DNS Attacks

As previously established, the DNS is responsible for the Internet as it functions today. Its infrastructure lies at the base of every digital interaction that takes place on any given day, which is why it can be involved in a variety of cyberattacks, both directly and indirectly. Zero-day exploits, bot attacks and man-in-the-middle attacks are just a few examples of the latter.

However, due to the theme of this eBook, this section will mostly focus on the former with a brief overview of the latter, namely cyberattacks in which the Domain Name System always plays a central part. There are two main types of incidents to consider in this category:

  • Denial-of-service;
  • DNS hijacking.

While the approach differs for each of the two, they have one major aspect in common – the direct employment of the DNS to fulfill nefarious purposes. Let’s have a look at each one and go over how they work.

Denial-of-service (DoS and DDoS)

A denial-of-service (DoS) attack aims to disrupt, temporarily or indefinitely, the services of a host connected to a network. Perpetrators usually achieve this by flooding the target with superfluous requests so that legitimate ones cannot be served. In the DNS variant, the flood is aimed at an authoritative or recursive nameserver, often with queries for random, non-existent subdomains that defeat caching, so that the domains it serves become unreachable even though the web servers themselves are up.

In the case of a distributed denial-of-service (DDoS) attack, the source of this superfluous traffic has multiple points of origin instead of an individual one.

A pertinent way to illustrate what a DDoS attack looks like for a webpage is to draw a parallel to a physical store. In a real-life scenario, a crowd of ill-intentioned third parties block the establishment’s doorway and thereby prevent legitimate patrons from walking in. This disrupts trade and harms the store’s reputation and financial stability.

While websites are the most common marks of a DoS or DDoS attack, other hosted services such as banking or payment gateways are often targeted as well. The motives span blackmail, revenge, activism and fraud, among others.

There are two main goals behind denial-of-service incidents: flooding a service or crashing it entirely. The distributed variant is the most damaging, as it uses the addresses of many malware-infected hosts to carry out the attack. These hosts are usually zombie computers or mobile devices that are part of a larger botnet of compromised machines.

In addition, some attackers aim their DDoS attacks at the application layer. For those unfamiliar with the OSI model, the application layer is the topmost layer (layer 7), where protocols such as HTTP and DNS itself operate.

It is also where application programming interfaces (APIs) live, connecting one computer to another across a network, or various programs to one another.

What this subtype of DDoS attack does is overexert specific, expensive functions of a website (searches, logins, API calls) to disable them while using comparatively little bandwidth. This approach is often used by hackers to distract IT administrators and security teams from a larger-scale security breach.

What makes DDoS attacks even more nefarious is the fact that the shift to a remote workforce brought upon by the COVID-19 pandemic made them one of the most prevalent threats out there.

Fortunately, denial-of-service and distributed denial-of-service attacks are usually easy to notice, because they visibly disable a website or service. Here are a few telltale signs of a DDoS attack:

  • Uncharacteristically slow network performance;
  • Inability to open files or a particular website;
  • Inability to open any website;
  • Unavailability of a particular website.
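The symptoms listed above are what a user sees; on the resolver side the same attack shows up in query logs first. The following added example (not Heimdal’s code) runs two detection rules over constructed log lines: a per-client query rate over a sliding window, and the NXDOMAIN ratio that betrays a random-subdomain flood. The log format, the thresholds and the client addresses are assumptions.

```python
import random
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10      # sliding window per client (assumed tuning)
QUERY_THRESHOLD = 50     # more than this many queries in the window = flood
NXDOMAIN_RATIO = 0.8     # share of NXDOMAIN answers that signals random-subdomain abuse
MIN_SAMPLE = 20          # do not judge the NXDOMAIN ratio on a handful of queries


def parse(line: str):
    """Constructed log format: '<iso timestamp> <client ip> <qname> <qtype> <rcode>'."""
    ts, client, qname, qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), qtype, rcode


def detect(lines):
    """Return {client: [alerts]} for clients whose recent traffic looks like a DNS flood."""
    windows = defaultdict(deque)        # client -> deque of (timestamp, rcode)
    alerts = defaultdict(list)
    for line in lines:
        ts, client, _qname, _qtype, rcode = parse(line)
        w = windows[client]
        w.append((ts, rcode))
        while (ts - w[0][0]).total_seconds() > WINDOW_SECONDS:   # expire old entries
            w.popleft()
        nxdomain = sum(1 for _, r in w if r == "NXDOMAIN")
        if len(w) >= MIN_SAMPLE and nxdomain / len(w) >= NXDOMAIN_RATIO \
                and "random-subdomain" not in alerts[client]:
            alerts[client].append("random-subdomain")
        if len(w) > QUERY_THRESHOLD and "flood" not in alerts[client]:
            alerts[client].append("flood")
    return {c: a for c, a in alerts.items() if a}


def sample_log():
    """Constructed traffic: one quiet client, one client hammering random names under a victim zone."""
    rng = random.Random(7)
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 192.0.2.10 www.example.com A NOERROR"
             for i in range(5)]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(60):
        label = "".join(rng.choices(alphabet, k=12))
        lines.append(f"{(base + timedelta(milliseconds=30 * i)).isoformat()} "
                     f"198.51.100.7 {label}.victim.example A NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, why in detect(sample_log()).items():
        print(client, why)
```

The NXDOMAIN rule fires well before the rate rule, which matters in practice: a random-subdomain attack spread across many bots keeps each source under any sensible per-client rate limit, but every one of them produces an answer mix that a normal client never does.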

DNS Hijacking

DNS hijacking is a type of cyberattack in which the perpetrator subverts the resolution of a query, rerouting it to a server under their control. In this way, hackers can direct users to a malicious website without them realizing it right away. It is often grouped with DNS cache poisoning (which is one way of achieving it) and is also called DNS redirection.

In addition to subverting individual answers, a DNS hijacking operation can also consist of modifying the behavior of a trusted DNS server or of the client’s resolver settings. This is not only done by cybercriminals to carry out phishing campaigns; it can also come from a legitimate source such as your Internet service provider (ISP).

ISPs do this to collect data for statistics, display ads, and self-serving other purposes. What is more, DNS service providers might also hijack traffic as a form of censorship to block access to certain pages.

A few examples of ISPs that have resorted to DNS hijacking for self-serving purposes are AT&T, Verizon, Sprint, and Deutsche Telekom. In addition, two Dutch ISPs, XS4ALL and Ziggo, apply the practice to block their users’ access to The Pirate Bay, an infamous torrenting platform where users download copyrighted media and other material illegally and free of charge.

While the practice of “ethical” DNS hijacking is widespread among ISPs and other legitimate entities, it violates the DNS RFCs (an NXDOMAIN answer is replaced with a synthesized address), breaks software that relies on honest negative answers, and leaves redirected users exposed to whoever controls the landing page.

For this reason, countries such as the United Kingdom have settled that the practices stand in direct opposition to relevant regulations such as the Privacy and Electronic Communications Regulations 2003 (PECR).


Other DNS Attacks

While attacks such as DNS hijacking or denial-of-service are inherently dependent on the Domain Name System as a medium for cybercrime perpetration, there are other types of attacks out there that can either employ it as a tool or are themselves tools used by hackers to penetrate the DNS.

Nevertheless, these incidents do not rely on them entirely, which is why the author has created a separate category to illustrate them.

Below, you will find a brief overview of three types of attacks that can involve the DNS but are not necessarily compelled to by their nature. These are the most common instances and can better illustrate the complexity of the issue, but the list does not start nor end with them.

Man-in-the-middle attacks

This is a form of active eavesdropping that occurs when a malicious actor intercepts and tampers with data sent between two or more parties. This type of attack can be done in various ways, but the most common way is to trick a victim’s web browser into making an HTTP request to a URL controlled by the attacker.

There are many ways to accomplish this, including by manipulating the DNS. The attacker then intercepts all traffic from that connection, including any requests for web pages, images, scripts, or other files from any website.

Zero-day attacks

A zero-day attack exploits a vulnerability for which no patch exists yet. It is among the most serious types of cyberattack, as it takes advantage of a security hole before the vendor has had time to release a fix.

The term “zero-day” refers to the fact that the vendor has had zero days to fix the flaw before it is exploited. Naturally, the exploited vulnerability can be a DNS-level flaw as well, for instance in resolver or authoritative server software.

Unfortunately, this is another type of attack that has become increasingly popular in the wake of the COVID-19 pandemic.

Bot attacks

It is a type of cyberattack in which a large number of compromised systems, typically infected with malware, are controlled as a coordinated group to mount large-scale attacks against targets. These corrupted devices are known as zombie computers or bots, and together they form a botnet.

Botnets are generally used to launch DDoS attacks, but also for email phishing, fraud, and a myriad of other cybercrimes.

Man-in-the-middle attacks, zero-day exploits, or botnets are in turn often used to carry out phishing campaigns or data exfiltration operations that aim to further bring profit to the cybercriminals behind the incident.

The web of cyberattacks is an intricate one, mainly because they are a package deal. Nonetheless, the DNS is frequently their point of origin, which is why securing it is essential to the digital well-being of any organization.

DNS Attack Methods

There is a clear difference between DNS attack types and DNS attack methods. While the former, which has been discussed at length in the previous section, refers to the concrete incident and its outcome, the latter encompasses the tools needed to get there.

Therefore, in this subsection, we will dive deeper into the techniques perpetrators use to manipulate the Domain Name System to suit their reprehensible purposes. In the following lines, you will find an overview of the below DNS attack methods:

  • DNS spoofing;
  • DNS tunneling;
  • DNS rebinding;
  • DNS amplification;
  • DNS typosquatting;
  • DNS sinkhole;
  • UDP flooding;
  • SYN flooding.

The ways in which cybercriminals infiltrate the legitimate realm of the DNS and mold it to their malicious agenda are many, but these widespread examples will help you understand what goes on behind such an attack.

DNS Spoofing

Also known as DNS cache poisoning, DNS spoofing is a technique where cybercriminals insert forged records into a resolver’s cache, so that you are connected not to the website you want to visit but to a fake one of their making.

An attack based on DNS spoofing occurs when a resolver asks for a website and receives a forged answer that arrives before the legitimate one and matches what the resolver expects (transaction ID, destination port and question). The forged record is cached and served to every client of that resolver until its TTL expires. This is one of the ways perpetrators hijack the DNS as described in the previous section.

Both BIND and Microsoft Windows Server have had cache-poisoning weaknesses; the 2008 Kaminsky attack affected most resolvers that still used a fixed source port. A hacker who can guess which domain you are about to access, or simply targets a popular one, can send you information that makes you believe you are accessing the real site.

In reality, you would be directed towards a decoy of their creation that is potentially malware-ridden. It is not just websites that can be attacked in this way though. Hackers can also use this technique on e-mail accounts and other personal information.
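What a resolver actually checks before accepting an answer, and therefore how much an off-path forger has to guess, is shown by the following added example (not Heimdal’s code). It models the resolver’s outstanding-query record and the three defences that raise the guess space: the 16-bit transaction ID, source-port randomization (RFC 5452) and mixed-case question names (“0x20 encoding”, draft-vixie-dnsext-dns0x20). Names and numbers are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class Outstanding:
    """What a resolver remembers about a query it has sent upstream."""
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str       # question name exactly as sent (case preserved)


def resolver_accepts(q: Outstanding, reply_txid: int, reply_dst_port: int,
                     reply_qname: str, case_sensitive: bool) -> bool:
    """A reply is accepted only if it matches the outstanding query.

    With `case_sensitive` the resolver randomized the letter case of the question
    (0x20 encoding) and expects the same mixed case echoed back, which an
    off-path forger also has to guess.
    """
    if reply_txid != q.txid or reply_dst_port != q.src_port:
        return False
    if case_sensitive:
        return reply_qname == q.qname
    return reply_qname.lower() == q.qname.lower()


def guess_space_bits(random_port: bool, case_randomized_letters: int) -> float:
    """Bits an off-path attacker must guess per forged reply.

    16 bits of TXID always; ~16 more when the source port is randomized over the
    ephemeral range (RFC 5452); one more per letter with 0x20 encoding.
    """
    bits = 16.0
    if random_port:
        bits += math.log2(65535 - 1024)
    return bits + case_randomized_letters


def expected_forgeries(bits: float) -> float:
    """Average number of forged replies needed before one matches (half the space)."""
    return 2 ** bits / 2


def letters_in(qname: str) -> int:
    return sum(c.isalpha() for c in qname)


if __name__ == "__main__":
    name = "www.example.com"
    for port, case in ((False, 0), (True, 0), (True, letters_in(name))):
        bits = guess_space_bits(port, case)
        print(f"random port={port!s:5} 0x20 letters={case:2}: "
              f"{bits:5.1f} bits, ~{expected_forgeries(bits):.3g} forged replies")
```

With a fixed port the attacker needs on average about 32,000 forged packets, a few seconds of traffic; with port randomization that becomes roughly two billion, and each extra case-randomized letter doubles it again. DNSSEC validation removes the race entirely, because a forged answer fails signature checking however lucky the guess.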

DNS Tunneling

DNS tunneling is a process in which other network traffic is carried inside DNS messages, creating an alternative path for data to travel. This can serve many purposes, including bypassing network filters and firewalls, because DNS is one protocol that almost every network allows out.

Used legitimately, a DNS tunnel routes a user’s traffic through a remote server to reach resources that are otherwise blocked, much as a virtual private network (VPN) does; the technique is not inherently malicious.

Unfortunately, hackers often leverage this process for their own purposes. In a malicious context, DNS tunneling is an attack method where data is smuggled out in DNS queries (typically encoded in subdomain labels of a domain the attacker controls) and commands are smuggled back in the answers. This creates a covert channel across a network that would not otherwise allow the traffic, and it often escapes filtering and firewalls that do not inspect DNS.
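Both ends of such a tunnel, and a log-side heuristic for spotting it, as an added example (not Heimdal’s code): the client packs a payload into base32 labels under an attacker-controlled zone, respecting the 63-octet label and 253-character name limits, the attacker’s nameserver reorders and decodes the queries, and a detector scores names by subdomain length, label count and character entropy. The zone t.example, the payload and the thresholds are assumptions.

```python
import base64
import math
from collections import Counter

MAX_LABEL = 63        # RFC 1035: a label is at most 63 octets
MAX_NAME = 253        # practical limit for a textual hostname
ZONE = "t.example"    # attacker-controlled zone whose nameserver receives the data (hypothetical)


def encode_chunks(data: bytes, zone: str = ZONE) -> list:
    """Pack a payload into DNS query names: base32 text split into <=63-char labels,
    as many labels per name as fit under 253 chars, plus a sequence label 's<n>'."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    queries, seq = [], 0
    while labels:
        chosen = []
        while labels and len(".".join(chosen + [labels[0], f"s{seq}", zone])) <= MAX_NAME:
            chosen.append(labels.pop(0))
        queries.append(".".join(chosen + [f"s{seq}", zone]))
        seq += 1
    return queries


def decode_chunks(queries: list, zone: str = ZONE) -> bytes:
    """What the attacker's nameserver does: reorder by sequence label and undo the base32."""
    zone_depth = len(zone.split("."))
    ordered = sorted(queries, key=lambda q: int(q.split(".")[-zone_depth - 1][1:]))
    text = "".join("".join(q.split(".")[:-zone_depth - 1]) for q in ordered).upper()
    text += "=" * (-len(text) % 8)                       # restore base32 padding
    return base64.b32decode(text)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(qname: str, zone_depth: int = 2) -> bool:
    """Heuristic used on resolver logs: long subdomain part, many labels, high entropy."""
    labels = qname.split(".")
    sub = "".join(labels[:-zone_depth])
    score = 0
    if len(sub) > 40:
        score += 1
    if len(labels) - zone_depth > 2:
        score += 1
    if sub and entropy(sub) > 3.5:
        score += 1
    return score >= 2


if __name__ == "__main__":
    secret = b"user=admin;pass=hunter2;" * 25          # constructed payload
    qs = encode_chunks(secret)
    print(len(qs), "queries, first:", qs[0][:60] + "...")
    assert decode_chunks(qs) == secret
    print("flagged:", looks_like_tunnel(qs[0]),
          "| www.google.com flagged:", looks_like_tunnel("www.google.com"))
```

The detector is deliberately crude; real tunnelling tools shorten labels and pace queries to stay under such thresholds, which is why production detection also looks at query volume per zone, TXT/NULL record types and the ratio of unique subdomains.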

DNS Rebinding

DNS rebinding is a technique that abuses the browser’s same-origin policy, which is keyed on the hostname rather than on the IP address the hostname currently resolves to. The attacker controls a domain and its authoritative nameserver, and answers queries for it with a very short TTL.

The sequence is as follows: the victim opens a page on the attacker’s domain, which first resolves to the attacker’s server and delivers a script. Once the TTL has expired, the attacker’s nameserver starts answering with an internal address instead (for example the victim’s router, a local development server, or another service on the LAN). Because the hostname has not changed, the browser treats the new target as the same origin, and the script can now read responses from a service that was never exposed to the Internet. No authentication is required of the attacker, and any device with a browser, including smartphones, can serve as the pivot.

Clearing the browser cache or using a private window does not help, since the attack relies on normal resolution behavior. The defences sit elsewhere: on the resolver, which should refuse answers that map external names to private, loopback or link-local addresses (as dnsmasq’s --stop-dns-rebind option does), and on the internal service, which should validate the Host header and require authentication rather than trusting that a request originates from the LAN.
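The rebinding sequence and the two defences just described, as an added example (not Heimdal’s code): the attacker’s nameserver answers with its own host first and an internal target afterwards, the browser connects to whatever the name currently resolves to, and a resolver filter plus a Host header check each stop the pivot. The attacker domain, the target address and the constructed “public” address 11.22.33.44 are assumptions (the documentation ranges are avoided here because Python’s ipaddress module classifies them as private).

```python
import ipaddress


def is_internal(ip: str) -> bool:
    """Addresses a public hostname has no business resolving to."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified


def filter_rebinding(qname: str, answers: list, allowlist=()) -> list:
    """Resolver-side defence: drop internal addresses returned for names outside an
    explicit allowlist (what dnsmasq's --stop-dns-rebind does, with --rebind-domain-ok)."""
    if any(qname == d or qname.endswith("." + d) for d in allowlist):
        return answers
    return [ip for ip in answers if not is_internal(ip)]


class RebindingNameserver:
    """Attacker's authoritative server: the first answer is the attacker's web host, every
    later answer is the internal target. TTL 0 makes the browser re-resolve almost at once."""

    def __init__(self, public_ip: str, target_ip: str):
        self.public_ip, self.target_ip, self.served = public_ip, target_ip, 0

    def answer(self):
        self.served += 1
        ips = [self.public_ip] if self.served == 1 else [self.target_ip]
        return "attacker.example", ips, 0          # (qname, answers, ttl)


def browser_session(ns: RebindingNameserver, resolver_filters: bool):
    """Page load, then a fetch() from the loaded script after the TTL has expired.
    Returns the addresses each step actually connects to (same origin both times)."""
    steps = []
    for _ in range(2):
        qname, ips, _ttl = ns.answer()
        steps.append(filter_rebinding(qname, ips) if resolver_filters else ips)
    return tuple(steps)


def host_header_ok(host_header: str, allowed=("localhost", "127.0.0.1")) -> bool:
    """Service-side defence: an internal service honours only requests addressed to its
    own name, so a request whose Host header reads attacker.example is refused."""
    return host_header.split(":")[0].lower() in allowed


if __name__ == "__main__":
    print("no filter:", browser_session(RebindingNameserver("11.22.33.44", "192.168.1.1"), False))
    print("filtered: ", browser_session(RebindingNameserver("11.22.33.44", "192.168.1.1"), True))
```

The second step with filtering returns no address at all, which is the correct outcome: the script’s fetch fails instead of reaching the router. Note that the allowlist exists because split-horizon setups legitimately return private addresses for internal names.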

DNS Amplification

DNS amplification is a method used in DoS attacks to exploit the Domain Name System and amplify traffic to target servers.

This attack method is also called DNS reflection. The attacker sends small queries to open recursive resolvers (or to authoritative servers) with the source IP address forged to be the victim’s. Queries are chosen so that the answer is far larger than the question: classically a query of type ANY, or one for a large TXT record, with EDNS0 advertising a big response buffer.

The resolvers send their answers to the forged source, i.e. to the victim, which thus receives many times the traffic the attacker paid for; amplification factors of several dozen are typical, and DNSSEC-signed responses make them larger still. The traffic arrives as UDP from port 53 of hundreds or thousands of reflectors, which both hides the attacker and makes filtering by source address impractical.
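The arithmetic of reflection, and the mitigation an open resolver can apply, as an added example (not Heimdal’s code): an amplification factor from constructed packet sizes, and a response rate limiter of the kind BIND’s RRL implements in spirit, keyed on the spoofed client address and the question. Sizes, rates and addresses are assumptions.

```python
from collections import defaultdict


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_bytes / query_bytes


def victim_traffic_mbps(attacker_mbps: float, factor: float) -> float:
    """What arrives at the spoofed source address when every reflector answers."""
    return attacker_mbps * factor


class ResponseRateLimiter:
    """Token bucket keyed on (client address, qname): a reflector sees the *victim* as a
    client asking the same thing over and over. Past the budget, responses are dropped;
    every `slip_every`-th one is instead 'slipped' (a truncated TC=1 answer), so a real
    client can retry over TCP, which a spoofed source cannot."""

    def __init__(self, per_second: float, slip_every: int = 2):
        self.per_second, self.slip_every = per_second, slip_every
        self.buckets = defaultdict(lambda: [per_second, 0.0, 0])   # tokens, last refill, over count

    def decide(self, client_ip: str, qname: str, now: float) -> str:
        b = self.buckets[(client_ip, qname)]
        b[0] = min(self.per_second, b[0] + (now - b[1]) * self.per_second)
        b[1] = now
        if b[0] >= 1:
            b[0] -= 1
            b[2] = 0
            return "answer"
        b[2] += 1
        return "slip" if self.slip_every and b[2] % self.slip_every == 0 else "drop"


if __name__ == "__main__":
    # Constructed sizes: a 64-byte ANY query with EDNS0 versus a ~3,200-byte signed answer.
    f = amplification_factor(64, 3200)
    print(f"factor {f:.0f}x: a 100 Mbit/s attacker lands {victim_traffic_mbps(100, f):.0f} Mbit/s on the victim")
    rrl = ResponseRateLimiter(per_second=5)
    print([rrl.decide("192.0.2.9", "example.com/ANY", 100.0) for _ in range(9)])
```

Rate limiting only helps the victim if the reflectors deploy it; the other half of the fix is that networks stop forwarding packets with forged source addresses (BCP 38), which removes the reflection step altogether.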

UDP Flooding

UDP flooding is a method used as part of denial-of-service attacks in which the attacker sends large numbers of UDP packets in an attempt to exhaust the target’s system resources. The use of UDP in this way is in contrast to another type of DoS attack, TCP SYN flooding, which sends TCP packets.

While TCP uses a three-way handshake when establishing a connection, UDP does not require any acknowledgment from the receiving host. This means an attacker can send packets at high rates without keeping any state, and with forged source addresses, since no reply is needed.

For clarification, the User Datagram Protocol (UDP) is a connectionless protocol for transmitting packets over an IP network. It is simple and has few features, which makes it ideal for small or latency-sensitive exchanges such as DNS lookups and audio or video streams, especially over congested networks.

SYN Flooding

SYN flooding is a denial-of-service method that targets TCP’s three-way handshake. For every SYN it receives, a server replies with a SYN-ACK and keeps a half-open connection entry while it waits for the client’s final ACK. The attacker sends SYNs at a high rate, usually from forged source addresses, and never completes the handshake.

Each half-open entry lingers until a timeout, so the backlog fills with bogus entries and new, legitimate SYNs are dropped: the service becomes unreachable even though the host is otherwise healthy. Mitigations include SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it), larger backlogs with shorter timeouts, and upstream filtering.

A SYN segment is the first packet of the TCP three-way handshake that establishes a connection between two hosts. The SYN bit in the TCP header signals a request to synchronize sequence numbers with the recipient.

The ACK bit indicates that the acknowledgment number field is valid, i.e. that this segment acknowledges data received from the other side. The RST bit aborts the connection outright; it is what a host sends when a segment arrives for a connection it does not recognize.
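The backlog exhaustion described above, and why SYN cookies defeat it, as an added example (not Heimdal’s code): a listener with a bounded half-open table is flooded with SYNs from forged sources that never acknowledge, after which a legitimate client tries to connect. With cookies enabled the server stores nothing per SYN and instead recomputes the expected acknowledgment from an HMAC over the connection tuple (a simplified version of the kernel scheme, which also encodes MSS and a time counter). Addresses, the secret and the backlog size are constructed.

```python
import hashlib
import hmac
import random


class Listener:
    """A TCP listener with a bounded half-open (SYN_RECV) table, optionally using SYN cookies."""

    def __init__(self, backlog: int, syn_cookies: bool = False, secret: bytes = b"constructed-secret"):
        self.backlog, self.syn_cookies, self.secret = backlog, syn_cookies, secret
        self.half_open = {}          # (ip, port) -> (client_isn, server_isn); state kept per SYN
        self.established = set()
        self._rng = random.Random(1)

    def _cookie(self, ip: str, port: int, client_isn: int) -> int:
        """Stateless server ISN: an HMAC over the connection tuple and the client ISN."""
        tag = hmac.new(self.secret, f"{ip}:{port}:{client_isn}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, ip: str, port: int, client_isn: int):
        """Handle a SYN. Returns the server ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port, client_isn)          # nothing stored
        if len(self.half_open) >= self.backlog:
            return None                                        # backlog exhausted
        server_isn = self._rng.randrange(2 ** 32)
        self.half_open[(ip, port)] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, ip: str, port: int, client_isn: int, ack_number: int) -> bool:
        """Handle the handshake's final ACK, which must acknowledge server_isn + 1."""
        if self.syn_cookies:
            ok = ack_number == (self._cookie(ip, port, client_isn) + 1) % 2 ** 32
        else:
            entry = self.half_open.pop((ip, port), None)
            ok = entry is not None and ack_number == (entry[1] + 1) % 2 ** 32
        if ok:
            self.established.add((ip, port))
        return ok


def flood_then_connect(listener: Listener, spoofed_syns: int) -> bool:
    """Send `spoofed_syns` SYNs from forged sources that never ACK, then try a real handshake."""
    rng = random.Random(3)
    for i in range(spoofed_syns):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"   # forged source
        listener.on_syn(src, 40000 + i, rng.randrange(2 ** 32))
    server_isn = listener.on_syn("11.22.33.44", 51234, 1000)          # legitimate client (constructed)
    if server_isn is None:
        return False
    return listener.on_ack("11.22.33.44", 51234, 1000, (server_isn + 1) % 2 ** 32)


if __name__ == "__main__":
    print("backlog only :", flood_then_connect(Listener(backlog=128), 1000))
    print("SYN cookies  :", flood_then_connect(Listener(backlog=128, syn_cookies=True), 1000))
```

The cost of cookies is that the server learns nothing from the SYN it did not store, which is why real implementations squeeze the MSS into the cookie and why they are typically switched on only once the backlog is under pressure.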

DNS Attack Tools

In the segment dedicated to denial-of-service attacks, we have delved into what goes on behind the scenes when this type of threat is involved. However, DNS attacks that target businesses are usually a multi-step operation, as clarified in the previous sections, and they start with the hijacking of a previously legitimate domain.

Cybercriminals then seed the hijacked websites with malicious content, malware being by far the most common payload.

In 2023 alone, Heimdal DNS Security – Endpoint blocked nearly 9.7 million malicious domains, 5 million of which served malware. Command and control servers that led to device enslavement into botnets were also high on the list, as were phishing attempts. Lower on the list, but still above 100,000 blocked attempts each, were exploit and typosquatting domains.

Ransomware, adware, APTs, viruses and worms were also present among the domain infections blocked by our DNS Security product in 2023, but they ranked a lot lower. None of their counts exceeded 8,300 attempts, which is still considerable, but nowhere near run-of-the-mill malware.

What is DNS Security?

As its name implies, DNS security refers to the set of practices employed by an individual or an organization to prevent attacks that are either at the level of the Domain Name System or facilitated by it. As mentioned in a preceding chapter, the DNS was simply not built with security in mind because cyberattacks that exploited it were not common in the 1980s.

Nevertheless, the entities in charge of administering this infrastructure soon realized the dangers it posed, and thus, Domain Name System Security Extensions were created. This was the world’s response to an ever-increasing pool of cyber threats that aimed to exploit this vulnerable system as much as possible.

DNS Security Components

In this subchapter, we will discuss traditional DNS security components such as DNSSEC, response policy zones, and demilitarized zones, as well as additional measures you can take to improve your enterprise DNS security.

As always, what is standard must be enhanced on our own accord with appropriate solutions and policies that complement it. In this chapter, you will learn how to achieve just that and take a proactive stance against DNS hijacking, DDoS, and other such attacks.

DNSSEC

As hackers started learning new and cunning ways to exploit this then-new infrastructure, the need arose for more robust protection at the level of the Domain Name System. This is how Domain Name System Security Extensions were created, or DNSSEC for short.

As a consequence, the Internet Engineering Task Force (IETF) released the first Request for Comments (RFC) about DNSSEC in 1997. This RFC and the subsequent ones released on the same topic are specifications that help protect the DNS against a variety of intrusions.

Because DNS queries are not inherently secured and the parties involved in query resolution are always susceptible to one or more types of attacks, these solutions were designed as add-ons or extensions.

DNSSEC provides authentication and integrity for DNS data: a validating resolver can prove that an answer (or a denial) is what the zone owner published. It does not provide confidentiality, since queries and answers still travel in clear text, and it does not stop denial-of-service; larger signed responses actually make reflection attacks more potent. What it does prevent is cache poisoning and the forged answers behind many of the hijacking scenarios explained previously, which makes it a cornerstone of digital trust.

Through signature checking, a validating resolver verifies that the data it received is identical to what the authoritative server signed. This is possible because each zone’s RRsets carry digital signatures (RRSIG records) produced with the zone’s private key, and the corresponding public key (DNSKEY) is in turn vouched for by a DS record in the parent zone, all the way up to the root. If validation fails, the resolver treats the answer as bogus and returns SERVFAIL rather than passing on the forged data.

Types of DNS Security Extensions

DNSSEC is not a single feature but a set of services that work together. Looking at each one helps to understand what these extensions do, and do not, cover at the level of your resolvers and zones. The main services are:

Cryptographic authentication of DNS data

DNSSEC authenticates data with asymmetric (public-key) cryptography: zones sign with a private key and resolvers verify with the published DNSKEY, using algorithms such as RSA/SHA-256, ECDSA P-256 or Ed25519. Symmetric keys (HMAC) are used in a different mechanism, TSIG, to authenticate zone transfers and dynamic updates between servers that share a secret; that is cheaper but does not scale to resolvers the zone has no relationship with.

Authenticated DoE (Denial of Existence)

This service lets a validating resolver prove that a name or record type really does not exist, so that a forged NXDOMAIN cannot make a site disappear and a forged positive answer cannot be slipped in for a name that was never registered. It is implemented with NSEC records, which list the next existing name in the zone, or NSEC3 records, which hash the names to make zone enumeration harder.

Data integrity and authentication

DNS Security Extensions ensure integrity by binding cryptographically generated digital signatures (RRSIG records) to the corresponding DNS RRsets, the sets of resource records that share an owner name, class and type. As explained in Microsoft’s DNS documentation, resource records (RRs) are the “building blocks of host-name and IP information and are used to resolve all DNS queries”.

RRs come in many types: A for name-to-IPv4 mapping, AAAA for IPv6, MX for mail exchangers, TXT for arbitrary text, and the legacy MB and MF mailbox types, among many others (Microsoft’s WMI provider exposes them as classes such as MicrosoftDNS_AType and MicrosoftDNS_MBType). DNSSEC signs each RRset as a unit, whatever its type.

Furthermore, DNSSEC also covers origin authentication, providing an extra security boost. Because the signature chain leads back to the root trust anchor, servers and resolvers know that the data was published by the legitimate zone operator and not by whoever answered first.
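One link of the chain of trust just described, as an added example (not Heimdal’s code): computing a DNSKEY’s key tag (RFC 4034 Appendix B) and the DS digest the parent zone publishes (RFC 4034 §5.1.4, hash over the canonical owner name followed by the DNSKEY RDATA), then checking a child key against that DS the way a validating resolver does. The key bytes are random stand-ins for a real public key, so the signature step itself is not shown; the zone name is example.com.

```python
import hashlib
import random
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 §6.2): lowercase labels, length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum that lets a DS or RRSIG name the key it refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 §5.1.4: digest = hash(canonical owner name || DNSKEY RDATA). Type 2 is SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RR the *parent* zone publishes for a child KSK: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def chain_link_valid(parent_ds: tuple, owner: str, child_dnskey_rdata: bytes) -> bool:
    """A validating resolver trusts the child's DNSKEY only if it reproduces the parent's DS."""
    return parent_ds == ds_record(owner, child_dnskey_rdata, parent_ds[2])


def constructed_public_key(seed: int = 42, size: int = 64) -> bytes:
    """Random bytes standing in for an ECDSA P-256 public key; not a real key, so no signing here."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 13, constructed_public_key())          # algorithm 13 = ECDSA P-256/SHA-256
    tag, alg, dtype, digest = ds_record("example.com", ksk)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 1])
    print("genuine key validates:", chain_link_valid((tag, alg, dtype, digest), "example.com", ksk))
    print("tampered key validates:", chain_link_valid((tag, alg, dtype, digest), "example.com", tampered))
```

This is the step that makes the hierarchy a chain: the child can rotate its keys at will, but nothing it signs counts until the parent publishes a matching DS, and the root’s own key is pinned in resolvers as a trust anchor.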

Response Policy Zones

If you have been doing some research on DNS security, then you might have seen the term response policy zones (RPZs) being mentioned a lot – not to be confused with DMZs (demilitarized zones), which will be discussed in the following subsection.

RPZs are a way to apply policy on a recursive DNS server: a zone file whose records are rules stating which names (or answer addresses, or nameserver names and addresses) the resolver should refuse, rewrite or redirect. Typical actions return NXDOMAIN or NODATA, drop the query silently, or point it at a walled-garden address. The benefit for DNS security is that clients simply cannot resolve domains known to be linked to malicious servers, and every attempt is logged for the security team.

Demilitarized Zones

The term demilitarized zone in the context of computer security refers to the logical or physical subnet that separates a LAN from potentially untrusted networks. A DMZ is a buffer network that sits between a private and a public network. The DMZ provides a layer of protection for the private network by screening all incoming and outgoing traffic.

The purpose of the DMZ is to protect the organization’s internal, or “private”, network from unauthorized access from outside networks, such as the Internet. A DMZ can also be used to provide a layer of protection for an organization’s external, or “public”, network from unauthorized access from inside networks.

DNS Protocol Enhancement

When it comes to DNS-based attacks, DNSSEC should not be your primary line of security. While its security benefits cannot be contested, more sophisticated protocols such as DNS over HTTPS (DoH) and DNS over TCP are available.

All DNS queries transmitted from a browser to a server are encrypted using the DoH protocol, which prevents manmade attacks from getting through encryption measures. DNSSEC has been extended to cover DNS over HTTPS and, although the concept is still in its early stages, the idea is that DNS over HTTPS would enable authenticated queries to be checked by DNSSEC.

DNS over TCP is another protocol that establishes a dead drop for messages and allows encrypted communications between two parties without first establishing a connection. These sorts of security layers provide data privacy to standard DNS connections, meaning that queries conducted on your company’s endpoints are less likely to be intercepted.
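To make the DoH description above concrete, here is an added example (not code from this article or from Heimdal) showing what actually travels inside the HTTPS connection: an ordinary DNS wire-format query, base64url-encoded into the `dns` parameter of an RFC 8484 GET request, and a wire-format reply parsed back out. No network is used; the resolver URL and addresses are placeholders and the reply is constructed locally so the parser can be exercised offline.

```python
"""DNS over HTTPS (RFC 8484) query construction and response parsing
(added example, not the article's or Heimdal's code).  No network is
used: the "response" is constructed locally to exercise the parser.

DoH carries ordinary DNS wire-format messages inside HTTPS.  For a GET
request the message is base64url-encoded without padding into the
``dns`` query parameter; the reply body is a DNS message with media type
application/dns-message.  Resolver URL and addresses are placeholders.
"""
import base64
import struct

A, CNAME = 1, 5


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=A):
    # ID 0 is what RFC 8484 recommends for DoH, so identical queries
    # produce identical URLs and HTTP caches can serve them.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, qname, qtype=A):
    """Build the RFC 8484 GET form: <resolver>?dns=<base64url, no '='>."""
    wire = build_query(qname, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:             # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                      # only backward pointers,
                raise ValueError("bad compression pointer")  # no loops
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value)]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                         # skip question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == CNAME:
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_response(query, ipv4_addresses, ttl=60):
    """Constructed stand-in for a resolver reply: echoes the question and
    answers with A records whose owner name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ipv4_addresses), 0, 0)
    body = b""
    for ip in ipv4_addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, ttl, 4) + rdata
    return header + query[12:] + body


if __name__ == "__main__":
    print(doh_get_url("https://doh.example.net/dns-query", "www.example.com."))
    reply = build_response(build_query("www.example.com."), ["192.0.2.10"])
    print(parse_response(reply))
```

Two details matter for a defender reading DoH traffic or writing a client: the transaction ID is fixed at 0, so the usual UDP anti-spoofing role of the ID is replaced entirely by the TLS session, and the name decoder must reject forward or self-referencing compression pointers, which is a classic parser hardening point in any DNS implementation.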

How to Improve Your DNS Security

The term DNSSEC, in a nutshell, refers to the methodology used to protect DNS servers, data, and clients from unlawful eavesdropping and data exfiltration.

However, said DNSSEC methodology, even when combined with other traditional security components such as RPZs or DMZs, requires heavy backup from additional DNS protection measures to guard your enterprise and all its digital assets against intrusions performed by malicious third parties.

For example, DNSSEC can detect man-in-the-middle attacks by performing data origin authentication. However, the infrastructure will not prevent these types of attacks. Therefore, DNS security extensions and the other standard components that we discussed above are subsets of DNS security, not a synonym for it.

Endpoint DNS Security

To strengthen your cybersecurity posture when it comes to accessing the Domain Name System, you will need to augment the capabilities of these traditional components with state-of-the-art solutions.

The first step consists of investing in DNS filtering, a simple yet effective line of defense that sifts through the traffic circulating towards and from corporate machines. This is a straightforward way to make sure that no malicious actors pass through unnoticed.

Another important aspect to consider is finding a solution that can operate in unison with any antivirus solution, enhancing its firewall and EDR functionalities with an innovative threat-hunting component that foresees tomorrow’s threats today. In this way, you can achieve cyber-threat prevention and take a proactive stance in your overall DNS security infrastructure.

This is highly important in an area such as the Domain Name System, where most traditional measures are reactive at best.

Heimdal Security’s answer to this is Threat Prevention, a code-autonomous endpoint DNS threat hunting system that can detect malicious URLs and processes, then backtrack the attacker’s sources for full visibility into what is going on behind the scenes in your cybersecurity realm.

With such a tool under your belt, you can gain comprehensive control over your endpoints and network, all under one accessible interface.

Network DNS Security

Nevertheless, endpoint protection is only the first step towards a truly proactive and progressive cybersecurity posture. While company devices were responsible for most of the traffic going in and out of your corporate network a few years ago, now the reality is different.

Not only did many workplaces embrace the BYOD revolution, but the pandemic also sent most of the digital workforce into remote offices that can be situated anywhere. This raises an unprecedented cybersecurity concern for companies – how do you know who and what connects to your online network perimeter?

Heimdal Security’s DNS Security – Network module simplifies the answer to this question greatly. Offering complete device coverage for mobile phones, tablets, and IoT gadgets alike, our tool logs network activity and keeps an eye out for any suspicious behavior.

In this way, you can add an even more encompassing threat-hunting component to your DNS security, permanently solidifying your defenses and preventing any malicious domains from infecting your system.

Wrapping Up

The Domain Name System is the initial entry point for a wide array of cyberattacks. If left uncovered, this cybersecurity segment can lead to sensitive data exfiltration, financial losses, reputational damages, and other dire consequences.

Thus, it is your responsibility to augment defenses and ensure that your corporate endpoints and network do not fall victim to intricate DNS-based attacks.

Luckily, standard DNS security measures have been put into place over time, such as DNSSEC. By making use of these and adding additional solutions such as Heimdal DNS Security – Endpoint and DNS Security – Network on top, you can achieve the correct stance against cyber attackers trying to exploit the Domain Name System for their nefarious intent.

As with anything, proactive protection is always the best course of action.


Author Profile

Adelina Deaconu

CONTENT EDITOR


With over three years as a SOC Team Lead in the Heimdal MXDR department, Adelina is dedicated to sharing her knowledge and insights through her writing. Her articles and publications provide invaluable guidance on emerging trends, best practices, and effective strategies to combat cyber threats.
