DNS lets a user type a domain name (as part of a Uniform Resource Locator, or URL) into the browser and reach the requested website. In the background, DNS resolvers and authoritative servers communicate with each other to translate that name into an Internet Protocol (IP) address. Sounds good, but what could go wrong?
Attack on DNS
Malicious actors manipulate DNS to intercept traffic and steal sensitive data. On January 9, 2019, FireEye released a report detailing a campaign of DNS hijacking attacks that affected dozens of domains belonging to governments, telecommunications companies, and internet infrastructure entities. Three techniques were used: altering DNS A records so that a hostname resolved to an attacker-controlled IP address, altering NS records so that the attacker's name server answered for the whole domain, and a DNS redirector that answered lookups for targeted hostnames with attacker IP addresses while passing all other lookups on to the legitimate servers. Because the attackers also obtained valid TLS certificates for the hijacked names, victims saw no browser warnings while their traffic and credentials were being captured.
Best Practices to Prevent DNS attacks
In direct response to these attacks, the Department of Homeland Security issued Emergency Directive 19-01, "Mitigate DNS Infrastructure Tampering," on January 22, 2019. It required federal agencies to audit their DNS records, change the passwords on DNS accounts, add multi-factor authentication to those accounts, and monitor Certificate Transparency logs. The same mitigations apply to any organization that owns domains.
Password policies. The attacks succeeded because the credentials of accounts used to manage DNS records had been compromised. A password policy that dictates minimum length, maximum age, password history, and complexity raises the bar for all of your systems; above all, change the password on every account that can modify DNS records at your registrar, your DNS hosting provider, or your authoritative servers. Those accounts should also require multi-factor authentication, pairing the username and password with a hardware security key, a one-time-password token, or a biometric factor, so that a stolen password alone cannot change a record.
Audit DNS records. Audit your DNS records routinely, comparing the A and NS records (and MX records, if you run mail) that public resolvers return with the values you know to be correct, so that any unauthorized change is detected promptly. It is also important to review the public Certificate Transparency logs for your domains and confirm that every Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate listed was requested by your organization; a certificate you did not request means someone else controlled the name long enough to pass domain validation.
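The audit described above, as an added example that is not part of the original article or of the FireEye report: the script compares the A and NS records a resolver returned against a known-good baseline, and flags Certificate Transparency entries for the organization's domains whose serial numbers are not in its certificate inventory. The domain names, IP addresses, serial numbers, and CT log entries are constructed sample data; in practice the observed records would come from dig or dnspython, and the CT entries from a query to a log search service such as crt.sh (the JSON field names follow crt.sh's output, the values are made up).

```python
"""Audit DNS A/NS records and Certificate Transparency entries against a baseline."""
import json
from dataclasses import dataclass

# Known-good records kept by the organization (constructed example values).
BASELINE = {
    "example.com": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.net.", "ns2.example.net."},
    },
    "mail.example.com": {
        "A": {"203.0.113.25"},
        "NS": {"ns1.example.net.", "ns2.example.net."},
    },
}

# Records as returned by a public resolver (constructed; in practice fetched
# with dig or dnspython). The mail host's A record has been pointed elsewhere.
OBSERVED = {
    "example.com": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.net.", "ns2.example.net."},
    },
    "mail.example.com": {
        "A": {"198.51.100.7"},  # attacker-controlled address, not the baseline value
        "NS": {"ns1.example.net.", "ns2.example.net."},
    },
}

# Serial numbers of certificates the organization actually requested (constructed).
KNOWN_SERIALS = {"04a1b2c3d4e5f60718293a4b5c6d7e8f9a0b"}

# CT log query result in the JSON shape crt.sh returns (constructed entries).
# name_value holds the certificate's SANs separated by newlines.
CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example Corp CA", "common_name": "mail.example.com",
     "name_value": "mail.example.com", "serial_number": "04A1B2C3D4E5F60718293A4B5C6D7E8F9A0B",
     "not_before": "2018-06-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Public CA", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nwebmail.example.com", "serial_number": "03FF0102030405",
     "not_before": "2019-01-05T09:12:44"},
])


@dataclass(frozen=True)
class Finding:
    """One record set that differs from the baseline."""
    domain: str
    rrtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        missing = sorted(self.expected - self.observed)
        unexpected = sorted(self.observed - self.expected)
        return f"{self.domain} {self.rrtype}: missing={missing} unexpected={unexpected}"


def audit_records(baseline, observed):
    """Return one Finding per record set whose observed values differ from the baseline.

    A domain absent from `observed` (lookup failed or returned nothing) is reported
    with an empty observed set: a name that suddenly stops resolving is also a signal.
    """
    findings = []
    for domain, rrsets in baseline.items():
        seen = observed.get(domain, {})
        for rrtype, expected in rrsets.items():
            got = frozenset(seen.get(rrtype, set()))
            if got != frozenset(expected):
                findings.append(Finding(domain, rrtype, frozenset(expected), got))
    return findings


def audit_ct_entries(ct_json, known_serials, domains):
    """Return CT entries that cover one of our domains but whose serial is not in our inventory."""
    ours = set(domains)
    suspicious = []
    for entry in json.loads(ct_json):
        names = set(entry["name_value"].split("\n")) | {entry["common_name"]}
        if names & ours and entry["serial_number"].lower() not in known_serials:
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for finding in audit_records(BASELINE, OBSERVED):
        print("DNS:", finding.describe())
    for entry in audit_ct_entries(CT_JSON, KNOWN_SERIALS, BASELINE):
        print("CT: unrecognized certificate", entry["serial_number"], "issued by", entry["issuer_name"])
```

Run the audit from several vantage points (your own resolver and at least one public resolver), because an altered A record at the authoritative server and a poisoned or redirected resolver look identical from a single one. Serial numbers are compared case-insensitively because CT search services and certificate inventories do not agree on hex casing.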
Updates. Keep the firmware and software of your DNS servers, and of the systems used to manage them, current with the latest security updates and patches.
Resources:
FireEye, "Global DNS Hijacking Campaign: DNS Record Manipulation at Scale"; retrieved from fireeye.com
US-CERT, "DNS Infrastructure Hijacking Campaign"; retrieved from us-cert.gov
DHS, "Emergency Directive 19-01: Mitigate DNS Infrastructure Tampering"; retrieved from cyber.dhs.gov