Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    New DNS Attacks Make Use of DNSSEC More Critical Than Ever

    Written by

    Wayne Rash
    Published February 26, 2019
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      An insidious new series of cyber-attacks that redirect traffic intended for specific websites by changing their DNS records has resulted in the first emergency directive by the Cybersecurity and Infrastructure Security Agency. This directive was followed in February by an alert by ICANN (Internet Corporation for Assigned Names and Numbers) of a growing effort by state-sponsored attackers to compromise the Domain Name System through attacks on top-level domains.

      What this means to you is that the threat actor could change your organization’s DNS entry so that traffic to your internet addresses instead goes elsewhere. This redirection allows the bad actor to examine this traffic in detail, after which it may be copied before being sent back to your organization.

      According to researchers at FireEye, the domain hijacking is being carried out by attackers in Iran. While the focus of most of the attacks appears to be government and commercial interests in the Middle East, attacks elsewhere have been reported. However, CISA believes that the DNS hijacking attacks will continue and be aimed against government and commercial interests in the United States and elsewhere.

      How the Hijacking Works

      The CISA directive lists three steps that allow attackers to perform the hijacking. First, the attacker obtains credentials of an administrator that can change DNS records. This is done using techniques described here before, including phishing emails and social engineering.

      Next, the attacker changes the DNS records, including the address, mail exchanger and name server records, replacing them with addresses controlled by the attacker where traffic aimed at that address can be examined or manipulated.

      Finally, because the attacker has set the DNS record values, they can obtain valid encryption certificates for the domains being attacked, allowing traffic to be decrypted. Because the certificate is valid, users won’t receive any error messages.

      The CISA directive requires government users to take four actions to prevent such hijacking. They are to audit DNS records to verify that they resolve properly, then change DNS account passwords using best practices for passwords, then add multifactor authentication and finally monitor certificate transparency logs.

      ICANN strongly recommends using DNSSEC (DNS Security Extensions), which allows for securely signing the DNS root so that it’s possible to confirm that DNS hijacking hasn’t taken place.

      Kris Beevers, CEO of NS1, says that domain hijacking isn’t limited to government sites. “Enterprises that are potential targets—in particular those that capture or expose user and enterprise data through their applications—should heed this warning by ICANN and should pressure their DNS and registrar vendors to make DNSSEC and other domain security best practices easy to implement and standardized,” he said in an email.

      This is in agreement with a guidance published by CISA, which pointed out that government-contracted cloud services are also at risk, as are other organizations that aren’t part of the government.

       “The current set of attacks are against the integrity of the DNS where they’re seeking to change the results of a DNS query,” Beevers said in a later interview. “They send you to a phishing site instead, for example.”

      To combat this, it’s important that you enable DNS signing using DNSSEC. “This allows cryptographic signing of DNS that proves authentic answers,” Beevers explained.

      Beevers noted that DNSSEC has been around for a while but didn’t gain a lot of traction because it required some significant compromises. “Historically, to sign your domain you must give up a lot of automation,” he said. But he said that this has changed over the last two years, and that it’s now possible to use new technology developed by a few companies including NS1 that allows for automation of DNSSEC. He added that it’s now possible to use DNS signing across multiple DNS zones.

      One problem noted by CISA is that a lot of domain registrars may not be prepared to support DNSSEC. The agency recommended that you apply pressure on those registrars to change, and if they don’t, then find a new domain registrar that will.

      Get Your Security House in Order

      Meanwhile, it’s critical that you make sure that the rest of your security house is in order. This means that you need to protect your domain administration account against attacks. This includes making sure passwords meet complexity and revision standards, using a password manager at the suggestion of CISA.

      It also means training administrators to recognize phishing attempts. Google offers a phishing quiz that can get you started. In addition, training companies such as KnowBe4 offer more advanced training in how to combat phishing, as well as training in other areas of security awareness.

      In addition, you should set up two-factor authentication (2FA) for your administrative accounts using a reliable second factor, such as a security key. Two-factor authentication using SMS messages to a user cell phone isn’t secure enough for something as important as domain administration.

      Finally, Beevers suggests using a single-sign-on method provided by services such as Microsoft’s Active Directory. Such services authenticate logins using a central database that’s protected from tampering. Coupled with other security measures such as 2FA, and your DNS administration should be protected from most attacks.

      If all of this sounds like a lot of work, well it is. But it’s a lot less work than having your DNS hijacked and then trying to figure out how to fix that, once you determine that it’s been done. And with a skilled attacker, you might not know immediately.

      Wayne Rash
      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a content writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×