Analyze Potential Indicators Associated With: Domain Name Systems (DNS) Attacks – Part 1
The Domain Name System (DNS) is a standard protocol that helps Internet users discover websites using human-readable addresses. Like a phone book that lets you look up a person's name and find their number, DNS lets you type the address of a website and automatically discover the Internet Protocol (IP) address for that website.
Without DNS, the Internet would collapse – it would be impossible for people and machines to reach Internet servers via the friendly URLs they have come to know.
Uses of DNS
The classic use of DNS is to translate the domain name in a URL into a corresponding IP address. But DNS has many more uses – it underlies many other forms of Internet communication.
If you use any of the above services, you will probably use DNS to communicate with it.
If you own or manage any of the above – for example, if you own a website or allow VPN access to your company's network – you will need to set up DNS in order to allow users to access your service.
Next-Generation Uses of DNS
DNS has evolved over the past 20 years. Next-generation DNS services such as NS1, which provide advanced traffic routing capabilities, have created new uses for DNS:
Global server load balancing (GSLB) – fast routing of connections between globally distributed data centers
Multi CDN – routing users to the CDN that will provide the best experience
Geographical routing – identifying the physical location of each user and ensuring they are routed to the nearest possible resource
Data center and cloud migration – moving traffic in a controlled manner from on-premise resources to cloud resources
Internet traffic management – reducing network congestion and ensuring traffic flows to the appropriate resource in an optimal manner
Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.
Domain name hijacking is devastating to the original domain name owner’s business with wide ranging effects including:
Note that many countries (and/or customers) will hold your organization responsible for data breaches or data leaks, regardless of whether they result from a cyber attack like domain hijacking or from a misconfiguration. Domain hijacking is a real cyber threat, and preventing it must be part of your cybersecurity efforts.
Before we dive into the details of domain hijacking, it’s helpful to understand how the domain name system (DNS) works and its limitations.
Each top-level domain (TLD) is managed by an organization called a domain name registry, which is appointed by the Internet Corporation for Assigned Names and Numbers (ICANN).
The most popular TLDs are managed by large organizations such as Verisign (.com and .net) or Public Interest Registry (.org).
National domains like .io or .com.us are managed by organizations in their respective countries.
One important thing to understand is that registries do not always manage domain name registration themselves. Companies that handle domain registration are called domain name registrars (as opposed to domain name registries) and are usually accredited by registries.
Accredited registrars may then subcontract to non-accredited registrars, increasing third-party risks and fourth-party risks and lengthening the time to resolve potential domain name disputes.
This is because each registrar has its own rules and requirements for proving domain ownership and approving domain transfers.
That said, most TLDs allow anyone to register a domain with one registrar and transfer control of the domain to another registrar (such as from Namecheap to Google Domains) for any reason, such as better pricing, better security measures or a better customer experience.
This has its benefits but also makes domain hijacking possible.
Domain hijacking is a risk to your business even if it’s not your domain that is hijacked. Any third-party vendor you regularly communicate with or that handles your or your customer’s data could have its domain hijacked.
Domain hijacking must be part of your vendor risk management and third-party risk management programs.
While transferring domains is a little more complicated than registering a new domain, in practice it is a very simple process.
Generally, domain hijacking occurs through unauthorized access to, or exploitation of a vulnerability in, a domain name registrar; through social engineering; or by gaining access to the domain name owner's email address and then resetting the password for their domain name registrar account.
Another common tactic is to gather personal information about the actual domain name owner to impersonate them and persuade the domain registrar to modify registration information or transfer the domain to another registrar they control.
Other methods include exploiting email vulnerabilities, exploiting vulnerabilities at the domain-registration level, using keyloggers to steal login credentials, and phishing attacks.
During a DNS poisoning attack, a hacker substitutes the address of a valid website with the address of an imposter site. Once this is done, the hacker can steal valuable information, like passwords and account numbers. Or the hacker can simply refuse to load the spoofed site.
Someone browsing the web may never know that DNS spoofing is happening. The person may visit a site that looks perfectly normal, and even functions somewhat normally, so everything seems safe.
Or that person may find that a beloved site just won't load. That person may try again a time or two, but their anger is likely to be directed at the company for hosting a site that doesn't work.
Preventing DNS poisoning starts by blocking DNS spoofing. We’ll tell you all about how to do just that.
Web developers are encouraged to use short, user-friendly web addresses as they develop their sites. Doing so could help them perform better in search queries, and their addresses help consumers know what pages contain before they click on them. But other computers don't understand the addresses humans use. DNS bridges that gap.
Every time you type an address into your browser:
This work happens in seconds, and you may not notice the delay. But behind your screen, your computer is reaching out to others to understand where you should go next and what should happen.
The DNS system was developed in 1983, when the internet contained far fewer websites and servers. The developers never dreamed that anyone would want to play with the system or defraud users, so no security measures were built in.
What Does DNS Cache Poisoning Look Like?
You ask to visit a site, and your server picks up a hacker’s response. That falsified data is stored, and DNS cache poisoning is complete.
A hacker could do this by:
DNS poisoning attacks occur because the system is insecure. Your computer holds conversations with servers via the User Datagram Protocol (UDP). This allows for quick, efficient communication, but no security measures are built in. Your computer doesn't verify the identity of the server it talks to, and it doesn't validate the data that comes back.
Forgery in this environment is relatively easy. If you’re not required to prove your identity, and the server you talk to could be owned by anyone at all, you could get falsified information and never know it.
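The checks a resolver can apply to a UDP reply before caching it (source address, transaction ID, echoed question, and the bailiwick rule that drops records for names outside the zone being asked about), as an added example that is not from the original article or its sources. It uses only Python's standard library; the query, the forged reply and the addresses are constructed sample data.

```python
import struct

def encode_name(name):   # dotted name -> length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_message(txid, name, qtype=1, records=()):
    """Build a query (no records) or a response (QR+RD+RA flags) carrying the given RRs."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180 if records else 0x0100, 1, len(records), 0, 0)
    rrs = b"".join(encode_name(n) + struct.pack(">HHIH", t, 1, 300, len(d)) + d for n, t, d in records)
    return hdr + encode_name(name) + struct.pack(">HH", qtype, 1) + rrs

def read_name(msg, off):
    """Decode a name, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:                      # pointer: remember where we were, then jump
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode()); off += 1 + ln
    return ".".join(labels), (off + 1 if end is None else end)

def parse(msg):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack(">H", msg[off:off + 2])[0]; off += 4   # skip QTYPE and QCLASS
    records = []
    for _ in range(an + ns + ar):
        rname, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
        records.append((rname, rtype, msg[off:off + rdlen])); off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "records": records}

def validate_response(query, response, bailiwick, expected_src, actual_src):
    """Checks a resolver must make before caching a reply; returns (accept, reason)."""
    q, r = parse(query), parse(response)
    if actual_src != expected_src:
        return False, "reply came from an unexpected address/port"
    if r["txid"] != q["txid"]:
        return False, "transaction id does not match the outstanding query"
    if (r["qname"].lower(), r["qtype"]) != (q["qname"].lower(), q["qtype"]):
        return False, "question section does not echo the query"
    for rname, _, _ in r["records"]:            # bailiwick rule: only cache in-zone data
        if not (rname.lower() == bailiwick or rname.lower().endswith("." + bailiwick)):
            return False, f"out-of-bailiwick record for {rname}"
    return True, "accepted"

# Constructed sample: the resolver asked for www.example.com; a forged reply echoes the question but guessed the wrong transaction id.
QUERY = build_message(0x1A2B, "www.example.com")
FORGED = build_message(0x0001, "www.example.com", records=[("www.example.com", 1, bytes([198, 51, 100, 7]))])
```

Without the transaction ID, source port and bailiwick checks, the forged reply would be stored exactly as the text describes; the same parser also handles compressed names, which real replies use.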
Sources: Networkworld, NS1, Okta