Strict DNS security measures protect against malware attacks
When we reference a website or a network server, we use (mostly) readable names, not the destination Internet Protocol (IP) address. Names are easier to remember and share. Imagine if we didn’t use domain names. “Check out today’s graphic on 22.214.171.124!”
All network-connected devices (i.e., computers, smartphones, tablets, etc.) have a unique IP address. It is the IP address that allows devices to communicate with each other. When you enter google.com into your web browser’s URL field, it is mapped to the correct IP address before a connection to the Google website is made.
A Domain Name System (DNS) helps point web traffic to the right destination by converting human-readable domain names (www.google.com) into IP addresses (126.96.36.199). DNS is used by everyone, everywhere. It was created in the early years of the Internet, when security was not widely implemented. There used to be a time, not long ago, when people would leave their front doors unlocked. A similar “no one will invade our privacy” attitude existed when the Internet was being architected and developed.
Since DNS pre-dates most security best practices, it is wide open for attackers. DNS operates without authentication or encryption, blindly resolving queries for any client that asks. As a result, a large portion of malware uses DNS to initiate command-and-control.
Times have changed. DNS security is a requirement, and everyone should lock their doors.
DNS is heavily used in everything we do on the Internet and within corporate and personal networks. We access the Internet so frequently it has become an integral part of our everyday lives and behaviors. We take for granted all that is done to protect us from ourselves.
An effective DNS security solution will:
- Block sites with malicious or dangerous content, such as viruses and scams.
- Screen advertisements with malicious intent to collect information from us.
- Filter content from adult sites or other unwanted sources.
- Correct typos like “gogle.com” to “google.com.” Cyber attackers often purchase these “typo” domains to prey on unintentional human error.
The above are just a few of the security measures taking place “behind the curtain.” We don’t need to know how each DNS security component works, but we do need to know the protections are there. In addition to these simpler and more obvious threats, DNS security measures address more complex practices used by malware and cyberattacks.
The following are three malware practices the best DNS security solutions address:
- DNS Query Intercepts
- DNS Tunneling
- Domain Generating Algorithms (DGA)
DNS Query Intercepts
An attacker can intercept your DNS queries and provide false information that would cause your browser to connect to a fake website, usually one attempting to collect your personal information without you knowing it is happening. Think of the information you might willingly provide after being connected to a fake site when you think you have accessed your bank’s website.
DNS Security Extensions (DNSSEC) provides an additional security level where the web browser can check to ensure the DNS information is correct and has not been modified. DNSSEC is not only for web browsing. DNSSEC is being used with email (SMTP), instant messaging (IM), and voice-over-IP (VoIP).
DNSSEC allows a validating name server to confirm that the address record was sent by the authoritative name server and was not altered in transit. If the address record has been modified or is not from the stated source, the name server does not allow the user to reach the fraudulent address. DNSSEC can also prove that a domain name does not exist. With this, DNS queries and responses are protected from man-in-the-middle (MITM) attacks that redirect Internet users to phishing and pharming sites.
DNS Tunneling
DNS tunneling encodes and embeds data and protocols like TCP or SSH in DNS traffic to gain command and control inside a protected network. DNS tunneling is used to deliver and distribute malicious payloads, such as remote access trojans and ransomware.
DNS queries are usually quite simple, consisting primarily of a domain and subdomain. On the other hand, tunneling attempts to put as much data into the communication channel as possible.
DNS tunneling attacks can be identified by queries for unusual record types (such as text records) not commonly used by a typical client. Also, records with long strings of unique characters, extended labels, and long hostnames are almost always DNS tunneling. DNS tunneling employs methods that send a series of queries, each one different from the next. Sending more queries increases the chances of gaining access.
Domain Generating Algorithms (DGA)
A Domain Generating Algorithm (DGA) is a program that provides malware with new domains on demand. Attackers use a DGA to quickly switch the domains they are using for malware attacks. They do this because security software and vendors act quickly to block and take down malicious domains, so malware that depends on a fixed domain or IP address is soon cut off. Rather than continually updating and re-deploying their malware, attackers switch to a new domain at regular intervals.
An example of DGA in practice is command and control servers for botnets and ransomware. Newer DNS security solutions are designed to identify malware using DGA, severing the link between the victims and their attackers. Systems infected with ransomware would be unable to request encryption keys and send user data.
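As an added example (not code from the article or from Exium), the Python routine below screens a DNS query log for the indicators described in the DNS tunneling and DGA sections: rare record types, long labels, many distinct subdomains under one zone from a single client, and high-entropy registrable labels. The sample query log and every threshold are constructed assumptions for illustration only.

```python
import math
from collections import defaultdict

# Constructed sample query log (client, qtype, qname); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.google.com"),
    ("10.0.0.5", "AAAA", "www.microsoft.com"),
    ("10.0.0.7", "TXT", "x7kq2mzp9wvb4rln0sdt6gy1fjh.tun.example.net"),
    ("10.0.0.7", "TXT", "h3mvt8kdq5wxz1rpb0ncj7lgsy4f.tun.example.net"),
    ("10.0.0.7", "TXT", "p0zwq6ktmx3vbr9hld2sjn5gcy8f.tun.example.net"),
    ("10.0.0.9", "A", "ynxzqvrkpwmtfbgd.com"),
]

# Illustrative thresholds (assumptions, not values from the article).
MAX_LABEL_LEN, MIN_UNIQUE_SUBDOMAINS = 25, 3   # long label; distinct names per client/zone
RARE_QTYPES = {"TXT", "NULL"}                  # record types a normal client rarely asks for
DGA_MIN_ENTROPY, DGA_MIN_LEN = 3.5, 12         # bits/char and length of the 2nd-level label

def shannon_entropy(s):
    # Bits per character; random-looking labels score high, dictionary words low.
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def zone(qname):
    # Registrable zone, e.g. "google.com" (assumes a one-label TLD for simplicity).
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def looks_like_dga(qname):
    label = zone(qname).split(".")[0]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY

def tunneling_reasons(qtype, qname):
    # Per-query indicators from the article: rare record types and overly long labels.
    long_label = any(len(label) > MAX_LABEL_LEN for label in qname.split("."))
    return (["rare qtype " + qtype] if qtype in RARE_QTYPES else []) + (["long label"] if long_label else [])

def analyze(queries):
    # Returns {"tunneling": {(client, zone): [reasons]}, "dga": [qnames]}.
    tunneling, dga, seen = defaultdict(list), [], defaultdict(set)
    for client, qtype, qname in queries:
        key = (client, zone(qname))
        tunneling[key].extend(tunneling_reasons(qtype, qname))
        seen[key].add(qname)
        if looks_like_dga(qname):
            dga.append(qname)
    for key, names in seen.items():  # many distinct names under one zone = a query series
        if len(names) >= MIN_UNIQUE_SUBDOMAINS:
            tunneling[key].append("%d distinct subdomains" % len(names))
    return {"tunneling": {k: v for k, v in tunneling.items() if v}, "dga": dga}
```

Running `analyze(SAMPLE_QUERIES)` flags only the client querying the example.net zone as a tunneling candidate and only the high-entropy .com name as DGA-like; the ordinary google.com and microsoft.com lookups produce no findings.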
DNS Security Solutions
Network security services must adjust quickly to remain a step ahead of malware and cyberattacks on DNS servers. Since DNS does not provide any security on its own, we rely on network security providers to protect our servers and data from malicious actors.
As an example, Exium routes all DNS queries securely inside Layered Trust Paths to DNS resolvers running in Intelligent Cybersecurity Mesh™ nodes. Exium uses advanced algorithms, from lexical to behavioral analysis, and AI-powered DNS resolvers that process the DNS traffic to stop DGA attacks. The Exium Security Analytics (xScale) platform disrupts attacks that use DNS for command-and-control or data theft by rapidly identifying threats using AI and machine learning.
Each network security services provider uses different tools and methodologies to provide critical DNS security solutions. Today’s Internet is far more advanced and widely used than its early versions. DNS existed then and continues its role today. Originally designed with little or no attention to security, DNS will continue to be targeted by malware.
DNS security advances help to safely direct traffic and block attacks. The more we learn about them, the more secure we will feel. We should know what safeguards are being applied and ensure they use the latest and best technologies. Our data is too valuable to leave behind unlocked doors.