Thursday, October 1, 2020

The New Security Frontier

Securing Enterprise Infrastructure and Data from DNS-based Threats

DNS, or the Domain Name System, is the protocol used to convert fully qualified domain names (FQDNs) like into the machine-usable IP addresses that computers use to communicate with each other. Without a working DNS protocol, it would be almost impossible for networked devices to find and talk to each other, and organizations would have no cyber-presence. In short, the internet as we know it would not exist without a robust DNS infrastructure.

Given that DNS servers are mission-critical infrastructure, it is crucial that they continue to respond to queries even when they are under attack. When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting the DNS, it is also important to understand the security threats the DNS might be vulnerable to.

Securing the DNS platform against hacking

Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces and extraneous open ports, such as port 80 and port 25, that are exposed to attack. Hackers can use these ports to access the operating system (OS) and compromise the servers. If an enterprise's DNS servers don't support tiered security privileges, any user could potentially gain OS-level account privileges and make configuration changes that leave the servers vulnerable.

In order to protect DNS services from various hacks, DNS servers should be secured in the following ways:

  • Hardened appliance with minimal attack surface – The infrastructure should not have any extra or unused ports for accessing the server or powering external devices (e.g. Wi-Fi), and no root login access within the operating system. It should use role-based access to maintain overall control
  • Secured access methods – There should be two-factor authentication for secure login access, web and API access should use encryption to protect communication, and DNS TSIG keys should be used for strong authentication of DNS updates
  • High availability and disaster recovery – Simple, configurable fail-over and fail-back to ensure service availability
  • Simple, unified updates for OS and applications – Updates for both the OS and applications should be accomplished in a single process to reduce downtime and risk of incompatibility
  • Security certification by an accepted industry organization – External validation of security measures must be obtained for the hardware, the applications/OS, and the manufacturing process. The bar should be set at a minimum of Common Criteria EAL2 certification, which covers verification of hardware, software and manufacturing processes
  • Simple DNSSEC implementation – DNSSEC reduces the risk of attacks like cache poisoning. It should be simple to implement and to self-manage the rollover of signing keys between servers
  • Secure Forwarder Configuration – Restrict queries to DNS Forwarder servers to those sent by authorized addresses
  • Detailed audit logging – This enables compliance and control over server configurations and operations

Defending against DNS attacks

Another consideration is the protection of the DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the internet. Even though the server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls. Firewalls are ill-prepared to protect DNS against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.

There is a whole spectrum of attacks that can target DNS:

  • DoS/DDoS – Send tens or hundreds of thousands of queries per second to the DNS server in order to exhaust resources on the server and cause a service outage
  • DNS reflection/DrDoS – Use third-party DNS servers (open resolvers) to propagate DDoS attacks
  • DNS amplification – Use specially crafted queries to amplify response and congest bandwidth
  • DNS-based exploits – Attacks that exploit vulnerabilities in the DNS software
  • TCP/UDP/ICMP floods – Flood a victim’s network on Layer 3 with large amounts of traffic
  • DNS cache poisoning – Corrupt the DNS cache data with a rogue address
  • Protocol anomalies – Cause the server to crash by sending malformed packets and queries
  • Reconnaissance – Attempts by hackers to get information on the network before launching attacks
  • DNS tunnelling – Tunnelling of another protocol through DNS for data exfiltration

Protection from these attacks should be done at the DNS level. The DNS appliance should have:

  • Intelligent detection and mitigation – It should detect and drop the attack queries before they reach the core DNS server. The DNS server should not spend valuable CPU and memory resources to process these requests. This can be achieved by offloading the threat protection to built-in dedicated compute
  • Automatic threat updates – It should stay up-to-date with new and evolving threats automatically. There should be no need for writing scripts or manually applying new protection rules to the DNS server every time a new threat is detected
  • Fine-tuning of protection – DNS traffic patterns and attacks are not the same for every organization, and customization of protection is necessary to minimize false positives. It should allow the parameters of each rule to be adjusted and customized for the environment
  • Centralized visibility of attacks – Centralized reporting capability is important to provide visibility into the load on the system, diagnose problems, and identify attacks that are happening across the network
  • Secure Authoritative Name Servers – External authoritative name servers should have recursion disabled. Inbound/outbound zone transfers should be disabled or secured with TSIG to prevent resource exhaustion attacks
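The server-side items above (TSIG-authenticated DNS updates from the hardening list, and authoritative servers with recursion disabled and zone transfers restricted to TSIG-signed peers) expressed as a BIND 9 named.conf fragment. This is an added example, not configuration from the article; the key names, secrets, zone name and secondary addresses are placeholders.

```conf
// Added example: hardened BIND 9 authoritative server (not from the article).
// Key names, secrets, the zone and the addresses below are placeholders.

// TSIG key shared with the secondaries; generate a real secret with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// TSIG key used only by the provisioning system for dynamic updates.
key "update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

options {
    directory "/var/named";
    recursion no;                // authoritative only: never recurse for anyone
    allow-query { any; };        // authoritative answers are public by design
    allow-transfer { none; };    // deny transfers globally; re-enable per zone with TSIG
    allow-update { none; };      // same for dynamic updates
    minimal-responses yes;       // smaller answers, less value as an amplifier
    version "not disclosed";     // hide the software version from reconnaissance queries
    rate-limit {                 // response rate limiting blunts reflection abuse
        responses-per-second 10;
        window 5;
    };
};

// Sign NOTIFY and transfer traffic to each secondary with the shared key.
server 192.0.2.10 { keys { "xfer-key"; }; };
server 192.0.2.11 { keys { "xfer-key"; }; };

zone "example.com" {
    type primary;                       // spelled "master" on BIND older than 9.16
    file "example.com.zone";
    also-notify { 192.0.2.10; 192.0.2.11; };
    allow-transfer { key "xfer-key"; }; // only TSIG-signed AXFR/IXFR requests succeed
    allow-update { key "update-key"; }; // only TSIG-signed dynamic updates are applied
};
```

Run named-checkconf after editing; a transfer attempt from an unsigned client should then be refused and show up in the transfer log.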

Preventing Malware and APTs from Using DNS

Data breaches are growing at a staggering pace. Investing in next-generation firewalls or intrusion prevention systems (IPSs) can stop some malware from entering the network, but not all. Trends like Bring Your Own Device (BYOD) complicate the situation further and provide new avenues for malware to enter and go undetected for longer periods of time.

Malware and APTs evade traditional defences by using DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these hosts, additional malicious software is downloaded or sensitive company data is exfiltrated.

Sometimes malware and APT attacks are hidden or disguised by external attacks on networks. During an external attack, IT staff are busy protecting the network and might miss alerts or warning logs about malware and APT activity within the network.

In order for DNS to detect and block queries for malicious domains and networks, a Response Policy Zone (RPZ) must be configured and implemented. At a minimum, the RPZ must have the following capabilities:

  • Configurable RPZ policy – RPZ should be configurable to apply Pass-through, Block, NXDOMAIN or Substitute policies to malicious traffic
  • Up-to-date threat data – The threat data should cover either generic malware or targeted APTs (ideally both)
  • Timely visibility of malicious DNS queries and infected devices – Data should include the number of attempts to reach malicious domains, the names of the malicious domains and the date/time
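An added example (not from the article) of the resolver side of the picture on BIND 9: the internal forwarder accepts queries only from authorized addresses, as the forwarder item earlier recommends, and a local policy zone shows the four RPZ actions listed above (pass-through, block, NXDOMAIN, substitute). The internal ranges, forwarder addresses and every domain in the policy zone are placeholders.

```conf
// ---- named.conf on the internal forwarding resolver (added example) ----
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder internal ranges

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };        // only authorized addresses may query
    allow-recursion { internal; };    // never an open resolver for the internet
    forward only;
    forwarders { 198.51.100.53; 198.51.100.54; };  // placeholder upstream resolvers
    response-policy {
        zone "rpz.local" policy given log yes;     // apply the action recorded in each RR
    } qname-wait-recurse no;
};

// The policy zone; a threat feed would normally push it via TSIG-signed transfer.
zone "rpz.local" {
    type primary;                      // "master" on BIND older than 9.16
    file "rpz.local.zone";
    allow-query { none; };             // policy data is applied, never served to clients
};

; ---- /var/named/rpz.local.zone (added example; every domain is a placeholder) ----
$TTL 300
@                        IN SOA localhost. hostmaster.localhost. (
                             2020100101 3600 900 604800 300 )
                         IN NS  localhost.
; NXDOMAIN: the client is told the name does not exist (wildcard covers subdomains)
c2.bad-example.test         CNAME .
*.c2.bad-example.test       CNAME .
; Block (NODATA): the name exists but the client gets no records back
beacon.bad-example.test     CNAME *.
; Substitute: steer the client to a sinkhole address that logs the attempt
exfil.bad-example.test      A     192.0.2.100
; Pass-through: exempt a name that a coarse feed entry would otherwise catch
allowed.bad-example.test    CNAME rpz-passthru.
; Policy on the answer address: any response containing 198.51.100.99 becomes NXDOMAIN
32.99.100.51.198.rpz-ip     CNAME .
```

With `log yes`, every rewritten answer is recorded in the rpz log category, which gives the per-domain, per-client hit counts the visibility item asks for.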

Security built in is better than security bolted on

Many IT organizations today are using load balancers, IPS and firewall devices, generic DDoS protection solutions and cloud-based solutions to try to counter DNS-based attacks. All of these solutions are limited in what they can protect. Most of them are external solutions that are "bolted on" rather than built from the ground up to secure enterprises' DNS against attacks. None of them can compare to the effectiveness of a purpose-built, DNS-specific defense solution.
