01/18/2021 | News release | Archived content
By Vishnu Borra, Travis Haglund - January 18, 2021
Whether they realize it or not, every organization relies on the domain name system (DNS). DNS is what allows people to find your website, shop on your ecommerce app and send you email. It's a critical service for not only your business, but the internet as a whole.
As such, it makes sense that DNS servers have become a common target for cyber criminals:
If your business relies on blacklisting Fully Qualified Domain Names (FQDNs) alone to combat DNS-based attacks, read on. Malicious actors and attack vectors are becoming more sophisticated, so your security should be, as well.
Your DNS servers themselves are not always the target of DNS-based attacks. Instead, attackers commonly abuse the functionality of the DNS protocol itself as a channel to exfiltrate sensitive data from your environment.
Often, when a user within your network unintentionally visits a malicious site, a piece of malware is installed on the connecting machine. Once the machine is infected, it leverages DNS queries to reach its command-and-control (C2) server, receive instructions and act on them. Once an attacker has that foothold in your environment, the potential for the malware to spread is greatly increased.
Other leading DNS attack methods include:
A recent DNS breach reported by SecureList illustrates the scope of the challenge:
'In mid-May, Israeli researchers reported a new DNS server vulnerability that lurks in the DNS delegation process. The vulnerability exploitation scheme was dubbed 'NXNSAttack.' The hacker sends to a legitimate recursive DNS server a request to several subdomains within the authoritative zone of its own malicious DNS server. In response, the malicious server delegates the request to a large number of fake NS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server queries all of the suggested subdomains, which leads to traffic growing 1620 times.'
The essential nature of DNS functionality within organizations presents many risks for gaps in security:
To address this growing threat, Palo Alto Networks launched a new feature called DNS Security, which is used in combination with the anti-spyware functionality provided through the Threat Prevention license. This feature uses a cloud service that is updated in real time from various feeds in order to detect traffic to known-malicious domains, as well as to domains generated by a Domain Generation Algorithm (DGA).
The DNS Security feature takes valuable information about known-malicious domains from multiple trusted threat-intelligence feeds and combines it with machine learning and predictive analysis in order to dynamically identify and block access to domains created by DGAs.
When a client sends a request to a malicious domain, the Palo Alto Next-Generation Firewall (with DNS Security configured) intercepts the traffic and compares the DNS request with information within the cloud database. If the request shows up in the cloud database as malicious, or if DNS tunneling is suspected, the DNS request can be automatically dropped. This not only allows the connection to be stopped, but also lets an analyst know that there is a device on the network that may require further investigation.
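As an added illustration of the two detection ideas described above (DNS abused as a C2 or exfiltration channel, and DGA-generated domains), here is a small Python triage script. It is not Rackspace or Palo Alto Networks code. It applies simple heuristics to a constructed DNS query log: label entropy and vowel ratio to flag DGA-like registered domains, and many unique, long subdomains under one registered domain from one client to flag tunneling-like traffic. The log format, the sample lines and every threshold are assumptions, and the heuristics only stand in for, and are far cruder than, the threat-feed and machine-learning classification the text describes.

```python
"""Heuristic DNS query-log triage for DGA-like names and tunneling-like traffic.

Added example; not Rackspace or Palo Alto Networks code. The log format,
sample records and thresholds below are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# 10.0.0.5 is ordinary browsing, 10.0.0.7 queries DGA-looking names,
# 10.0.0.9 sends hex-encoded chunks as TXT queries under one domain.
SAMPLE_LOG = """\
2021-01-18T10:00:01Z 10.0.0.5 A www.example.com
2021-01-18T10:00:02Z 10.0.0.5 A mail.example.com
2021-01-18T10:00:03Z 10.0.0.5 A stackoverflow.com
2021-01-18T10:00:04Z 10.0.0.7 A xkqzvbtrpwlmd.com
2021-01-18T10:00:05Z 10.0.0.7 A qjtrzpxvwnblc.net
2021-01-18T10:00:06Z 10.0.0.7 A hgwprtkzmvbxq.org
2021-01-18T10:00:07Z 10.0.0.9 TXT 4a6f686e2c2070617373776f7264.exfil-demo.test
2021-01-18T10:00:08Z 10.0.0.9 TXT 68756e74657232303231203a2073.exfil-demo.test
2021-01-18T10:00:09Z 10.0.0.9 TXT 656372657420646f63756d656e74.exfil-demo.test
2021-01-18T10:00:10Z 10.0.0.9 TXT 2e646f6378206c6f616465642020.exfil-demo.test
2021-01-18T10:00:11Z 10.0.0.9 TXT 6f6b2c206e657874206368756e6b.exfil-demo.test
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Parse the assumed 4-column log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def split_name(qname: str):
    """Return (subdomain labels, registered domain).

    Assumption: the registered domain is the last two labels; a real tool
    would consult the public suffix list so that co.uk-style names work."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def looks_like_dga(qname: str, min_len=10, min_entropy=3.5, max_vowel_ratio=0.3) -> bool:
    """Toy DGA heuristic: a long, high-entropy, vowel-poor second-level label."""
    _, registered = split_name(qname)
    sld = registered.split(".")[0]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def tunneling_suspects(records, min_unique=5, min_mean_len=20):
    """Per (client, registered domain): many distinct, long subdomain payloads."""
    stats = defaultdict(lambda: {"labels": set(), "lengths": [], "txt": 0, "total": 0})
    for _, client, qtype, qname in records:
        prefix, registered = split_name(qname)
        if not prefix:
            continue  # a bare registered domain carries no payload-bearing subdomain
        s = stats[(client, registered)]
        payload = ".".join(prefix)
        s["labels"].add(payload)
        s["lengths"].append(len(payload))
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
    suspects = {}
    for key, s in stats.items():
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        if len(s["labels"]) >= min_unique and mean_len >= min_mean_len:
            suspects[key] = {
                "unique_subdomains": len(s["labels"]),
                "mean_subdomain_len": mean_len,
                "txt_fraction": s["txt"] / s["total"],
            }
    return suspects


def triage(log_text: str):
    """Run both heuristics over a log and return the findings."""
    records = parse_log(log_text)
    dga = sorted({qname for _, _, _, qname in records if looks_like_dga(qname)})
    return {"dga_like": dga, "tunneling": tunneling_suspects(records)}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for name in findings["dga_like"]:
        print(f"DGA-like domain: {name}")
    for (client, domain), info in findings["tunneling"].items():
        print(f"Tunneling-like: {client} -> {domain} {info}")
```

Each flagged client maps to the "device on the network that may require further investigation" the text mentions; in practice these heuristics produce false positives on CDN and telemetry hostnames, so they belong behind an allow list and alongside threat-feed data rather than as a standalone blocking rule.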
We can help you take control of your DNS, through our free DNS management service - included with every cloud account. Learn more about DNS services at Rackspace Technology and our complete range of security solutions.