The Domain Name System (DNS) is one of the least understood but most crucial parts of any IT environment. Although it’s operated via a global network of servers under the control of ISPs, non-profits, registries and others, attacks can strike to the heart of any organisation. DDoS, phishing, malware downloads, C&C communications and even data exfiltration can all take place via DNS channels.
Because it’s always on and running in the background, converting domain names to IP addresses so users can surf the web, it’s a great conduit for attackers. But that also makes it a useful place to gain advanced insight and control. I spoke to a range of industry experts on the key challenges and opportunities facing firms.
A new favourite
DNS attacks are becoming increasingly popular with nation-state hackers. Sea Turtle and DNSpionage campaigns over the past couple of years have targeted Middle Eastern governments and military organisations. They typically compromise key DNS servers, and change the records stored in them to enable man-in-the-middle phishing attacks designed to secretly steal important passwords. Part of the problem, according to Nominet’s head of IT security, Cath Goulding, is that the protocol is decades old.
“DNS was designed nearly 50 years ago. The people who created it could not possibly imagine the threats that we face today,” she tells me via email. “The advanced malware that we see could not be conceived 50 years ago, so DNS was not designed to defend against it. Humans simply can’t manually monitor the amount of data that passes through it, so we must rely on algorithms and machine learning to keep us safe.”
Gary Cox, technology director for Western Europe at Infoblox, adds that DNS is increasingly being targeted by hackers as other avenues are blocked.
“DNS has become more and more popular as a result of other security gaps being filled – by things like next-gen firewalls, IDS/IPS systems, highly capable endpoint protection going well beyond just basic Anti-Virus,” he explains to me. “New attack vectors are continually explored and exploited, and the latest twist from a DNS perspective is that DNS over HTTPS (DoH) is now being used to circumvent DNS security controls.”
According to DNS pioneer and Farsight Security CEO, Paul Vixie, services like DoH “are well intentioned but policy-ignorant, and many threats to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service.”
Another example of a DNS bypass attack which has garnered an increasing number of headlines over the past year is DNS rebinding. In this attack, hackers first get victims to click on malicious links or online adverts, with rebinding techniques enabling them to bypass the network firewall and use the victim’s browser as a proxy to target any devices on this network. It’s predicted that this type of attack could become increasingly popular in compromising IoT endpoints.
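One resolver-side check for the rebinding pattern described above, added here as an illustration and not taken from any product mentioned in the article: flag answers in which a name outside the organisation's own zones resolves to an internal address. The zone name, hostnames and addresses are constructed sample values.

```python
import ipaddress

# Ranges that a public name should never hand to a browser on the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr):
    """True if addr is RFC 1918, loopback, link-local or IPv6 unique-local."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def rebinding_alerts(answers, local_zones=("corp.example",)):
    """Scan (qname, address) answers in arrival order.

    local_zones is an assumed allow-list of the organisation's own zones,
    whose names may legitimately resolve to internal addresses.
    """
    seen_public = set()
    alerts = []
    for qname, addr in answers:
        name = qname.rstrip(".").lower()
        if any(name == z or name.endswith("." + z) for z in local_zones):
            continue
        if not is_internal(addr):
            seen_public.add(name)
            continue
        # The strongest signal is a name that answered with a public
        # address first and an internal one afterwards.
        reason = "public-then-internal" if name in seen_public else "internal-answer"
        alerts.append((name, addr, reason))
    return alerts


# Constructed sample answers, as a resolver log might record them.
SAMPLE_ANSWERS = [
    ("portal.corp.example.", "10.1.2.3"),
    ("www.example.org.", "203.0.113.10"),
    ("ads.rebind-sample.example.", "203.0.113.66"),
    ("ads.rebind-sample.example.", "192.168.1.1"),
    ("printer.vendor-sample.example.", "192.168.0.50"),
]

if __name__ == "__main__":
    for alert in rebinding_alerts(SAMPLE_ANSWERS):
        print(alert)
```

A resolver or DNS firewall enforcing this rule would drop the flagged answers instead of only reporting them.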
What can we do?
So how can IT security leaders hope to mitigate the risk of a DNS-based attack? After all, with the DNS servers themselves usually out of their control, there’s a limit as to what they can do, right? Well, yes and no. Goulding argues that by using analytics services that search DNS traffic, organisations can turn the ubiquity of DNS to their advantage, using it as an early warning system to spot and block attacks before they’ve had a chance to impact the organisation.
“Utilising a DNS monitoring tool is the first step to mitigating the DNS risk,” she explains. “And while not every firm can afford high-level DNS protection, taking steps to ensure staff education is crucial, too. For many workers, they might not be clear what is and what isn’t a malicious link or malicious ad. Ensuring staff have the tools they need to work out what might be malicious and what might not be malicious will ensure company safety.”
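A minimal sketch of the kind of analytics over DNS traffic discussed above, added here as an example and not the method of any vendor quoted: it groups queries by client and parent domain and flags pairs that emit many long, high-entropy subdomains, a common signature of data being carried out in query names. The thresholds, the two-label parent-domain shortcut and the sample queries are assumptions.

```python
import math
from collections import Counter, defaultdict


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """Return (subdomain, parent). Assumption: the parent is the last two
    labels; production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_domains(queries, min_unique=4, min_len=24, min_entropy=3.5):
    """queries: iterable of (client_ip, qname).
    Returns sorted (client, parent, count) for flagged pairs."""
    encoded = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_name(qname)
        # Hostnames chosen by people are short and repetitive; encoded
        # payloads are long and use many distinct characters.
        if len(sub) >= min_len and entropy(sub) >= min_entropy:
            encoded[(client, parent)].add(sub)
    return sorted((c, p, len(s)) for (c, p), s in encoded.items()
                  if len(s) >= min_unique)


# Constructed sample log: ordinary lookups plus one client sending
# hex-like 32-character labels to a single parent domain.
CHUNKS = ["0123456789abcdeffedcba9876543210", "89abcdef0123456776543210fedcba98",
          "02468ace13579bdffdb97531eca86420", "13579bdf02468aceeca86420fdb97531"]
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.5", "mail.example.com."),
    ("10.0.0.7", "autodiscover.outlook.example.org."),
] + [("10.0.0.23", chunk + ".exfil-sample.example.") for chunk in CHUNKS]

if __name__ == "__main__":
    for finding in suspicious_domains(SAMPLE_QUERIES):
        print(finding)
```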
ISACA board director, Asaf Weisberg, adds that DNSSEC should be rolled out across the industry “to strengthen authentication in DNS, by using a DNS Zone’s private key to digitally sign the DNS data, and allowing the resolver to confirm the validity of the DNS data through a corresponding public key that is being retrieved as part of the DNS query.”
However, efforts thus far have been poor. It’s claimed that less than 20% of DNS stakeholders have adopted the specifications – a figure ICANN wants improving urgently. Without this kind of cross-industry response, DNS could remain a security blind spot for organisations for many years to come.
One of the most frustrating things about being a Hong Kong technology journalist is having people ask you what the next big tech trends are; what kind of weird and crazy gadgets you’ve managed to track down, etc etc.
The truth is, as I’ve discovered over the past 18 months, despite its famously futuristic neon-kissed cityscape Hong Kong is not where you’ll find such weird and wonderful or early adopter technologies. They don’t even really exist in Japan’s famous Akihabara “electronics town” district either – a spot now filled with maid cafes and adult video shops.
The truth is that for pimped out shanzhai goods like these, you’ll need to go to Shenzhen, just across the border from Hong Kong.
This city, and its Chinese neighbours around the Pearl River Delta, has always been the epicentre of cheap, sometimes illegal but usually grey market goods – whether they be recognisable brand name items assembled or sourced from non-official channels, or white box weirdness from tiny makers you’ll never have heard of.
It’s not as if, as I originally thought, there has been a government crackdown on these items in Hong Kong. You see, they’re not technically even illegal – it’s more market driven than that.
“In Hong Kong the government is not banning these products, it’s that the market is not that big,” Frost & Sullivan analyst Lu Shuishan told me. “Some people are willing to pay relatively low prices for shanzhai goods but the market presence of branded products is just bigger.”
People can afford better quality goods in Hong Kong without breaking the bank, unlike in China where an iPhone can cost a month’s salary and grey market versions of the big brands are sought out by virtue of being cheaper, he added.
According to Forrester’s Bryan Wang, Hong Kongers also benefit from buying more of their phones through operators than direct from retail as in China, with two year contracts boosting their affordability whilst locking punters into lengthy terms.
That’s not to say white box goods have completely disappeared from Hong Kong. On a trip to Sincere Podium – a three floor mecca for smartphone fanatics in Mong Kok – there were one or two brand names I’d never heard of, like Copicell, Daxian and Shouyue.
However, there were no unusually specc’d shanzhai products, of which Western readers are inordinately fond.
As IDC senior market analyst Dickie Chang told me, skyrocketing local rents are also focusing the minds of traders.
“Dealers need to pay more to cover rental costs, so they will need to think carefully about the products they want to sell,” he argued.
It seems that the era of the weird and wonderful shanzhai handset, at least in Hong Kong, is well and truly over.