Authoritative DNS Hijack Attacks
As the leading enterprise DNS vendor in the world, we get asked about DNS security often. If you have read some of our articles, you know we love a good technical solution to a problem, digging into protocol anomalies, reverse-engineering malware attack patterns, and the like. In this case, we were left with a bit of a head-scratching question… How do we teach people to protect against a DNS attack that has no technical solution?
What we found after contacting various customers, government agencies, and friends in the cybersecurity community:
- This is more widespread than most realize, and it's surprisingly easy to do
- Some well-known bad people are actively using this attack
- HTTPS and DNSSEC are not going to save you if your DNS records are hijacked
There are now quite a few excellent articles about this attack and our thanks to the folks at FireEye who published one of the first public write-ups available HERE. Additionally, on January 22, the DHS issued Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering,” in response to FireEye’s report.
So, let’s get straight to the “how do I make sure my network is safe” part of this blog.
Organizations should immediately:
Look at your public DNS records. For most organizations this is simple, Because you probably expose fewer than 20 public records (websites, email server, VPN) and verifying that they point at the right hosts should only take a few minutes.
Using NSLOOKUP (most OSes):
C:\>nslookup -type=any yourdomainname.com
infoblox.com internet address = 220.127.116.11
infoblox.com nameserver = ns1.infoblox.com
infoblox.com nameserver = ns2.infoblox.com
infoblox.com MX preference = 10, mail exchanger = mxb-00333e01.gslb.pphosted.com
infoblox.com MX preference = 10, mail exchanger = mxa-00333e01.gslb.pphosted.com
You may see more data than this but pay special attention to your MX records as these are your external mail servers, your nameserver records (DNS servers), and your internet address record (typically your web server). These should all be addresses you recognize.
Note: If you try this from your internal network, you typically will not see these records as they are not used internally, so it’s best to try from an external network or do the query directly on your external DNS server.
If you are running an Infoblox appliance, . Set up DNS Integrity Check as a way to run automated consistency checks. While you are there ensure your automatic alerting is set up.
Protecting yourself going forward:
If you are using a public DNS service (many run their websites and public DNS records this way), spend the time to verify the authentication methods used by your domain registrars. As it turns out many of these companies have only basic security in place. Your managed DNS provider MUST provide additional layers of authentication before allowing changes (bad security is how we got into this mess). You should treat this access as sensitively as any banking or financial data because the results of a breach would be just as disastrous. Two factor authentication if available, is a good start.
If you run a different DNS server, you probably have a SIEM or compliance tool that monitors when sensitive files change somewhere in your organization. Make sure to start watching the files on your DNS server that contain this information. The files are called “Zone Files” and each public zone will have a file with the public records you checked. They are found in a directory specified within the /etc/named.conf file on the DNS server (e.g.: directory “/etc/bind/zones”; ). These files are often named based on your domain and are easy to identify. You won’t want to monitor all your DNS records as they change all the time, but for the public DNS records setting up an alert when changes are made will help when your boss asks: “Could this happen to us?”.
That’s is for the public Freak-out part of this article.
If all is good pat yourself on the back, have that second cup of coffee and why not go ahead and snag the last donut in the break room. But be aware even though you are good now, there are websites and mail servers being actively redirected at many other companies.