© 2019 SourceMedia. All rights reserved.

Best practices for thwarting DNS hijacking attacks

The DHS emergency order validates what we in the industry have been advising our customers and businesses in general for some time. The use of multifactor authentication and ongoing monitoring of DNS records are basic security measures all businesses should be taking to protect their sites and underlying customer data from DNS hijacking attacks.

We also strongly recommend implementing DNSSEC, which enables recursive DNS resolvers to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user. This prevents a criminal from sending a user to a malicious site instead of the intended business web site.

DNS is a critical technology that connects all aspects of IT infrastructure, applications and online services – everything between the server and the user – which makes it an extremely attractive target for cybercriminals.

As organizations around the globe drive more aggressively toward connected, digitally transformed operations, this attack vector will grow in significance. Taking quick action to implement and maintain these basic preventative measures will be imperative in preventing attacks and keeping companies and customer data safe from cybercriminals.


Here is more on each specific step:

Monitor authoritative DNS activity logs to quickly spot issues

It might seem overwhelming to consider tracking every DNS response. But by monitoring DNS activity and IDS logs, a company can more easily observe DNS configuration changes and shifting traffic patterns, which can reveal key indicators of compromise. For instance, unexpected and unplanned changes to DNS record configurations or sudden changes in traffic volume can indicate malicious DNS activity.
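The record-change monitoring described above can be sketched as a diff between an approved baseline and the records currently being served. This is an added example, not code from the article; the record names, addresses and the set of record types treated as high priority are constructed assumptions.

```python
from collections import defaultdict

# Assumption: changes to these types redirect web or mail traffic, so they are triaged first.
HIGH_RISK = {"NS", "A", "AAAA", "CNAME", "MX", "DS"}
HOSTNAME_RDATA = {"NS", "CNAME", "MX"}  # rdata is a hostname, so compare case-insensitively

def parse_zone(text):
    """Parse 'name TTL class type rdata' lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blank and comment lines
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        if rtype in HOSTNAME_RDATA:               # TXT and similar rdata stay case-sensitive
            rdata = rdata.lower().rstrip(".")
        records[(name.lower().rstrip("."), rtype)].add(rdata)
    return dict(records)

def diff_records(baseline, observed):
    """Return (severity, name, type, removed, added) for every changed record set."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, set()), observed.get(key, set())
        if old != new:
            severity = "HIGH" if key[1] in HIGH_RISK else "INFO"
            findings.append((severity, key[0], key[1], sorted(old - new), sorted(new - old)))
    return sorted(findings, key=lambda f: f[0] != "HIGH")  # HIGH findings first

# Constructed sample data (documentation names and addresses, not real records).
BASELINE = """
example.com.      3600 IN NS  ns1.dns-provider.example.
example.com.      3600 IN NS  ns2.dns-provider.example.
www.example.com.   300 IN A   192.0.2.10
example.com.      3600 IN MX  10 mail.example.com.
example.com.      3600 IN TXT "v=spf1 mx -all"
"""
OBSERVED = """
example.com.      3600 IN NS  NS1.dns-provider.example.
example.com.      3600 IN NS  ns2.dns-provider.example.
www.example.com.   300 IN A   203.0.113.66
example.com.      3600 IN MX  10 mail.example.com.
example.com.      3600 IN TXT "v=spf1 mx ~all"
"""

if __name__ == "__main__":
    for sev, name, rtype, removed, added in diff_records(parse_zone(BASELINE), parse_zone(OBSERVED)):
        print(f"[{sev}] {name} {rtype}: removed={removed} added={added}")
```

A change that matches an approved change ticket updates the baseline; anything else is investigated as a possible indicator of compromise.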

Use multi-factor authentication for authoritative DNS and registrar logins

Organizations should implement strict access controls that limit access to legitimate users who are responsible for modifying DNS settings. If a company has multiple DNS administrators, it can assign different functions to different users depending on their role, as well as restrict update access to the zones and records they need to do their job.

It's important to strengthen access controls by implementing multi-factor authentication and single sign-on. If a company uses scripts or APIs to update DNS, it should use strong authentication keys and restrict key usage to valid sources using IP whitelisting to add an additional layer of access security.

Finally, organizations should use secure practices in interfacing with their domain registrar and keep the list of authorized contacts with the registrar up to date. This will allow the company to maintain control over its domain name and avoid missing an expiration notice from the registrar.

Enable DNSSEC (Domain Name System Security Extensions) and zone signing

DNSSEC gives recursive DNS resolvers a mechanism to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user. With many businesses handling financial, health or personal data, it’s the organization’s duty to protect customers from this form of attack. DNSSEC protects the integrity of DNS information by having each zone of the DNS digitally signed and verified by the top-level domain.
