DNS servers work by translating IP addresses into domain names. This is why you can enter CIO.com into the browser to visit our sister site, instead of trying to remember 184.108.40.206.
When DNS is compromised, several things can happen. However, compromised DNS servers are often used by attackers one of two ways. The first thing an attacker can do is redirect all incoming traffic to a server of their choosing. This enables them to launch additional attacks, or collect traffic logs that contain sensitive information.
The second thing an attacker can do is capture all in-bound email. More importantly, this second option also allows the attacker to send email on their behalf, using the victim organization's domain and cashing-in on their positive reputation. Making things worse, attackers could also opt for a third option, which is doing both of those things.
"In the first scenario this can be used to attack visitors and capture login credentials and account information. The common solution of mandating SSL works until the attacker takes advantage of [the second option] to register a new certificate in your name. Once they have a valid SSL cert and control of your DNS (one and the same, basically) - they have effectively become you without needing access to any of your servers," Rapid7's Chief Research Officer, HD Moore, told CSO in an email.
In a blog post, Cory von Wallenstein, the CTO of Dyn Inc., a firm that specializes in traffic management and DNS, explained the three common types of DNS attacks and how to address them.
The first type of DNS attack is called a cache poisoning attack. This can happen after an attacker is successful in injecting malicious DNS data into the recursive DNS servers that are operated by many ISPs. These types of DNS servers are the closest to users from a network topology perspective, von Wallenstein wrote, so the damage is localized to specific users connecting to those servers.
"There are effective workarounds to make this impractical in the wild, and good standards like DNSSEC that provide additional protection from this type of attack," he added.
If DNSSEC is impractical or impossible, another workaround is to restrict recursion on the name servers that need to be protected. Recursion identifies whether a server will only hand out information it has stored in cache, or if it is willing to go out on the Internet and talk to other servers to find the best answer.
"Many cache poisoning attacks leverage the recursive feature in order to poison the system. So by limiting recursion to only your internal systems, you limit your exposure. While this setting will not resolve all possible cache poisoning attack vectors, it will help you mitigate a good portion of them," Chris Brenton, Dyn Inc.'s Director of Security, told CSO in an email.
Sign up for Computerworld eNewsletters.