What Is DNS Spoofing?
Like many early elements of the internet, DNS was not designed with security in mind. Still, DNS security is becoming more crucial.
Most DNS attacks occur when users think they are going somewhere safe on the internet and enter their credentials. This is the vulnerability that DNS spoofing seeks to exploit.
This typically — but not always — happens on public Wi-Fi networks, Proofpoint notes. However, DNS spoofing can occur in any situation “where the attacker can poison ARP (Address Resolution Protocol) tables and force targeted user devices into using the attacker-controlled machine as the server for a specific website.”
“For example, let’s say a user wants to access a commonly used website. That person would type the website address into the browser bar,” Steve Thamasett, a senior security solutions architect at CDW•G, has written on FedTech. “A malicious actor could poison the cache of the DNS server where the user’s browser is connecting. The user’s browser bar would say the correct website, but he or she would actually be connected to a malicious site that delivers malicious content or harvests credentials.”
Such attacks can trick users into installing malware or divulging sensitive information, Proofpoint notes. “Since DNS is a critical part of Internet communication, poisoning entries give an attacker the perfect phishing scenario to collect sensitive data,” the company notes. “The threat actor can collect passwords, banking information, credit card numbers, contact information, and geographic data.”
And, importantly for federal agencies, Proofpoint notes that “with enough stolen information, an attacker could open other accounts under the targeted victim’s name or authenticate into legitimate accounts to steal more information or money.”
What Is DNS Tunneling?
Since DNS traffic is widely trusted on the internet, many organizations “allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their website,” cybersecurity firm Check Point notes on its website.
First, the attacker registers a domain, or new website, and that domain’s name server points to the attacker’s server, where a tunneling malware program is installed, according to Palo Alto Networks.
From there, the attacker works to “infect a computer, which often sits behind a company’s firewall, with malware. Because DNS requests are always allowed to move in and out of the firewall, the infected computer is allowed to send a query to the DNS resolver.”
From there according to Palo Alto Networks, the DNS resolver “routes the query to the attacker’s command-and-control server, where the tunneling program is installed.”
Thus, a connection is created between the target computer and the attacker through the DNS resolver. “This tunnel can be used to exfiltrate data or for other malicious purposes,” the blog says. “Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker’s computer.”
In DNS tunneling attacks, Check Point notes, “inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests.”
“This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites,” according to Check Point. “Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.”
How Can DNS Spoofing and Tunneling Be Prevented?
Agencies can take a variety of approaches to defend themselves against DNS spoofing and tunneling.
DNS security tools can add a “cryptographic signature to the entries required by resolvers before they accept DNS lookups as authentic,” Proofpoint notes, regarding spoofing defenses.
Encrypting DNS, as agencies are required to do in the shift to zero trust, can also help.
“Standard DNS is not encrypted, and it’s not programmed to ensure that changes and resolved lookups are from legitimate servers and users,” Proofpoint says. DNS security “adds a signature component to the process that verifies updates and ensures that DNS spoofing is blocked.”
Agency endpoints are going to be required to support encrypted DNS in “supporting applications (for example, web browsers) and at the operating system level wherever these features are available,” according to the zero-trust guidance.
“If agencies use custom-developed software to initiate DNS requests, they must implement support for encrypted DNS,” OMB adds. “Agencies should explicitly configure endpoints to use agency-designated encrypted DNS servers, rather than relying on automatic network discovery.”
Agencies can continue to identify and log the contents of encrypted DNS requests “by accessing this information at the agency’s designated DNS resolvers.”
To guard against DNS tunneling, agencies should be on guard for several factors, including unusual domain requests, requests for an unusual domain inside an agency and high DNS traffic volume.
“Protecting against DNS tunneling requires an advanced network threat prevention system capable of detecting and blocking this attempted data exfiltration,” Check Point notes. “Such a system needs to perform inspection of network traffic and have access to robust threat intelligence to support identification of traffic directed toward malicious domains and malicious content that may be embedded within DNS traffic.”
Agencies should also leverage threat intelligence tools from vendors such as Fortinet, the company notes in a blog post. Threat intelligence can help agencies identify previously discovered DNS tunneling attacks and points of origin.
“Some solutions, such as Cisco Umbrella, have an agent that can go on users’ endpoints, pushing the security controls down to the device,” Thamasett says. “Agents can report back on traffic and behavior, so depending on the maturity of an agency’s IT security team, they can appropriately analyze such data and put together a holistic picture of their remote workforce.”