5 min

DNS security, key to Internet resilience?

Unknown to the general public and not always well protected by companies, the Domain Name System (DNS) is nevertheless a critical asset of their information system. Poorly secured, it can become a privileged vector for cyberattacks. When properly configured, it can be a formidable tool against them.

The outage of the services of Meta—the former Facebook group—on 4 October, due to an accidental update of the routing information to the servers used by the group, highlighted the importance of the Domain Name System (DNS), whose disruption led to the unavailability of Facebook, WhatsApp, and Instagram for several hours. However, the functioning and the interest of DNS remain little known to the general public.

And for good reason: the DNS is not easy to define. “In the narrow sense, the DNS is the protocol that allows, from a domain name [such as www.incyber.fr, editor’s note], to retrieve the technical information needed for a request on the Internet,” began Stéphane Bortzmeyer, R&D engineer at the Afnic (French Association for Cooperative Internet Naming), during a FIC breakfast on this topic, organised on 30 June 2021.

In the most common case, the technical information in question is the IP address, which is necessary to establish a connection between our machine and a server, which itself hosts the service we want to access. For this reason, the expert pointed out that “the overwhelming majority of activities on the Internet begin with a DNS request.

The DNS, at the heart of the Internet

In a broader sense, the DNS is a decentralised architecture made up of two types of servers: authoritative servers and DNS resolvers, also called recursive servers or cache servers. The former manage the domains, which may be top-level (.com, administered by the company Verisign; .fr, by Afnic; .uk by Nominet, etc.), second-level (.gouv.fr, .co.uk, etc.), third-level, etc. Each level is dependent on the higher level: “If .com goes down, all the sites in .com will be inaccessible,” explained Stéphane Bortzmeyer.

The DNS architecture is usually represented as a tree. At the top, the root server, then the top-level domains (TLDs), then the second, third, fourth levels… (Credit: Wikimedia)

When you go to www.incyber.fr, a request will necessarily be sent to the .fr server. But not directly, and this is where the DNS resolver comes in. For each request on the Internet, it acts as an intermediary between the user and the authoritative servers. The most common resolvers are those provided by your operator, but there are also public DNS resolvers, such as those of Google or Cloudflare. It is also possible to have your own DNS resolver.

When connecting to an online service, the Internet user sends a DNS resolver request, which itself communicates with authoritative servers. This process is now invisible to the user because it is almost instantaneous. (Credit: Stéphane Bortzmeyer)

DDoS and domain name hijacking, the two enemies of DNS

Because it is at the heart of the Internet architecture, the DNS system is critical. It is therefore subject to numerous cyberattack attempts. The most common is certainly the distributed denial of service (DDoS) attack. “It usually targets an authoritative server operator, like the attack against Dyn in 2016 or the one against top-level domain, like the Turkish domain .tr in 2015,” the engineer recalled.

“Domain name hijacking is the second most notable threat involving the DNS system,” he continued. “With the pandemic, we saw a very large number of new domain names appearing in 2020 and 2021 that included the terms “Covid,” “19”, or “corona,” so much so that it was difficult to know which ones were official—or at least offering real services related to the fight against the virus—and which ones just wanted to attract Internet users to their sites to infect their machines or extort money from them, via phishing campaigns, for example,” explained Pascal Steichen, CEO of Securitymadein.Lu, at the breakfast. A similar phenomenon is the impersonation of a well-known brand with similar domain names.

Today, Nicolas Jeanselme, solutions architect at Infoblox, also notes “a strong professionalisation of attackers,” who are sometimes able to set up mechanisms to regularly and automatically change domain names, or even use domain generation algorithms (DGA). “We have seen some malware that used several million domain names, which changed every hour,” said the specialist. “This is the case, for example, of the Fin7 cybercriminal group.

Attacks on the DNS: a risk for confidentiality, integrity, and availability

Anouar Adlani, technical director of Ebrand Services, also identified a final type of relatively common attack on the DNS: the internal threat. “It can be due to human error—for example, a misconfiguration that brings down the DNS—but also to a former employee, an intern, or a disgruntled provider, who sometimes still has access to the domain name account,” he illustrated during the breakfast.

All these potential attacks threaten both the confidentiality of a company’s assets (the the attacker can read e-mails, hijack sites, etc.) and the integrity and availability of its information system, and therefore of all the company’s activities, “linked to its public presence as well as to its internal services,” said Nicolas Jeanselme. “They can also strongly damage the brand image,” added Pascal Steichen.

Unfortunately, according to Stéphane Bortzmeyer, these threats usually go under the radar: “The security of domain names and the DNS is often underestimated. Everyone understands the importance of protecting web servers, firewalls, etc., but domain names are generally perceived as more administrative elements and their protection is often weak.

Thinking about your network architecture upstream

To protect against breakdowns and attacks, the speakers at the breakfast agreed first of all to advise against systematically using public DNS resolvers, in order “not to put all one’s eggs in the same basket,” said Anouar Adlani. He went even further, suggesting that organisations capable of doing so should host their own DNS resolver. In the future, another solution could be to use the future European public resolver DN44EU—of which we know nevertheless “little at the moment”, Stéphane Bortzmeyer qualified.

More importantly, according to Nicolas Jeanselme, to mitigate the risks associated with DNS malfunction or hijacking, organisations must think about their network architecture upstream. For example, by implementing “authentication processes integrated with internal directories” or “by establishing standards and binding rules for network operation, so that not just anyone can access the DNS protocol,” he suggested. Organisations should also ensure that the registry that issues domain names to them implements all available measures to secure domain names (registry lock, transfer lock, DNSSEC activation…).

Nicolas Jeanselme also advised companies to take a proactive stance, including blocking some domain names they no longer use and registering others that are close to those they use and that could be used for malicious purposes.

DNS, an ally of corporate security

In addition to all these recommendations, there are the standard best practices in IT security, such as securing passwords or using multi-factor authentication.

Especially since the DNS is not only a critical asset, it is also a security tool in itself. “You can also apply security measures to your services through the DNS itself,” insisted Anouar Adlani. For example, you can add layers of security to your business email by deploying DMARC, SPF, and DKIM protocols on your DNS. Such measures will allow you to reduce your attack surface.”

Send this to a friend