DNS is a foundational element of network communications. It’s also the starting point for countless cyberattacks. Threat actors abuse DNS to install malware, exfiltrate data, and carry out other attacks. Cyber threats that leverage DNS are widespread, sophisticated, and rapidly evolving. DNS is used by over 90 percent of malware and in an ever-growing range of pernicious attacks.
However, despite its vulnerabilities, DNS can unlock a hidden world of security capabilities that can help protect today’s highly distributed and cloud-integrated networks. The Hidden Potential of DNS in Security reveals how attackers exploit DNS and how cybersecurity professionals can proactively use DNS to turn the tables and mitigate those threats.
Knowing how to leverage the protective capabilities of DNS can give you an unprecedented head start in stopping today’s advanced cyberthreats. This book gives you that knowledge.
Written specifically for security practitioners, and including real-world case studies, this book offers a thorough yet easy-to-digest understanding of today’s most urgent and potentially damaging DNS-based cyberthreats, how to mitigate them, and how to leverage your DNS infrastructure to further your security mission. In it, you will discover:
Why DNS is inherently vulnerable and why knowledge of DNS is now crucial for security teams
How malware uses DNS to avoid detection and communicate with command-and-control (C2) infrastructure
How threat actors leverage DNS in executing a broad array of attacks involving look-alike domains, domain generation algorithms, DNS tunneling, data exfiltration, and cache poisoning
What DNSSEC is (and is not) and how it works
How recently emerging encrypted DNS standards can impact security controls, along with the security advantages they can provide
How DNS can be leveraged in Zero Trust architectures
How you can improve your security posture using the DNS infrastructure you already have
Author(s): Joshua M. Kuo, Ross Gibson
Publisher: Infoblox
Year: 2023
Language: English
Pages: 192
Cover
Foreword
Acknowledgements
Chapter 1: Introduction
How to Read This Book
Who This Book Is For
Who This Book Is Not For
Life as a Security Professional
What Types of DNS Exploits Are Covered in This Book
How This Book Is Organized
Why DNS and Why Is It Insecure?
A Word About Case Studies in This Book
A DNS Primer for Security Professionals
DNS, DNS, DNS Everywhere!
DNS Is Complex and Ever Evolving
URL or Domain Name?
Anatomy of a Domain Name
Components of the Domain Name System
Summary: Introduction
Chapter 2: DNS and Malware
Cyber Kill Chain and DNS
How Malware Uses DNS
Case Study: WannaCry
Case Study: Black KingDom
Summary: DNS and Malware
Chapter 3: Look-Alike Domains
What Are Look-Alike Domains?
Case Study: PayPai.com
Look-Alike Domains Today
Business Email Compromise
International Characters in DNS
Using IDN for Look-Alike Names
New Top-Level Domains
Related Techniques
Partial Matching Names
Hidden Path
URL Bar Masking
Malicious Overlays
Common Characteristics
What Can We Do?
Response Policy Zone (RPZ)
Common RPZ Policy Actions
RPZ Action: Block by Name
RPZ Action: Block Response IP Address
RPZ Action: Redirect/Rewrite
Summary: Look-Alike Domains and RPZ
Chapter 4: Domain Generation Algorithms (DGAs)
DGA Basics
Why Attackers Use DGAs
Case Study: Zloader
Blocking DGAs
Case Study: Conficker
Newly Registered/Observed Domains
New Domain Considerations
Silver Lining
Summary: Domain Generation Algorithms
Chapter 5: DNS Tunneling
DNS as a Transport Mechanism, Part I: Two-Way Communications
How Much Data Can DNS Carry?
Size Matters
Encode, Encrypt, Oh My!
How Attackers Avoid Detection
InvisiMole and DNS Forwarding—A Cautionary Tale
Case Study: InvisiMole
DNS Forwarding—A Potential Hole in Your Layered Security Architecture
Summary: DNS Tunneling
Chapter 6: Data Exfiltration
DNS as a Transport Mechanism, Part II: One-Way Communications
Data Exfiltration Over DNS
Exfiltration and Zero Day Threats
Case Study: AlinaPOS
Beyond Blocklists
Deep Query Inspection
Detection Criteria
Detecting Anomalies
DNS and SIEM
Successful Attacks Get Better, Not Worse
Case Study: SUNBURST
Summary: Data Exfiltration
Chapter 7: Cache Poisoning and DNSSEC
Insecurity in the DNS Protocol
What Is Cache Poisoning?
A Brief Overview of Recursive Resolvers and Delegation
Fooling Recursive Resolvers
The Pizza Metaphor
Lack of Entropy in DNS
The Birthday Problem
DNS Transaction ID Collision
Case Study: The Kaminsky Attack
Detecting Cache Poisoning
The Fix, Circa 2008
Case Study: SadDNS
DNSSEC, the Real Fix for Cache Poisoning
DNSSEC Features
DNSSEC High-Level Overview
DNSSEC Responses to Clients
DNSSEC Misconceptions, Clarified
State of DNSSEC Adoption
Deploying DNSSEC
Internal Zones and DNSSEC
While You Are Waiting for DNSSEC, Have Some Cookies
Summary: Cache Poisoning and DNSSEC
Chapter 8: Encrypted DNS
Before You Read This Chapter
Encrypted DNS: Protecting the Last Mile
Leading Encrypted DNS Standards
DNS Over TLS (DoT)
DNS Over HTTPS (DoH)
Greater User Control Adds to Security Complexity
Public Encrypted DNS Services and Privacy Trade-Offs
A Double-Edged Sword (Don’t Cut Yourself!)
Case Study: GodLUA
Minimizing Risks From Encrypted DNS
Blocking DoH
DNS Last-Mile Features Comparison
Encrypted DNS Considerations
Can You Trust the Resolver?
Summary: Privacy and Encrypted DNS
Chapter 9: DNS Attacks Against Clients
When Client Devices Are in the Crosshairs
Before and After DNS Resolution
Three Types of DNS-Based Client Attacks
HOSTS File
Case Study: Win32.QHOSTS
OS Cache
Case Study: Dridex
Client DNS Settings
Case Study: DNSChanger
The Evolving Client Landscape
Classic Clients
Mobile Devices
IoT Devices
Web Browsers
Options for Protecting Clients
Summary: DNS Attacks Against Clients
Chapter 10: Domain Hijacking
When the Domain Name Itself Is the Target
What Is Domain Hijacking?
What Domain Hijacking Is Not
Domain Squatting
How Domain Hijacking Attacks Unfold
Domain Name Registration Infrastructure Compromise
Domain Registration Basics
How Attackers Strike
Hosted DNS Data Compromise
Case Study: Fox-IT
Rise in Recent Years
Choosing a Secure Registrar
On-Premises DNS Infrastructure
DNS Security in the Cloud
Expired and Dormant Domains
Case Study: GoDaddy and Spammy Bear
Abandoned DNS Records
Case Study: PowerDNS
What Can We Do About Record Abandonment?
Domain Hijacking Guide
Summary: Domain Hijacking
Chapter 11: DNS and Zero Trust Architecture
Basics of Zero Trust
DDI Is the Foundation of Zero Trust
DNS Can Detect and Mitigate Data Exfiltration
DNS-Enabled Dynamic Policy, an Introduction to D-NAP
Summary: DNS and Zero Trust Architecture
Chapter 12: Conclusion
Eight Ways to Fight DNS Insecurity Today
1. Integrate DNS Into Security Operations
2. Control, Log, and Monitor
3. Use RPZ With Reputation Feeds
4. Perform Deep Query Inspection
5. Audit DNS Data
6. Deploy DNSSEC
7. Manage Encrypted DNS
8. SOAR With DNS
Closing Comments
This Book at a Glance
About the Authors