DNS: what it is and why you need to protect it

7th May 2019

Stuart Reed

Stuart Reed
VP, Products

What is your top cyber security priority? The answer to this question will vary industry to industry, sector to sector and business to business. However, one thing all companies have in common is that their strategic decisions can be overturned in an instant: the moment a cyber criminal exploits a weakness they had not considered. And that weakness could well be the Domain Name System (DNS): overlooked, unloved, deprioritised and an easy-picking attack vector.

DNS-based cyber attacks are among the most common: it’s been estimated that in 2017, 76% of organisations around the world suffered DNS-based attacks, costing some businesses more than $5 million in damages. Despite this, DNS gateways are often left unprotected by security teams at enterprises, the data flowing through them white-flagged. Why is this, and what can businesses do to strengthen this weak link in their defences?

An introduction to DNS

To answer this question, we need to understand what DNS is, how it works, and why it’s a security threat.

Put simply: DNS is the phonebook of the internet. It comprises a group of servers that turn humanly understandable domain names, such as www.example.com, into the internet protocol (IP) addresses that can be understood by machines.

This process occurs in a series of three, iterative steps. When a person requests to go to a website, a DNS query is issued to the local recursive server, which acts as the hub of the process. The recursive server will begin by contacting the root server, which returns the address of the name server responsible, in this case for the .com zone. A query is then made to the .com top-level domain (TLD) server, which will respond with the location of the authoritative name server responsible, here: example.com. Finally, the authoritative name server will be contacted, and will return the IP address for the domain requested. This whole process takes just milliseconds.

A tempting target

The reason that the DNS layer of a network represents such a tempting target for hackers is that it’s ubiquitous, always on, and works behind the scenes (and is therefore very easy to be overlooked). What’s more, to make the DNS process as seamless and smooth as possible, many security administrators white-flag DNS traffic. This leaves the door open for malicious actors.

DNS vulnerabilities are behind some of the damaging cyber attacks. Simply by changing the answers to some of the queries hosted in your DNS server, cyber criminals can redirect users to a malicious website where they can pass on malware, insert data exfiltration trojans or expose people to phishing tactics. The latter occurred at a Brazilian bank last year, when online customers were diverted to fake websites and stripped of their most sensitive financial data. Cyber criminals can also extract data through DNS tunnelling, where DNS traffic is used to bypass firewalls.

Plugging the DNS hole

Fortunately, not only is DNS traffic relatively easy to secure, the right approach can turn this traffic from a vulnerability into an important threat intelligence asset. Thanks to advanced heuristics developed here at Nominet, organisations can inspect the billions of packets of DNS data flowing out of their businesses and find even the smallest trace of inproper activity. This deep packet inspection operates in real time, without introducing network latency and gives enterprises the ability to automatically shut down active threats the moment they’re detected.

By putting in place a new layer of visibility and control to DNS systems, organisations can effectively enable their DNS traffic for use in cyber defence; using the data to protect against malware, phishing, botnets, data exfiltration, cryptomining and other dangers.

Find out more

If you would like to read more about DNS and its associated security threats please download our new white paper. Here, you can also learn how Nominet can help protect your DNS layer and turn DNS traffic into a strategic threat intelligence asset.