[BreachExchange] Most Threatening DNS Security Risks And How To Avoid Them

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 31 20:41:50 EST 2018


The DNS, or Domain Name System, is one of the components the internet cannot
function without. Yet internet businesses are often negligent about the
security of their digital identity, which is their DNS. This poor security
leaves DNS vulnerable to many cyber attacks that benefit the attackers.

Fortunately, an individual or regular internet user can prevent DNS leaks and
related vulnerabilities by running a DNS leak test and by changing their
device's settings to use another DNS server.

Threats That Are Alarming For DNS Security

Here are 4 threats to your DNS security:

DDoS Attacks

Distributed Denial of Service (DDoS) attacks are executed by directing a flood
of malicious traffic at the DNS server of an internet user or provider so that
legitimate requests are hindered. This attack technique is not specific to DNS
and its security, but a DNS server can suffer serious consequences from it.

It does not matter whether the website is prominent or not: if the DNS
infrastructure cannot keep up with the number of incoming requests, the site
may face disruption.

To prevent a DDoS attack on your DNS server, use an effective DNS provider
with wide coverage of Anycast servers so that traffic is handled
appropriately. The reason to use Anycast servers is enhanced performance and
efficient load distribution during a DDoS attack. If you are building your own
managed DNS servers, you should likewise leverage the power of Anycast.

Typosquatting

The technique of diverting web traffic by registering a fake domain name that
is almost the same as the real target domain is known as Typosquatting. With
this method, a hacker can set up a variety of phishing attacks. It can also be
used for stealing information.

To protect your domain from such threats, monitor new domain registrations
that resemble your business names. An easier way to deal with this threat is
to hire a firm that provides digital brand management and protection services
for you.
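The monitoring described above, as an added example that is not part of the original post: it generates common look-alike variants of your own brand domain and checks a constructed new-registration feed against them. The function names and the sample feed are assumptions made for the example.

```python
import string

def typosquat_variants(domain):
    """Return look-alike names for a brand domain such as 'example.com'."""
    name, _, tld = domain.partition(".")
    variants = set()
    for i in range(len(name)):
        # Omission (exmple), repetition (exaample), replacement (exanple)
        variants.add(name[:i] + name[i + 1:])
        variants.add(name[:i + 1] + name[i] + name[i + 1:])
        for c in string.ascii_lowercase:
            if c != name[i]:
                variants.add(name[:i] + c + name[i + 1:])
    for i in range(1, len(name)):
        # Transposition (exmaple) and hyphenation (exam-ple)
        variants.add(name[:i - 1] + name[i] + name[i - 1] + name[i + 1:])
        variants.add(name[:i] + "-" + name[i:])
    # Homoglyph-style swaps that phishing domains commonly use
    for a, b in (("l", "1"), ("o", "0"), ("i", "1"), ("m", "rn"), ("w", "vv")):
        if a in name:
            variants.add(name.replace(a, b))
    variants.discard(name)
    return {v + "." + tld for v in variants if v}

def find_lookalikes(domain, new_registrations):
    """Return newly registered names that match a generated variant."""
    watchlist = typosquat_variants(domain)
    return sorted(d for d in new_registrations if d.lower() in watchlist)

# Constructed sample feed, shaped like a registrar's new-registration report
NEW_DOMAINS = ["examp1e.com", "flowers-shop.com", "exmaple.com",
               "exampleshop.com", "exarnple.com", "unrelated.org"]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", NEW_DOMAINS):
        print("possible typosquat:", hit)
```

The generator covers single-edit variants only; names built by appending words (exampleshop.com) need a separate substring check.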

Registrar Hijacking

Unlike typosquatting, the attacker does not fake your domain; they break into
it. Domain names are most often registered through a registrar company, which
exposes them to potential threats. An attacker who gains access to the account
managed by your registrar can take control of the domain: they can migrate it
to servers of their choice and, worse, switch the ownership too. Such attacks
succeed by breaking the account passwords of the registrar's support
personnel.

To avoid this, the best practice is good account password management and
setting strong passwords. You should also select a registrar that offers
better account security, such as two-factor authentication or dedicated
account managers. Such services may cost money, but they are worth the
security you gain.

Cache Poisoning

DNS data is used to send emails and to locate websites on the internet. This
data is cached on servers to decrease the load on them and to enhance
performance. Poisoning attacks target the DNS data cached on these servers
and route the user to a fake website controlled by the attacker.

To do so, the attacker tricks the DNS server by exploiting its weak
configuration and inserting fake address information. Unfortunately, this
change is undetectable by your browser.

To counter cache poisoning, a highly preferable and working solution is to add
the DNSSEC protocol to your domain name. This lets browsers and ISP servers
authenticate the DNS data they receive, removing the risk of cache poisoning.
Therefore, you should ask your ISP for DNSSEC.

General Recommendations For DNS Protection

Every organization seriously needs a full risk assessment of its
infrastructure in order to avoid possible risks.

For DNS protection, there are some general recommendations to achieve
adequate security.

- Patch DNS servers regularly to minimize the risk of vulnerability
exploitation.
- Monitor traffic on UDP port 53 to detect DNS tunneling and data
exfiltration.
- Make sure that access to your DNS servers is restricted to the individuals
who require it. This decreases the chances of both accidental vulnerabilities
and intentional malicious misconfiguration.
- Keep distinct DNS servers for internal and internet resolution, with the
internal server placed behind network defenses so that access by external
attackers is restricted.
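The port 53 monitoring recommendation, as an added example that is not part of the original post: it scores DNS query logs for the long, high-entropy labels typical of tunneling and exfiltration. The log format, the function names and the thresholds are assumptions; the log lines are constructed.

```python
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Crude 'last two labels' zone; a real tool would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_zones(log_lines, max_label=40, min_entropy=3.5, min_unique=3):
    """Return {zone: count} for zones receiving several long, random-looking
    leftmost labels, the usual shape of tunnelled or exfiltrated data.
    Thresholds are assumptions to tune against your own baseline."""
    per_zone = defaultdict(set)
    for line in log_lines:
        # Constructed format: "<timestamp> <client> <qtype> <qname>"
        _ts, _client, _qtype, qname = line.split()
        first_label = qname.split(".")[0]
        if len(first_label) >= max_label and shannon_entropy(first_label) >= min_entropy:
            per_zone[registered_domain(qname)].add(qname)
    return {z: len(q) for z, q in per_zone.items() if len(q) >= min_unique}

# Constructed sample: normal lookups plus three hex-like labels to one zone
LOG = [
    "1517432510 10.0.0.5 A www.example.com.",
    "1517432511 10.0.0.5 AAAA mail.example.com.",
    "1517432512 10.0.0.7 TXT 4a7f3c9e1b2d8f6a0c5e7d9b3a1f4e6c8d2b7a9e.tun.example.net.",
    "1517432513 10.0.0.7 TXT 9d1e6b4a2c8f0e7d3b5a9c1f6e4d2b8a7c0f5e3d.tun.example.net.",
    "1517432514 10.0.0.7 TXT 0b3f7e9c5a2d8f1e6c4b0a9d7e3f2c8b5a1d6e4f.tun.example.net.",
    "1517432515 10.0.0.5 A cdn.example.com.",
]

if __name__ == "__main__":
    print(suspicious_zones(LOG))
```

Legitimate CDN and anti-spam services also emit long machine-generated labels, so allow-list known zones before alerting.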

Individual internet users can also use some techniques to avoid
DNS-associated risks. Either they can use a tool such as a VPN to mitigate
risks such as DNS leaks, or they can change the DNS settings on their