DNS hacking: what you need to know

The word “diversion” arouses a host of emotions, few of which are favorable. When associated with airlines, in particular, the word can elicit feelings ranging from worry to outright terror. For infosec professionals, this same spectrum of reactions can come into play when a hack is detected on your domain name system (DNS).

By the time it is learned that a DNS hijack has occurred, security has already been breached and the damage is mounting. For organizations that have been victimized, such attacks can have monumental impacts. To avoid this particular pitfall, the best thing to do is to know the dangers and deploy the right security mechanisms in advance to prevent hijackers from having a chance to strike.

Preparing the ground for DNS hijacking

With DNS, the name of an organization’s website–generally an easy-to-remember and easy-to-type URL for customers–is translated to an Internet Protocol (IP) address. This IP address corresponds to where the site is hosted on the Internet. Two parts are essential to the allocation of domain names: registers and registrars.

Registries essentially serve as a domain name wholesaler for specific Top Level Domains (TLDs) like .com, .org, .uk, and .edu, to name a few. Registries sell extensions of these TLDs, called second-level domains (SLDs), to registrars (for example, example.com). Registrars sell these SLDs to the public. Some of the more well-known registrars are GoDaddy, Squarespace, and Bluehost.

In order for registrars to purchase a name, they must have an account with a registry, which involves establishing login credentials. Likewise, in order for the public to buy a domain name, they must also create an account with login credentials with a registrar.

If a company wants to make a change to the DNS of their SLD, they do so by first logging into their account with their registrar. For example, if a business decides to change their website host, they should point their familiar URL to the IP address of the new host. For the change of company to take effect, the registrar may also need to log into its own account with the registry and communicate updates; the registry then publishes the new information for all name servers so that all visitors to the company’s website are seamlessly directed to its new IP address.

When login information is compromised at any point in the business-registrar-registry communication chain–whether it’s through the use of weak passwords, the wide sharing of login credentials, falling prey to social engineering schemes or forgetting another security breach–crooks have a hijacking opportunity.

Maneuver for malicious gain

Attackers who gain access to any account in the enterprise-registrar-registry communication chain can cause serious damage. With the ability to change a company’s website location, attackers can intercept and direct traffic to bogus servers. They may be able to trick customers into unintentionally disclosing their login credentials and personal information, and they may be able to do the same for employees, gaining deeper access to the network. They can also infect victims with malware to further compromise configurations for the benefit of hijackers.

DNS hijackers also have the ability to take a business completely offline, which ends business activity. Such tactics offer a clear and sudden indicator that a company’s security has been compromised and often result in frantic remedies to harden systems.

Some hijackers may take a more subtle approach and try to go undetected for as long as possible, especially if they are looking to glean as much information as possible about customers or employees. They can move traffic between fake servers and the legitimate site for brief intervals, timing activities to take advantage of monitoring gaps to avoid discovery.

Disastrous consequences for the victims

DNS hijacking can have dire consequences for businesses and their customers. In most cases, security teams may not realize that a site has been hacked until it is too late. In the time it takes for teams to check systems and isolate the problem, hijackers have more than likely already recovered sensitive customer and employee data. Businesses then not only have to repair and reinforce the damage done to the infrastructure, but they also have the unpleasant task of communicating the breach to their customers and embarking on a long process to restore trust in their brand and services. Overall, the costs are high, but they can be avoidable.

Potential foreclosure threats

Following best security practices is the first step in thwarting hacking attempts. Such practices involve tracking and protecting account credentials and recovery methods, ensuring that only people in positions that need to be notified have access to them. Critical security layers should be in place, such as requiring multi-factor authentication (MFA) for all users and enabling notifications for recent or pending actions (such as expiration dates or issuing new SSL certificates). Additionally, security teams should regularly monitor existing critical accounts to detect and resolve any anomalies.

Beyond best practices, registrar and registry locks can provide additional peace of mind. A registrar lock means that any changes to a company’s domain can only be made after the ability to do so has been unlocked by the company. In most cases, a business security specialist will need to perform two-factor authentication or provide a passphrase to provide the registrar with assurance that a request is legitimate.

With a registry lock, a company’s domain cannot be changed or moved without a rigorous validation process between the registrar and the registry. Such a lock usually requires more effort to bypass, as manual entries and even offline settings need to be filled. The use of registry locks in combination with registrar locks fully secures the business-registrar-registry communication chain.

While registrar and registry locks can take extra time and effort for businesses to change their DNS, they are invaluable when it comes to outsmarting hijackers and maintaining security. integrity of sensitive data.

For businesses looking to keep customer and owner data secure, understanding external threats is half the battle. By implementing robust security systems and tools, an organization can once again focus on growing its business.