Traditional DNS security procedures are easily bypassed by determined attackers.
On April 17, Cisco Talos reported a DNS hijack targeting government and enterprise domains in certain TLDs. It was a sophisticated and effective attack highlighting the damage bad actors can do using external DNS compromises to harvest data and customer information. In this case, credentials were obtained to gain access to enterprise VPNs. The attack method is repeatable, especially against enterprises that fail to address exposures with a prevention mindset. Enterprises must update policies and enforce them with domain and external DNS security control systems designed to address modern security threats.
What Happened? In a nutshell…
- The bad guys accessed Registry/Registrar systems and hijacked domain DNS settings
- They directed traffic through their servers intercepting and harvesting ALL data in transit
- They forwarded legitimate requests to the intended servers to avoid detection – and it worked
- Nobody noticed
- Compromised data and credentials were likely sold and used to perpetrate other breaches including compromising VPNs.
An article in Wired on the same compromise advises that enterprises purchase “Registry Lock” on their domains in order to prevent this type of attack. By itself, registry lock is a good action, but it is wholly inadequate as an effective network defence measure, akin to locking the car door while leaving the back window open. Registry lock only freezes the name-server delegation held at the registry; to get around this single protection measure, the attacker merely needs to add or edit an A record inside the zone instead of editing a name server. Result: Registry Lock Security Action DEFEATED.
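The point above is that a registry lock covers only the NS delegation, so the change that actually redirects traffic (an edited A record) slips past it unless something else is watching the zone. The following added example, which is not code from the article, shows the kind of change detection a "Change Notifications" control provides: it diffs the current view of a zone against an approved baseline and marks which changes a registry lock would or would not have blocked. Both snapshots are constructed inline (documentation addresses and example domains); in a real deployment the current view would come from resolver queries or the DNS provider's API, which this example does not call.

```python
"""Detect changes to a domain's external DNS records by diffing the
current view against an approved baseline, and flag which changes a
registry lock would not have prevented.

Added illustration, not code from the article. Both snapshots are
constructed inline; in a deployment the current view would come from
resolver queries or the DNS provider's API (assumed, not shown here).
"""
from dataclasses import dataclass

# A registry lock only freezes the delegation held at the registry (the
# NS set and domain status). Records inside the zone, such as A or MX,
# are edited at the DNS provider and are not covered by it.
REGISTRY_LOCK_COVERS = {"NS"}


@dataclass(frozen=True, order=True)
class Record:
    name: str   # owner name, e.g. "vpn.example.com."
    rtype: str  # record type, e.g. "A", "NS", "MX"
    data: str   # rdata as text, e.g. "198.51.100.20"


# Constructed baseline: the approved state of example.com.
BASELINE = {
    Record("example.com.", "NS", "ns1.example.net."),
    Record("example.com.", "NS", "ns2.example.net."),
    Record("example.com.", "A", "198.51.100.10"),
    Record("vpn.example.com.", "A", "198.51.100.20"),
    Record("example.com.", "MX", "10 mail.example.com."),
}

# Constructed current view: the VPN host's A record now points elsewhere
# (203.0.113.5 is a documentation address standing in for an unknown host)
# while the NS set, which a registry lock protects, is unchanged.
CURRENT = (BASELINE - {Record("vpn.example.com.", "A", "198.51.100.20")}) | {
    Record("vpn.example.com.", "A", "203.0.113.5"),
}


def diff_snapshot(baseline, current):
    """Return (added, removed) record sets between two snapshots."""
    return current - baseline, baseline - current


def classify_changes(baseline, current):
    """List every changed record with whether a registry lock would block it."""
    added, removed = diff_snapshot(baseline, current)
    findings = []
    for rec in sorted(added | removed):
        findings.append({
            "action": "added" if rec in added else "removed",
            "record": rec,
            "registry_lock_blocks": rec.rtype in REGISTRY_LOCK_COVERS,
        })
    return findings


def alert_lines(findings):
    """Render findings as notification lines for the change-alert channel."""
    lines = []
    for f in findings:
        r = f["record"]
        lock = ("covered by registry lock" if f["registry_lock_blocks"]
                else "NOT covered by registry lock")
        lines.append(f"{f['action'].upper():7} {r.name} {r.rtype} {r.data} ({lock})")
    return lines


if __name__ == "__main__":
    for line in alert_lines(classify_changes(BASELINE, CURRENT)):
        print(line)
```

Run against the constructed snapshots, the diff reports the removed and the added `vpn.example.com.` A record and marks both as not covered by registry lock, which is exactly the gap the paragraph describes; swapping one NS record instead produces a change marked as covered. The baseline should be taken from the approved change workflow, not from whatever the zone happens to contain when monitoring is switched on.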
Bad actors know that enterprises are slow to adapt, constrained by budgets, limited by internal expertise focus, and inclined to maintain status quo, particularly in terms of external DNS. Attackers have big monetary incentives, don’t follow rules, are creative and nimble, and act without constraint. This gives them a considerable advantage in what is becoming an arms race in IT security.
The consensus view in research is that enterprise exposures generally exist due to the actions and inactions of internal human resources. Executive leadership fails to prioritize action to equip their IT teams and overseers with modern systems to keep companies and customers safe on the external DNS. Consider also that best practice guidance from experts fails in the real world because it typically reinforces traditional, manual security processes that are themselves weak. Ten such ineffective measures are detailed in this paper: Domain and DNS Security Measures Don’t Work
Applying a comprehensive preventative strategy to domain and external DNS security is more important than ever. The pace of change and the resources and skills of bad actors continue to advance while enterprises are slow to adapt with a status quo mindset. We see this all the time, evidenced by the persistent and endemic failure of enterprises to adopt DNS security policies such as DNSSEC, SPF and DMARC, as well as disconnected, siloed systems and operations, lack of clear asset ownership, and use of multiple legacy external domain and DNS services. These conditions make external DNS almost impossible to control.
Enterprises must urgently recognize the exposures and prioritize project activity to modernize their control systems for external DNS. If your enterprise security approach is limited to an internal-network-focused “Castle and Moat” and ignores external DNS, you are managing external DNS cyber risk with an approach conceived in the 1990s that cannot address modern threat vectors.
“And I think a lot of the groups that pick it up are finding that it’s not hardened on enterprise networks, because it’s not part of the network. No one really thinks about who their [domain] registrar is.”
Security Layers Enforced with Easy to Use Systems that Empower Teams
Enterprises need to apply security layers to domains and external DNS by empowering teams with modern tools that specifically address all known DNS administrative security weaknesses. Moreover, merely listing the weaknesses and establishing a policy is impractical without assurance that measures are easily manageable and scalable. Security layers need to be easy to set up and efficiently enforced with change management and monitoring systems, rather than relying on people to do the right thing without fail or error. The following table details preventative security practices to address modern threats.
| Security Action | Description |
| --- | --- |
| Define and Enforce Security Policies | Set the rules and use control systems to bring visibility and enforcement into place to manage enterprise policies |
| Access Controls | Permissioned team members, ideally with SSO integration |
| 2 Factor Authentication | Protect against stolen credentials and unauthorized access |
| Role-based Permissions | Limit and grant permissions based on functional need |
| Change Workflow | Enforce and log internal change approvals for compliance |
| Change Notifications | Alert IT of any domain and DNS edit or addition |
| Change Digest Log | Audit proof and asset lifecycle record |
| Registry Lock | Ensure name servers are not changed without approval |
| Registrar Lock | Ensure domains are not transferred without approval |
| DNSSEC | Thwart DNS cache poisoning and man-in-the-middle attacks |
| SPF and DMARC | Ensure domains owned are not used for phishing |
| HTTPS Everywhere | Protect against session eavesdropping, and don’t forget about redirects. Enable HTTPS or park the domain |
| DNS Start of Authority | Ensure every domain, in use or not, has an SOA record to mitigate DNS hijack risk |
| Zone File Hygiene | 1. Clean up legacy DNS settings, and 2. Establish systems to maintain good hygiene |
| Consolidation of DNS and Registrar Services | Limit providers to those where access, security and change management controls are unified and consistent |
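Three rows of the table (SPF and DMARC, DNS Start of Authority, Zone File Hygiene) describe checks that can be run mechanically across every domain an enterprise owns, including parked look-alike domains. The following added example, which is not code from the article, audits a small constructed portfolio for exactly those three points: whether the domain publishes an SOA record at all, what the SPF `all` qualifier is, and what DMARC `p=` policy is set. The zone data is embedded inline as a stand-in for live lookups; the domain names and record values are constructed, and the DMARC TXT record (which lives at `_dmarc.<domain>` in real DNS) is stored under a `DMARC` key for brevity.

```python
"""Zone-hygiene audit for a portfolio of owned domains: SOA presence,
SPF 'all' qualifier and DMARC policy.

Added example, not code from the article. The zone data below is
constructed inline in place of live DNS lookups; in practice each
domain's SOA, TXT and _dmarc TXT records would be queried from its
authoritative servers (assumed, not shown here).
"""

# Constructed snapshot: domain -> {record type -> list of rdata strings}.
# DMARC TXT records (really published at _dmarc.<domain>) are stored
# under the parent domain's "DMARC" key to keep the example short.
ZONES = {
    "example.com": {
        "SOA": ["ns1.example.net. hostmaster.example.com. 2024010101 7200 900 1209600 300"],
        "TXT": ["v=spf1 include:_spf.example.com -all"],
        "DMARC": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    },
    "example.net": {
        "SOA": ["ns1.example.net. hostmaster.example.net. 2024010101 7200 900 1209600 300"],
        "TXT": ["v=spf1 ip4:198.51.100.0/24 +all"],
        "DMARC": ["v=DMARC1; p=none"],
    },
    # Parked brand-protection look-alike: registered, but no zone published.
    "example-shop.com": {},
}

SPF_QUALIFIERS = "+-~?"


def spf_all_qualifier(txt_records):
    """Return the qualifier of the SPF 'all' mechanism: '-' (fail),
    '~' (softfail), '?' (neutral) or '+' (pass). Returns None when no
    SPF record is published. A record with no 'all' term evaluates to
    neutral by default (RFC 7208 section 4.7), reported here as '?'."""
    for txt in txt_records:
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
            mechanism = term.lstrip(SPF_QUALIFIERS).lower()
            if mechanism == "all":
                return qualifier
        return "?"
    return None


def dmarc_policy(dmarc_records):
    """Return the lower-cased p= tag of the DMARC record, or None if absent."""
    for txt in dmarc_records:
        if not txt.lower().startswith("v=dmarc1"):
            continue
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        return tags.get("p", "").strip().lower() or None
    return None


def audit_domain(domain, zone):
    """Return a list of hygiene findings for one domain (empty when clean)."""
    findings = []
    if not zone.get("SOA"):
        findings.append("no SOA: domain has no authoritative zone; park it on controlled name servers")
    spf = spf_all_qualifier(zone.get("TXT", []))
    if spf is None:
        findings.append("no SPF record")
    elif spf == "+":
        findings.append("SPF '+all' authorizes every sender")
    elif spf in "~?":
        findings.append(f"SPF '{spf}all' is soft; use '-all'")
    policy = dmarc_policy(zone.get("DMARC", []))
    if policy is None:
        findings.append("no DMARC record")
    elif policy != "reject":
        findings.append(f"DMARC p={policy}; move to p=reject")
    return findings


def audit_portfolio(zones):
    """Audit every owned domain and return {domain: [findings]}."""
    return {domain: audit_domain(domain, zone) for domain, zone in zones.items()}


if __name__ == "__main__":
    for domain, findings in audit_portfolio(ZONES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{domain}: {status}")
```

On the constructed data the flagship domain passes, `example.net` is flagged for `+all` and `p=none`, and the parked look-alike is flagged on all three points, which illustrates the article's insistence that a domain that is "not in use" still needs a published zone and restrictive mail policies. For a domain that sends no mail, `v=spf1 -all` and `p=reject` are the settings that satisfy these checks.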
Every domain owned must be managed for security and regulatory compliance reasons. It doesn’t matter if it is a core domain used for flagship products and services or a lowly brand-protection look-alike domain. If you own it, you must manage it, or malicious parties can use it against you.
Summary
Threats and compromises on domains and external DNS are growing because they are open and can be used to harvest credentials to execute deeper network exploits. This compromise raises the game and points to the entire DNS “Chain of Trust” that underpins the Internet, including the Top-level Domains, DNS and TLS certificates. Attackers are more agile and better equipped than many enterprise domain and IT security teams. Comprehensive domain and DNS hygiene with control systems to enforce policies is the only way to proactively protect your enterprise and its customers.
It is not rocket science or expensive; in fact it will reduce Total Cost of Ownership. Prioritizing modernization for as little as a single business quarter can equip your teams with must-have change management tools. And you are done!
Post Script
Brand Top-Level Domains
If you really want to get serious about staying ahead and improving your security, compliance and trust posture, you need to own your own Brand Top Level Domain. As the anchor of trust, it offers control of the entire external DNS environment from the root of the Internet up to the DNS security setting defaults, zone files and TLS certificates. Brand Top-Level Domains are the end game for all major and aspiring brands.