DNS: Do (you) Not Secure?

The foundations of the internet were laid at a time when no one could imagine the scale to which it would grow. DNS, the beginning of every connection made on the internet, is one of those foundations, and attackers exploit the inherent trust placed in this outdated process. The 2022 Global DNS (Domain Name System) Threat Report, compiled from interviews with over 1000 global organisations with more than 500 employees, suggests that 88% of interviewed organisations suffered DNS-related attacks over the past year. At a staggering average of seven DNS-related attacks per year per organisation, there is an industry-wide desire to understand how to secure DNS effectively.

This need has only grown in importance as post-pandemic organisations look to make identity the new perimeter of their networks and reduce lateral movement by creating earlier security barriers. It is compounded by the increased percentage of encrypted DNS traffic. We thought it would be beneficial to break down what exactly DNS is, why it is important to secure and how organisations can protect themselves against DNS-related attacks.

DNS is what converts human-readable domains (such as www.ANSecurity.co.uk) into IP addresses. This makes it possible for people to use memorable domain names rather than a series of numbers. DNS therefore acts as the internet's phonebook, providing an intermediary layer between people and the wider internet. But like most technology built with the best intentions, it can be exploited. With hybrid working and cloud migration journeys being undertaken because of the pandemic, there has been a surge in DNS-related attacks. Major consequences of these attacks can be application downtime and data theft.

We think that too often the DNS layer is overlooked by IT teams for the fundamental reason that firewalls are set to 'allow' list its traffic. However, it is this commonality in modern IT environments, together with insecure designs, that makes it such a common attack vector. According to the NCSC, almost all attacks utilise DNS at some point in their lifecycle, whether it is a phishing link, a compromised website, or attackers establishing a Command and Control system for their malware. The associated risks have only worsened over the pandemic. Hybrid work models have also created new challenges for IT teams: as the perimeter has disappeared, both the attack surface and cloud usage have increased considerably. Another finding from the report was that 70% of respondents suffered app downtime because of DNS attacks, affecting both in-house and cloud-based applications, and just under a quarter of respondents had customer data or sensitive IP stolen. It is therefore becoming more of a necessity to actively monitor DNS traffic.

There are several ways to secure DNS and prevent exploitation. All internet activity is enabled by DNS and, unsurprisingly, all cyberattacks will have to utilise DNS at some point, so simply monitoring DNS requests and the subsequent IP connections can go a long way towards securing networks. Ensuring the correct policies and protocols are in place to identify anomalous DNS activity then enables more accurate detection of malicious activity at earlier stages of an attack, and therefore improves visibility and enhances network protection.
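
To make the idea of monitoring DNS requests and the subsequent IP connections concrete, here is an added example (not code from this article or the report) that flags outbound connections whose destination IP the client never resolved, or resolved too long ago. The log layout, the sample records and the 30-second grace period are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: DNS answers seen by a resolver and outbound
# connections seen by a firewall. Names and IPs are documentation values.
DNS_LOG = [
    # (timestamp, client, queried name, answer IP, TTL in seconds)
    ("2024-01-10T09:00:00", "10.0.0.5", "www.example.com", "192.0.2.10", 300),
    ("2024-01-10T09:00:02", "10.0.0.7", "updates.example.net", "198.51.100.20", 60),
]
CONN_LOG = [
    # (timestamp, client, destination IP)
    ("2024-01-10T09:00:01", "10.0.0.5", "192.0.2.10"),     # resolved one second earlier
    ("2024-01-10T09:03:00", "10.0.0.7", "198.51.100.20"),  # 60 s answer has expired
    ("2024-01-10T09:04:00", "10.0.0.5", "203.0.113.99"),   # never resolved by this client
]
GRACE = timedelta(seconds=30)  # assumed tolerance for client-side caching


def unresolved_connections(dns_log, conn_log, grace=GRACE):
    """Return connections with no still-valid DNS answer for the same client and IP."""
    answers = {}  # (client, ip) -> list of (resolved_at, expires_at) windows
    for ts, client, _name, ip, ttl in dns_log:
        seen = datetime.fromisoformat(ts)
        window = (seen, seen + timedelta(seconds=ttl) + grace)
        answers.setdefault((client, ip), []).append(window)

    findings = []
    for ts, client, dst in conn_log:
        when = datetime.fromisoformat(ts)
        history = answers.get((client, dst), [])
        if any(start <= when <= end for start, end in history):
            continue  # connection follows a live DNS answer: expected behaviour
        # Either the client went straight to an IP, or it reused an expired answer.
        reason = "stale DNS answer" if history else "no DNS lookup"
        findings.append((ts, client, dst, reason))
    return findings


if __name__ == "__main__":
    for finding in unresolved_connections(DNS_LOG, CONN_LOG):
        print(finding)
```

A finding here is a prompt for review rather than proof of compromise, since hard-coded IPs and long-lived caches also occur in legitimate software.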

DNS is evidently an important part of the internet, as it is the first step in making a connection to the internet. If a dangerous connection is blocked at the DNS layer, the attack is prevented at the earliest point in the attack lifecycle, before any disruption, damage or data theft can take place.

More articles by Will Bindloss Gibb