Recently on the blog, we’ve talked a lot about DNS encryption and how DoH impacts end users. But there is more to DNS security than just encrypting DNS requests and responses. It’s probably safe to say that as a DNS filtering company, we have a lot of thoughts about the umbrella term “DNS security.”
It’s actually pretty simple, though fairly broad. When we talk about secure DNS, we’re talking about adding security at the DNS layer to protect end users from malicious site content, malware, phishing attacks, and other DNS-level attacks. For a brief overview of DNS, you can check out our blog on DNS filtering.
The end goal of DNS security is to mitigate possible threats at the DNS level—and this includes insider threats!
It’s safe to assume that everyone at your company logs into a computer at some point in their working day. And a large majority of those people are accessing the internet. Since internet usage across all industries is so ubiquitous, protecting employees at the DNS level is imperative.
The moment an employee encounters a malicious URL without proper DNS security in place, your business is at tremendous risk. That employee may hold highly confidential information the attacker wants, or the site may drop malware onto that computer that then spreads across the entire network. Just navigating to the wrong website could take all of your systems offline for an unknown amount of time.
So how do these attacks even occur to begin with?
Technically, almost any online attack could be considered a DNS attack since it needs to use DNS to spread.
What follows is by no means a complete list of all DNS attacks that can occur, but these are the attacks that people fall victim to most often.
Phishing attacks are a favorite among hackers. This is because they’re relatively easy to implement compared to other attacks. These attacks can be implemented via a website or an email in an attempt to lure victims to take the bait.
Attacks that target a certain company or group of people are known as “spear phishing” attacks. It’s easy to be conned by these attacks when the hacker is a skilled manipulator and does their research on you and your company. But even the attacks that aren’t that well crafted have a high likelihood of working if the victim isn’t paying close attention.
The unprecedented takeover of multiple celebrity Twitter accounts in July was a result of a spear phishing campaign that targeted Twitter employees with account control access.
I’ll keep this short since malware is a very broad term and we cover a type of malware attack below. The term malware is actually an abbreviated form of “malicious software.” It can be spread through forced downloads, phishing schemes, or malicious ad content.
You’ve probably noticed that phishing attacks and malware attacks are sometimes interconnected. Phishing refers to the way an attack is deployed and malware refers to the actual malicious software that winds up on a victim’s computer. So, a phishing attack is not always a malware attack, though it can be. And vice versa.
Ransomware is the most common form of malware attack. The malware a user downloads (or is forced to download) allows hackers to encrypt the user’s files (or entire computers, networks, etc.) and then demand a ransom.
In July, the GPS navigation company Garmin had a multi-day outage as the result of a ransomware attack. The hackers encrypted parts of their network which blocked users from being able to use Garmin devices.
A DDoS attack occurs when an attacker targets a network or server in an attempt to overwhelm the system with a large amount of internet traffic. A DDoS attack is an interesting hybrid of malware and botnet attacks.
A computer or device is infected by malware that turns it into a “bot,” with the hacker gaining control over those bots. The bots then flood the targeted server with requests, aiming to overwhelm it until legitimate users receive a “denial of service” error. That’s a very high-level look at DDoS attacks; under that umbrella there are many specific types of attack.
In February 2020, AWS mitigated a DDoS attack that was 2.3 Tbps in size (the largest DDoS attack ever, nearly doubling the previous record).
This is when a malicious actor intercepts a communication between two parties. Most commonly we see this when a user is temporarily redirected to a fake login page that collects personal information or login credentials. Think of it as an advanced form of phishing. It is highly technical and requires strong coding skills, so it depends less on the hacker’s ability to manipulate the victim and more on their ability to stay camouflaged.
These types of attacks are where DNS encryption is essential.
Sometimes also called “domain theft”, hijacking is when a domain name is stolen from the holder of the registered domain. The true owner of the domain is completely locked out. One method of hijacking involves attackers taking control of the domain owner’s DNS records. And note that we’re not just talking about a WordPress-hosted website here. We’re talking about complete ownership of a domain. This means they gain control over directing website visitors and can direct all incoming and outgoing emails.
The hijacker might continue to run the website as-is in order to gain information about the website’s users (and in turn steal from them), turn the hacked website into a way to deploy malware, or simply sell the hijacked domain through secondary markets.
In one famous case, former basketball player Mark Madsen purchased a domain from eBay for more than $100,000. The domain purchased was actually a hijacked domain.
Note that this is the one attack listed here where DNS filtering can’t help you completely (except in cases where domain hijacking is attempted via phishing schemes). I recommend you lock down the logins for your registered domain (such as your GoDaddy account), add 2FA, and use strong passwords.
To avoid placing your company at risk of DNS level attacks, you need to implement DNS filtering with DNS encryption enabled. When looking for a DNS security solution you should also prioritize network redundancy and the ability to log DNS activity and report on it.
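As an added illustration (not code from the original post or its product), the following Python sketch shows the core of the DNS-layer filtering described above: each query is matched against a blocklist, including parent zones, and the verdicts are collected into the per-client activity report the post recommends. The blocklist entries, client addresses and log lines are constructed sample data.

```python
# Added example (not from the original post): a minimal DNS-layer filter that
# checks each query against a blocklist, records the verdict, and builds the
# per-client report the post recommends. All names and log lines are constructed.
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed blocklist: a phishing lookalike, a malware command host, and a
# whole zone. Entries are stored lowercase with no trailing root dot.
BLOCKLIST = {"login-secure-update.example", "c2.badhost.example", "ads.example"}

def normalize(name: str) -> str:
    """Lowercase and drop the DNS root dot, so 'Foo.Example.' == 'foo.example'."""
    return name.strip().lower().rstrip(".")

def is_blocked(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (the name or any parent
    zone, so 'ads.example' also catches 'cdn.ads.example'), else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

def filter_log(lines: List[str]) -> Tuple[List[str], Dict[str, Counter]]:
    """Apply the policy to 'client qname' lines; return the decision log and a
    per-client Counter of blocked zones (the input for activity reporting)."""
    decisions: List[str] = []
    report: Dict[str, Counter] = {}
    for line in lines:
        client, qname = line.split()
        hit = is_blocked(qname)
        verdict = f"BLOCK ({hit})" if hit else "ALLOW"
        decisions.append(f"{client} {normalize(qname)} {verdict}")
        if hit:
            report.setdefault(client, Counter())[hit] += 1
    return decisions, report

# Constructed sample query log: client IP and queried name.
SAMPLE_LOG = [
    "10.0.0.5 www.example.",
    "10.0.0.5 Login-Secure-Update.example",
    "10.0.0.9 cdn.ads.example",
    "10.0.0.9 c2.badhost.example.",
    "10.0.0.9 notads.example",  # must NOT match 'ads.example'
]

if __name__ == "__main__":
    for entry in filter_log(SAMPLE_LOG)[0]:
        print(entry)
```

Note the `notads.example` line: matching by whole labels rather than by string suffix is what keeps a zone-level block from also blocking unrelated domains that merely end in the same characters.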
But it doesn’t start and stop with your DNS filtering provider. Use a role-based access approach, meaning only the people who need access to any given system get access to it. Change your passwords frequently and make 2FA mandatory when applications have the option for it. Finally, work toward comprehensive cybersecurity awareness training within your organization.
When everyone is more familiar with types of attacks they might encounter and how they can protect themselves, your company is safer.