Valgeir Haukdal

See better to sleep better: a lesson for DNS security

Not seeing your DNS clearly never makes problems go away. If anything, it compounds them.

We've recently written a blog about network visibility and I thought I'd follow it up from a more practical (and somewhat entertaining) perspective.

Domain in distress

Not too long ago a security researcher has taken over one of the two authoritative name servers for the entire .cd ccTLD (country code top-level domain; the two-character designation assigned to countries to use).

In a nutshell, and you should read the whole story over on TechCrunch, the domain for one of the two authoritative name servers for the Congolese .cd ccTLD expired and the Congolese government didn’t renew it. It’s unclear why, but it doesn’t really matter insofar as the fact that .cd domains became vulnerable if someone with malicious intent would’ve bought the domain. With control over the name server’s domain, they could’ve created fake (but technically real) SSL certificates to forge authenticity, redirect URLs to spoofed sites in order to capture personal or financial information, or just simply try and block traffic from ever reaching the intended websites and services.

Luckily, a security researcher (which is another way of saying “ethical hacker”) called Fredrik Almroth has been monitoring the expiration of such important domains, and scooped up the name server’s DNS entry as soon as it became publicly available. Since then, another name server has been designated by the Congolese government, and the old one remains inactive for security reasons.

This domain-in-distress story is entertaining inasmuch as it ends, if not happily, at least not in catastrophe. But it just as easily could’ve ended in a very different way.

Why should I care?

It may not be readily apparent how the above story about a Congolese ccTLD’s name server is relevant to enterprise network managers.

It's true, the goings-on of the public internet usually aren't that relevant to our core audience. Men&Mice customers are often hailing from the business world. (Although we can and are happy to work with organizations in the public sector as well.)

But there's a great lesson here that enterprise companies would be smart to learn: DNS can be vulnerable in more ways than through a DDoS attack.

Network security through network visibility

As we said, network visibility is an essential component of network security. Your company's domains may be safe from expiring, but lack of visibility creates vulnerabilities, not unlike the one shown for the Congolese name servers.

Without visibility within your networks, stale DNS records can create vulnerabilities that malicious elements can exploit. A single spoofed subdomain can severely damage your business operations, either as the primary attack or the prelude for something else.

Attackers are often smart and sophisticated. (Nigerian princes are no longer as effective as they once were. And thanks to good-intentioned experts like Fredrik above, Congolese princes aren't likely to rise anytime soon.) Even for a trained IT security professional, a spoofed website or email might be difficult to recognize.

Network visibility shines a light on not just resources being under- or overused but also on those forgotten and ripe for exploitation.

Network security through network security

Visibility, however, isn't a silver bullet. It's only one component, no matter how important, in an array of available tools to keep your networks (and your business) safe.

One such tool, particularly effective against the DNS spoofing/cache poisoning attacks, is DNSSEC. In response to the Congolese name server's story, ICANN pointed out the benefits of using DNSSEC that eliminate many vulnerabilities attackers could exploit.

Unfortunately, DNSSEC adoption is still very low, particularly in private environments. At the time of this writing, Verisign reports just over 2 million .com domains secured with DNSSEC. To put that number in perspective, at the end of September 2020 there were over 150 million .com domains registered. That makes DNSSEC adoption for the .com domains at around 0.014%.

Getting started (to be more DNSSEC-ure)

I understand, deploying new things on complex and mission-critical networks is always a challenge. This is especially true in the case of security features that are often perceived to create obstacles to convenience.

Still, establishing proper network visibility is a good start. Gaining insight into the state of security across your networks is a smart move regardless of what follows. Maybe simply pruning stale DNS records will eliminate an acceptable amount of risk. Perhaps it confirms the need to go further and deploy DNSSEC or other security tools.

One thing is certain: not seeing the problem doesn't make it go away. If anything, it compounds it.