The Anatomy of A DNS Hijacking

The race to the cloud has created a lightning rod for DNS Attacks.

Authoritative DNS plays a critical role in our connected culture. What started out as a simple ‘phone book’ routing requests to websites; now touches virtually every application and computing activity connected to the sprawl of clouds, data centers, content delivery networks (CDNs) and devices.

While no one company controls the entire internet and application delivery infrastructure, DNS sits at the intersection of it all. Even so, many organizations still use basic or legacy DNS for their domains, apps and users, unaware of the risks.

Authoritative DNS’ ubiquity and critical position in application infrastructure make it both a prime target for attackers and an opportunity to dodge downtime and defend against threats. One such threat, DNS Hijacking, has increasingly made headlines alongside some of the most damaging cyber attacks.

So, What is DNS Hijacking?

DNS Hijacking, also called Domain Hijacking  is when bad actors redirect or "hijack" DNS addresses and reroute traffic to bogus DNS servers. Once a DNS address is successfully hijacked to a bogus DNS server, it translates the legitimate IP address or DNS name into the IP addresses of the hacker’s malicious website of choice.

DNS hijacking can occur with any size website, directing folks to malicious websites without their knowledge. Since the website owners depend upon legitimate DNS server that are issued by their Internet Service Providers (ISP), DNS hijackers use malware in the form of a Trojan to exchange the legitimate DNS server assignment by the ISP with a manual DNS server assignment from a bogus DNS server. When users visit legitimate websites, they’re automatically hijacked to a malicious website disguised as the legitimate one. The switch from the legitimate DNS server to the bogus DNS server goes unnoticed by both the user and the legitimate website owner. At this point the malicious website gets to do pretty much anything it wants, for as long as the person using it believes it’s where they’re meant to be.

What Are Cyber Criminals After?

Over the past several years there have been many high-profile domain hijackings, including Wikileaks and The New York Times. Although the causes of each aren’t always clear, one of the most common paths to gaining control of a .com property is social engineering. Using phishing or other clever methods, attackers gain credentials of administrators, and then change DNS resources (like the registration) to gain control of the domain and then misdirect traffic from that domain to malicious sites. Sometimes a domain hijack is an embarrassment, while other times it has serious financial or privacy consequences from hacking activity that can occur on the misdirected site.

As a cyber attack, DNS Hijacking has a host of uses, including injecting malware into your machine, promoting phishing scams and advertising on high-volume websites. Ultimately, it’s possible to suffer a data breach following a DNS Hijacking, as credentials can easily be mined while the victim is active on the attacker’s bogus site.

Defending Against DNS Hijacking

Historically, organizations have held back from using DNSSEC, because implementing it would mean sacrificing the DNS traffic management capabilities they rely on to deliver high quality online services.

Thing is, it doesn’t have to be this way. Next-gen DNS lets organizations implement advanced traffic management capabilities and apply them to their own DNSSEC signed zones.

Although no layer of your application delivery infrastructure is immune to attack, with the right steps, and a properly configured, redundant and anycasted next-generation DNS infrastructure; organizations are far better placed to withstand attacks, dodge downtime and dramatically increase application Resiliency. Here are three strategies for a more secure and resilient overall DNS posture:

Upgrade DNS in the Application Infrastructure

The lack of attention of DNS lags behind the innovation of the infrastructure in the cloud,

creating cracks for possible exploitation. As organizations increasingly embrace a new generation of “cloud first” computingenvironments with multiple, connected clouds, data centers and CDNs, they also need to adapt and upgrade the underpinning infrastructure, including DNS and security technologies and policies.

Use DNSSEC, and Confirm Your Providers Do Too

Application layers use security protocols (like HTTPS, DMARC, etc.), and DNS is no exception. The Domain Name System Security Extensions(DNSSEC) is one of them. DNSSEC reinforces the authenticity of DNS query responses by using digital signatures to authenticate communications, protecting applications (and the caching resolvers used by those applications) from using fake DNS data in cache poisoning and spoofing attacks.

Deploy a Second DNS Network for Redundancy and Resiliency

The sites that bounce back the fastest from some of the biggest cyber attacks have deployed a now mission-critical strategy: redundant DNS. Even with anycasting, you still have a single point of failure for technical errors, outages and security events. Managing redundant networks can be challenging with some providers. Just like a multitude of clouds, not all DNS networks easily share information, or have the same levels of security.

DNS is one of the core technologies used in the delivery of the modern Internet, but it’s more than just a name-to-IP address mapping database. Modern DNS should be built on an API-first architecture with easy-to-use user interfaces, precise routing controls, and industry-leading support.

It’s a critical component of modern application delivery at enterprise scale, including DevOps, IoT, data center migrations and hybrid and multi-cloud deployments. For a crash course in understanding, and configuring your DNS, a breakdown of potential security risks, and DNSSEC; download the DZone practical DNS reference guide.